This month we look at security information and event management (SIEM) tools. The history of this product group is as interesting as that of last month's UTMs. SIEMs evolved from security event management (SEM) tools. However, today's SIEMs are a lot more than just event managers. The products that we are seeing are really a combination of log management, event and flow correlation, and cyber situational awareness tools.

That's really an important distinction, by the way, as cyber situational awareness is the cornerstone of event management. The SIEM takes in data from wherever it can get it and correlates the input according to rules set up by the organization. Often this means that the SIEM has to take device inventory, vulnerability testing and flow data into account, as well as event data from firewalls, system logs and intrusion detection systems. This means that, in a perfect world, at least, every device on the enterprise is potentially a sensor for the SIEM.

However, these tools are no better than the sensors attached to them. That means that when selecting a SIEM, users should be certain that the device selected can take input from everything on the enterprise network from which security information must be gathered. In the case of a SIEM, the more data points it can look at, the better job it will do. And what, exactly, is the SIEM's job?

SIEMs often are thought of as alerting tools for large, complicated networks. That is, certainly, one extremely important facet of what it is all about. But there is a lot more. The biggest additional task that a competent SIEM will perform is forensic in nature. Because the SIEM probably is the only thing that sees everything on the enterprise, it has great potential to assist in the forensic reconstruction of a security event.

Probably the biggest barrier to deploying a SIEM in a smaller organization, besides cost, is lack of sensors. Since these offerings don't usually generate their own data, a SIEM with few sensors feeding it has little to work with. Those that accept data from a variety of sources – including events and flow data, as well as vulnerabilities and inventory – can generate risk profiles. If we think of the events as threat data and the vulnerabilities as vulnerability data, we have the two main types of data that define risk.
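The correlation and risk-profiling idea sketched above (rules set by the organization, applied to event, flow, inventory and vulnerability feeds, with the same store doubling as a forensic timeline) is easier to see in code. The following is an added illustration written for this page, not code from any product reviewed here; the hosts, addresses, feeds and scoring rule are all constructed for the example.

```python
"""Toy SIEM correlation: fuse inventory, vulnerability and event/flow feeds into risk-ranked alerts."""
from datetime import datetime, timedelta

# Constructed sample feeds (hypothetical hosts and addresses, not real data).
INVENTORY = {  # asset inventory feed: host -> business criticality 1 (low) .. 5 (high)
    "10.0.0.5": {"name": "web01", "criticality": 3},
    "10.0.0.9": {"name": "hr-db", "criticality": 5},
    "10.0.0.21": {"name": "kiosk", "criticality": 1},
}
VULNERABILITIES = {  # vulnerability scanner feed: host -> {service: severity 1..5}
    "10.0.0.5": {"http": 4},
    "10.0.0.9": {"mssql": 5},
}
EVENTS = [  # normalized records from IDS, flow, syslog and firewall sensors
    {"ts": "2013-03-01T10:00:01", "sensor": "ids", "host": "10.0.0.5", "service": "http",
     "peer": "198.51.100.7", "msg": "web exploit signature"},
    {"ts": "2013-03-01T10:02:40", "sensor": "flow", "host": "10.0.0.5", "service": None,
     "peer": "198.51.100.7", "msg": "outbound connection 10.0.0.5 -> 198.51.100.7:4444"},
    {"ts": "2013-03-01T10:05:00", "sensor": "syslog", "host": "10.0.0.5", "service": None,
     "peer": None, "msg": "new local user added"},
    {"ts": "2013-03-01T11:00:00", "sensor": "ids", "host": "10.0.0.21", "service": "http",
     "peer": "198.51.100.9", "msg": "web exploit signature"},
    {"ts": "2013-03-01T11:30:00", "sensor": "firewall", "host": "10.0.0.9", "service": "mssql",
     "peer": "198.51.100.9", "msg": "blocked inbound 1433"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(events, inventory, vulns, window=timedelta(minutes=10)):
    """Hypothetical organization rule set:
    - an IDS alert is the threat; the scanner feed says whether the targeted
      service on that host is actually vulnerable; the inventory says how much
      the asset matters. risk = criticality * severity (criticality alone if
      the service is not known to be vulnerable).
    - an outbound flow from the same host to the same peer within `window`
      after the alert escalates it to a suspected compromise (risk doubled).
    """
    alerts = []
    for ev in events:
        if ev["sensor"] != "ids":
            continue
        host = ev["host"]
        asset = inventory.get(host, {})
        criticality = asset.get("criticality", 1)
        severity = vulns.get(host, {}).get(ev["service"], 0)
        risk = criticality * severity if severity else criticality
        t0 = parse_ts(ev["ts"])
        escalated = any(
            f["sensor"] == "flow" and f["host"] == host and f["peer"] == ev["peer"]
            and t0 <= parse_ts(f["ts"]) <= t0 + window
            for f in events
        )
        if escalated:
            risk *= 2
        alerts.append({
            "host": host,
            "asset": asset.get("name", "unknown"),
            "risk": risk,
            "vulnerable": severity > 0,
            "suspected_compromise": escalated,
            "trigger": ev["msg"],
        })
    return sorted(alerts, key=lambda a: a["risk"], reverse=True)


def timeline(events, host):
    """Forensic view: every sensor's record about one host, in time order."""
    return sorted((e["ts"], e["sensor"], e["msg"]) for e in events if e["host"] == host)


if __name__ == "__main__":
    for a in correlate(EVENTS, INVENTORY, VULNERABILITIES):
        print(a)
    for row in timeline(EVENTS, "10.0.0.5"):
        print(row)
```

With these feeds the same IDS signature fires against two hosts, but only the one the scanner already flagged as vulnerable, and which then opens an outbound connection to the attacking peer, rises to the top of the list; the kiosk alert scores low and stays there. The `timeline` call shows the forensic side: once the SIEM holds every sensor's view of a host, reconstructing what happened is a sort, not a search across a dozen consoles.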

So, with that we'll launch into our product reviews. We have a good crop this month, so please read on.
