Security Event Manager
A security event manager (SEM) (also known by the closely related acronyms SIM and SIEM) is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software running on the network.

SEMs are a relatively new idea, pioneered in 1999 by a small company called E-Security, and as of 2010 are still evolving rapidly. Just a year or two ago they were called security information managers (SIMs), and they are also called security information and event managers (SIEMs). An adjacent but somewhat different market also exists for Log Management; although the two fields are closely related, Log Management typically focuses on the collection and storage of data, whereas SEM focuses on data analysis. Some vendors specialize in one market or the other, and some do both or have complementary products.

Many systems and applications which run on a computer network generate events which are kept in event logs. These logs are essentially lists of activities that occurred, with records of new events being appended to the end of the logs as they occur. Protocols such as Syslog and SNMP can be used to transport these events, as they occur, to logging software that is not on the same host on which the events are generated. Classic Syslog over UDP provides neither delivery guarantees nor authentication of the sender, so transport over TCP or TLS is preferable where the sources support it. The better SEMs provide a flexible array of supported communication protocols to allow for the broadest range of event collection.

It is beneficial to send all events to a centralized SEM system for the following reasons:
  • Access to all logs can be provided through a consistent central interface
  • The SEM can provide secure, forensically sound storage and archival of event logs (this is also a classic Log Management function)
  • Powerful reporting tools can be run on the SEM to mine the logs for useful information
  • Events can be parsed as they hit the SEM for significance, and alerts and notifications can be immediately sent out to interested parties as warranted
  • Related events which occur on multiple systems can be detected, which would be impossible if each system kept only its own separate log
  • Events which have already been sent from a system to a SEM remain on the SEM even if the sending system subsequently fails or its local logs are accidentally or intentionally erased


In addition to collecting and storing data, SEMs distinguish themselves from simpler Log Management tools by providing a deeper level of event analysis. This may include attaching contextual information, such as host information (value, owner, location, etc.), identity information (user details related to accounts referenced in the event, such as first/last name, workforce ID, manager's name, etc.), and so forth. This contextual information can be leveraged to provide better correlation and reporting capabilities.
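As an added illustration (not code from the original article or from any SEM product), the following Python script runs the three functions described above over a handful of constructed syslog lines: it parses events as a collector would receive them over Syslog, attaches host and identity context from small inventory tables, and applies one cross-host correlation rule that no single host's log could satisfy. The log lines, asset and identity tables, host names, addresses and rule thresholds are all invented for the example.

```python
"""Minimal SEM pipeline over constructed syslog lines: parse, enrich, correlate."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from any real system): RFC 3164-style syslog lines as
# relayed from several hosts to one collector. This header format carries no
# year, so the collector has to supply one (here 2010).
SAMPLE_LOG = """\
Mar 14 02:10:01 web01 sshd[2112]: Failed password for jdoe from 198.51.100.7 port 50122 ssh2
Mar 14 02:10:09 db01 sshd[4001]: Failed password for jdoe from 198.51.100.7 port 50130 ssh2
Mar 14 02:10:15 web02 sshd[1987]: Failed password for jdoe from 198.51.100.7 port 50141 ssh2
Mar 14 02:10:44 db01 sshd[4002]: Accepted password for jdoe from 198.51.100.7 port 50160 ssh2
Mar 14 02:11:30 web01 sshd[2113]: Failed password for root from 203.0.113.9 port 40000 ssh2
Mar 14 03:00:00 web01 CRON[2200]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Constructed context tables standing in for an asset inventory and an HR directory.
ASSETS = {
    "web01": {"value": "medium", "owner": "web-team", "location": "dc1"},
    "web02": {"value": "medium", "owner": "web-team", "location": "dc1"},
    "db01": {"value": "high", "owner": "dba-team", "location": "dc1"},
}
IDENTITIES = {"jdoe": {"name": "Jane Doe", "workforce_id": "E1042", "manager": "R. Roe"}}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_syslog(line, year=2010):
    """Parse one RFC 3164-style line into a dict; None if the header does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    auth = SSH_RE.match(ev["msg"])
    if auth:  # only sshd authentication messages get user/src/outcome fields
        ev.update(auth.groupdict())
        ev["outcome"] = "failure" if auth["outcome"] == "Failed" else "success"
    return ev


def enrich(ev):
    """Attach host and identity context; an unknown host is flagged, not dropped."""
    ev["asset"] = ASSETS.get(ev["host"], {"value": "unknown"})
    if "user" in ev:
        ev["identity"] = IDENTITIES.get(ev["user"])
    return ev


def correlate(events, min_hosts=3, window_seconds=300):
    """Cross-host rule: one source failing logins on >= min_hosts distinct hosts within
    window_seconds. No single host's log can show this. Thresholds are illustrative."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("outcome"):
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if first["outcome"] != "failure":
                continue
            window = [e for e in evs[i:]
                      if (e["ts"] - first["ts"]).total_seconds() <= window_seconds]
            failed_hosts = {e["host"] for e in window if e["outcome"] == "failure"}
            if len(failed_hosts) < min_hosts:
                continue
            success = any(e["outcome"] == "success" for e in window)
            high_value = any(e["asset"]["value"] == "high" for e in window)
            alerts.append({
                "rule": "auth-failure-spray",
                "src": src,
                "hosts": sorted(failed_hosts),
                "identities": {e["user"]: e["identity"] for e in window},
                "followed_by_success": success,
                "severity": "high" if success or high_value else "medium",
                "first_seen": first["ts"].isoformat(),
                "last_seen": window[-1]["ts"].isoformat(),
            })
            break  # one alert per source; a real SEM would also suppress repeats
    return alerts


def run_pipeline(text):
    """Collector entry point: parse, enrich and correlate a block of syslog text."""
    events = [enrich(ev) for ev in map(parse_syslog, text.splitlines()) if ev]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOG):
        print(alert)
```

On the sample data the rule fires once: 198.51.100.7 fails against three hosts within fifteen seconds and then succeeds on db01, so the alert is rated high both because the spray ended in a success and because db01 is a high-value asset. The single failure from 203.0.113.9 stays below the threshold. The enriched identity record travels with the alert, which is what lets an analyst or a ticketing integration act on it without a second lookup.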

SEMs can also integrate with external remediation, ticketing, and workflow tools to assist with the process of incident resolution. The better SEMs will provide a flexible, extensible set of integration capabilities to ensure that the SEM will work with most customer environments.

As SEM deployments move beyond logging infrastructural events from routers, switches, servers, firewalls, and so forth, the ability to properly monitor business applications becomes crucial. Since most applications, especially those developed internally or by external software developers, do not include detailed logging, it has become a challenge to incorporate this critical data into SEM products. Potential solutions to this challenge include passive network sniffing of the applications' traffic, among other approaches.

SEMs are often sold to help satisfy U.S. regulatory and industry requirements such as those of Sarbanes-Oxley (SOX), PCI DSS and the Gramm-Leach-Bliley Act (GLBA). In general, the solutions these products can provide extend only to enhanced monitoring and analysis of enterprise computing activity; a SEM is not a "magic bullet" for compliance, but it can be helpful in generating reports to support a limited set of controls.

Standardization

One of the major problems in the SEM space is the difficulty of consistently analyzing event data. Every vendor, and in many cases different products from one vendor, uses a different proprietary event data format and delivery method. Even where a "standard" such as Syslog is used for some part of the chain, the standards typically do not contain enough guidance to tell developers how to generate events, administrators how to gather them correctly and reliably, or consumers how to analyze them effectively.
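To make the problem concrete, here is an added Python example (not part of the original article) that normalizes the same failed-login event from three differently formatted sources into one common record: a CEF-style line from a fictitious "ExampleVendor", a JSON line from an application, and a key=value line modelled on a Windows logon-failure event (event ID 4625). The three sample lines, the field names of the fictitious sources and the mapping tables are assumptions made for the example; the point is that every source needs its own tokenizer, timestamp convention and outcome mapping before two events can even be compared.

```python
"""Normalize one failed-login event arriving in three constructed vendor formats."""
import json
import re
import shlex
from datetime import datetime, timezone

# Constructed sample lines (not from real products). All three describe the same
# event: user jdoe failed to log in to web01 from 198.51.100.7 at 02:10:01 UTC.
CEF_LINE = ("CEF:0|ExampleVendor|ExampleGateway|1.0|100|Login failed|5|"
            "rt=Mar 14 2010 02:10:01 suser=jdoe src=198.51.100.7 dhost=web01")
JSON_LINE = ('{"time": "2010-03-14T02:10:01Z", "event": "authn.failed", '
             '"principal": "jdoe", "client_ip": "198.51.100.7", "node": "web01"}')
WINDOWS_LINE = ('EventTime="2010-03-14 02:10:01" EventID=4625 TargetUserName=jdoe '
                'IpAddress=198.51.100.7 Computer=web01')

# Per-source knowledge the SEM must carry because no shared standard says how an
# outcome is expressed. Windows IDs 4624/4625 are the real logon success/failure
# event IDs; the CEF signature IDs belong to the made-up ExampleVendor.
CEF_OUTCOMES = {"100": "failure", "101": "success"}
JSON_OUTCOMES = {"authn.failed": "failure", "authn.ok": "success"}
WINDOWS_OUTCOMES = {"4625": "failure", "4624": "success"}

# CEF extension values may contain spaces, so tokens are found by looking ahead
# for the next "key=" rather than by splitting on whitespace.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

UTC = timezone.utc


def canonical(ts, host, user, src_ip, outcome, fmt):
    """The common schema every source is mapped onto."""
    return {"ts": ts, "host": host, "user": user, "src_ip": src_ip,
            "action": "login", "outcome": outcome, "source_format": fmt}


def from_cef(line):
    parts = line.split("|", 7)  # 7 header fields, then the extension (may contain '|')
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    ext = dict(CEF_EXT_RE.findall(parts[7]))
    rt = ext.get("rt", "")
    if rt.isdigit():  # CEF allows epoch milliseconds or a textual timestamp
        ts = datetime.fromtimestamp(int(rt) / 1000, tz=UTC)
    else:
        ts = datetime.strptime(rt, "%b %d %Y %H:%M:%S").replace(tzinfo=UTC)
    return canonical(ts, ext.get("dhost"), ext.get("suser"), ext.get("src"),
                     CEF_OUTCOMES.get(parts[4], "unknown"), "cef")


def from_json(line):
    obj = json.loads(line)
    ts = datetime.fromisoformat(obj["time"].replace("Z", "+00:00"))
    return canonical(ts, obj.get("node"), obj.get("principal"), obj.get("client_ip"),
                     JSON_OUTCOMES.get(obj.get("event"), "unknown"), "json")


def from_windows_kv(line):
    kv = {}
    for token in shlex.split(line):  # handles the quoted EventTime value
        key, sep, val = token.partition("=")
        if sep:
            kv[key] = val
    # The source gives no zone; assuming UTC is itself a normalization decision
    # that must match the collector's configuration for that host.
    ts = datetime.strptime(kv["EventTime"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return canonical(ts, kv.get("Computer"), kv.get("TargetUserName"), kv.get("IpAddress"),
                     WINDOWS_OUTCOMES.get(kv.get("EventID"), "unknown"), "windows-kv")


def normalize(line):
    """Dispatch on the wire format; anything unrecognised is an error, not a silent drop."""
    if line.startswith("CEF:"):
        return from_cef(line)
    if line.lstrip().startswith("{"):
        return from_json(line)
    if "EventID=" in line:
        return from_windows_kv(line)
    raise ValueError("unrecognised event format")


def same_event(a, b):
    """True when two normalized records describe the same event regardless of origin."""
    return all(a[k] == b[k] for k in ("ts", "host", "user", "src_ip", "action", "outcome"))


if __name__ == "__main__":
    records = [normalize(line) for line in (CEF_LINE, JSON_LINE, WINDOWS_LINE)]
    for record in records:
        print(record)
    print("all describe the same event:", all(same_event(records[0], r) for r in records))
```

Three tokenizers are needed for three sources, the timestamps arrive in three conventions (one of them without a time zone), and the outcome has to be looked up in a per-source table; an event ID the table does not know is reported as "unknown" rather than guessed. Multiply this by every product in an enterprise and the cost that the standardization efforts below are trying to remove becomes clear.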

As an attempt to combat this problem, a couple of parallel standardization efforts are underway. First, The Open Group is updating its circa 1997 XDAS (Distributed Audit Service) standard, which never made it past draft status. This new effort, dubbed XDAS v2, will attempt to formalize an event format, including which data should be included in events and how it should be expressed. The XDAS v2 standard will not include event delivery standards, but other standards in development by the DMTF may provide a wrapper.

In addition, MITRE is in the midst of a standardization effort called Common Event Expression (CEE) that is somewhat broader in scope: it attempts to define an event structure as well as delivery methods.

See also

  • Computer security incident management
  • Security information management
  • Comparison of network monitoring systems
  • Security Information and Event Management


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.