This month we say farewell to our lab manager of many years, Mike Stephenson, and we hail our new lead reviewer Jim Hanlon. Mike is moving on to bigger, if not better, things and Jim has been with us as a reviewer for some time, so you’ve seen his work in previous issues. John Aitken, who has been handling operations, will move into the lab manager spot and will be supported technically by Jim.
Jim’s first task was to organize this month’s reviews of SIEM tools and I believe that you are going to like the results. We first started looking at SIEMs when they still were called multipurpose appliances. That moniker evolved to what we now call UTMs. Really, the SIEM is an amalgam of security information monitoring and security event monitoring. These product types existed independently and then combined. The first real SIEM products launched in 1996.
When log management integrated with SIEMs, things started to get rather interesting – especially since SIEMs can ingest a lot of data in a pretty short time. And, it wants to get that data – or, at least you want it to get that data – from as many sources as possible. That means lots of logs in lots of different formats. Even though good SIEM products spit out most of their data in highly abbreviated form – metadata and the like – we still need to be able to drill down to the source data to get the whole picture. That translates into lots of storage and it means log management.
Another tough area for SIEMs is data visualization. Seeing lots of data in context can be quite challenging. Make sure that you have selected a product that you can understand rapidly. When you are in the middle of an event, you don’t want to have to figure out how to see what’s going on.
With all of that said, and much more to come in the reviews, SIEMs today are powerful beasts and they are necessary – if not always sufficient – for the protection of your enterprise in this rapidly changing era of professional attackers. They are, in the strictest sense, monitoring, logging and alerting tools that get their power through aggregation of the outputs of many single point loggers. But, regardless of where they get their power, they are important to your security architecture. And we trust that in this month’s batch of products you will find the SIEM that fits your needs.