This month we look at security information and event management (SIEM) tools. The history of this product group is as interesting as that of last month’s UTMs. SIEMs evolved from security event management (SEM) tools. However, today’s SIEMs are a lot more than just event managers. The products that we are seeing are really a combination of log management, event and flow correlation, and cyber situational awareness tools.
That’s really an important distinction, by the way, as cyber situational awareness is the cornerstone of event management. The SIEM takes in data from wherever it can get it and correlates the input according to rules set up by the organization. Often this means that the SIEM has to take device inventory, vulnerability testing and flow data into account, as well as event data from firewalls, system logs and intrusion detection systems. This means that, in a perfect world, at least, every device on the enterprise is potentially a sensor for the SIEM.
However, these tools are no better than the sensors attached to them. That means that when selecting a SIEM, users should be certain that the device selected can take input from everything on the enterprise network from which security information must be gathered. In the case of a SIEM, the more data points it can look at, the better job it will do. And what, exactly, is the SIEM’s job?
SIEMs often are thought of as alerting tools for large, complicated networks. That is, certainly, one extremely important facet of what it is all about. But there is a lot more. The biggest additional task that a competent SIEM will perform is forensic in nature. Because the SIEM probably is the only thing that sees everything on the enterprise, it has great potential to assist in the forensic reconstruction of a security event.
Probably the biggest barrier to deploying a SIEM in a smaller organization, besides cost, is lack of sensors. Since these offerings don’t usually generate their own data, lack of sensors is a drawback. Those that accept data from a variety of sources – including events and flow data, as well as vulnerabilities and inventory – can generate risk profiles. If we think of the events as threat data and the vulnerabilities as vulnerability data, we have the two main types of data that define risks.
So, with that we’ll launch into our product reviews. We have a good crop this month, so please read on.