What is a SIEM?

The Security Information and Event Management systems (SIEM) ensure collection and analysis of activity traces (logs, netflows, etc.) of hosts and application infrastructure to provide a unified vision of the management of the security of the information system.

The term was coined in 2005 by Mark Nicolett and Amrit Williams, two Gartner analysts. At the time, two complementary but distinct solutions manage the security data of information systems:

• The SEM (Security Event Management) which offers real-time event processing to extract, normalize, correlate and report alerts to the operators in a management console.
• The SIM (Security Information Management) which offers storage capacities and indexing of all traces of systems for analysis and reporting. They are capable of simple ex post correlations and are often oriented towards conformity (eg PCIDSS). SIMs are also called “Log Management” tools.

Nicolett and Williams highlight the need to combine these two tools to improve security management and invented the term SIEM.

The role of SIM and SEM sometimes overlap as to the collection for example, but they each assure very specific functions.

The role of SIM is to manage raw logs:

• It can store very large volumes of unstructured raw data (usually from cutting logs)
• It sometimes offers a standards format, but this format is generally very simplistic and close to syslog
• It provides indexing and research capacity at the end of analysis and forensic
• It is a tool rather intended for level 2 operators and experts

The role of SEM, however, is to work in real time:

• It can handle a very large volume of data in real time
• When it identifies suspicious events, it normalizes and enriches a dedicated intrusion detection format (IDMEF standard for Prelude SIEM)
• It offers advanced real-time correlation capabilities
• Finally it has tools for monitoring and operation of notifications: notification, ticket management and workflow

Note: Compared to the definition of 2005, we must add today in the features list of SIEM the CTI (Cyber Threat Intelligence) or external features of artificial intelligence such as machine learning to improve detection capabilities.

It is possible to monitor the security of an information system with only one SIM but this will require more work and greater competence to analyze the  gathered data, or only with a SEM, but no long-term storage may penalize you for analysis and forensic. Today the best insurance to detect the maximum of anomalies, intrusion attempts or APT (Advanced Persistent Threat) is to combine the SIM and SEM functions into a single tool as do modern SIEMs including Prelude SIEM.