What is a SIEM? | Definition
Security information and event management (SIEM) systems collect and analyze the activity traces (logs, NetFlow records, etc.) of hosts and infrastructure applications to give security operations a unified view of the information system's security state.
The term was coined in 2005 by Mark Nicolett and Amrit Williams, two Gartner analysts. At the time, two complementary kinds of product were available for monitoring network security:
- SEM (Security Event Management) provides real-time event processing: it extracts alerts, normalizes and correlates them, and notifies operators of threats in real time from an administration console.
- SIM (Security Information Management) provides the capacity to store and index all system traces for analysis, reporting and compliance purposes. SIM tools have only limited correlation capabilities, and not in real time; they are often compliance-oriented (e.g. PCI DSS). SIM tools are also called "Log Management" tools.
Nicolett and Williams highlighted the need to combine these two kinds of tool to manage security better, and coined the term SIEM for the combination.
The role of the SIM is to manage the history of the traces:
- It must be able to store very large volumes of data
- It sometimes offers a normalization format, but this format is generally very simplistic and close to raw syslog
- It offers indexing and search capabilities for analysis and forensic purposes
- It is a tool intended for level 2 (tier 2) analysts and experts.
The role of the SEM, on the contrary, is to work in real time:
- It must be able to process a very large volume of data in real time
- When it identifies suspicious events, it normalizes and enriches them in a format dedicated to intrusion detection
- It must offer advanced correlation capabilities
- Finally, it must offer all the tools necessary for monitoring and handling alerts: notification, ticketing and workflow management.
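The two role lists above (the SIM storing and indexing every trace, the SEM normalizing, enriching and correlating in real time) are easiest to see side by side in code. The following is an added example written for this page, not code from Prelude SIEM or from any product: a minimal pipeline over a few constructed sshd syslog lines. `LogStore` plays the SIM (keep everything, build a searchable index); `Correlator` plays the SEM (enrich each event, then fire an alert when a burst of failed logins from one source is followed by a successful login from the same source inside a time window). The log lines, the `KNOWN_BAD_IPS` indicator list standing in for a CTI feed, the rule name, the threshold and the window size are all assumptions made for the illustration.

```python
"""Toy SIM/SEM pipeline: normalize syslog lines, index them (SIM role),
enrich and correlate them in real time (SEM role). Added example, not product code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real captures). Classic syslog timestamps
# carry no year, so the year is assumed below.
SAMPLE_LOGS = [
    "Mar 10 10:00:01 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Mar 10 10:00:04 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Mar 10 10:00:09 web1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51250 ssh2",
    "Mar 10 10:00:15 web1 sshd[2212]: Accepted password for admin from 203.0.113.7 port 51260 ssh2",
    "Mar 10 10:01:00 web1 sshd[2213]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2",
    "Mar 10 10:02:00 web1 sshd[2214]: Failed password for root from 192.0.2.5 port 33333 ssh2",
]

# Constructed indicator list standing in for an external CTI feed (hypothetical).
KNOWN_BAD_IPS = {"203.0.113.7"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<app>[\w\-]+)\[\d+\]: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def normalize(line, year=2024):
    """Flat, syslog-close normalization: a few common fields plus the raw line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable line: a real SIM would still store the raw text
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ev = {"ts": ts, "host": m["host"], "app": m["app"], "raw": line}
    s = SSH_RE.match(m["msg"])
    if s:  # sshd authentication message: add detection-oriented fields
        ev.update({"category": "auth", "outcome": s["outcome"].lower(),
                   "method": s["method"], "user": s["user"], "src_ip": s["src"]})
    return ev


class LogStore:
    """SIM role: keep every normalized event and an inverted index for search."""

    def __init__(self):
        self.events = []
        self.index = defaultdict(set)  # "field=value" -> set of event ids

    def ingest(self, ev):
        eid = len(self.events)
        self.events.append(ev)
        for k, v in ev.items():
            if k not in ("raw", "ts"):
                self.index[f"{k}={v}"].add(eid)
        return eid

    def search(self, **criteria):
        """AND of all field=value criteria, e.g. search(outcome="failed", src_ip="...")."""
        ids = None
        for k, v in criteria.items():
            hits = self.index.get(f"{k}={v}", set())
            ids = hits if ids is None else ids & hits
        return [self.events[i] for i in sorted(ids or ())]


class Correlator:
    """SEM role: enrich each event and apply a stateful, windowed correlation rule."""

    def __init__(self, threshold=3, window_s=60):
        self.threshold = threshold
        self.window = window_s
        self.failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
        self.alerts = []

    def enrich(self, ev):
        ev["cti_match"] = ev.get("src_ip") in KNOWN_BAD_IPS
        return ev

    def process(self, ev):
        ev = self.enrich(ev)
        if ev.get("category") != "auth":
            return None
        q = self.failures[ev["src_ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > self.window:
            q.popleft()  # expire failures outside the sliding window
        if ev["outcome"] == "failed":
            q.append(ev["ts"])
            return None
        # Successful login: suspicious only if preceded by a burst of failures.
        if len(q) >= self.threshold:
            alert = {"rule": "bruteforce_then_success", "ts": ev["ts"], "host": ev["host"],
                     "src_ip": ev["src_ip"], "user": ev["user"], "failures": len(q),
                     "severity": "high" if ev["cti_match"] else "medium"}
            self.alerts.append(alert)
            q.clear()
            return alert
        return None


def run_pipeline(lines):
    """Feed each line to both roles: the SIM keeps it, the SEM correlates it."""
    store, sem = LogStore(), Correlator()
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            store.ingest(ev)
            sem.process(ev)
    return store, sem


if __name__ == "__main__":
    store, sem = run_pipeline(SAMPLE_LOGS)
    for a in sem.alerts:
        print(a)
    print(len(store.search(src_ip="203.0.113.7")), "events from 203.0.113.7 in the store")
```

The point of the split is visible in the result: the SEM raises one alert (three failures then a success from 203.0.113.7, rated high because the source is on the indicator list) and then forgets the failures it no longer needs, while the SIM still holds all six events, so an analyst can later search the store for every event from that source, including the ones that never became an alert.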
Remark: compared with the 2005 definition, SIEM capabilities now include integration with external Cyber Threat Intelligence (CTI) feeds and artificial intelligence functions such as machine learning, both used to improve detection.
It is possible to monitor your security with only a SIM, but this requires more work and greater skill; with only a SEM, the lack of long-term storage penalizes analysis and forensics. Today the best insurance for detecting the maximum number of anomalies, intrusion attempts or APTs (Advanced Persistent Threats) is to combine SIM and SEM functions in a single tool, as SIEMs like Prelude SIEM do.