An Analysis of Security Information and Event Management Systems - The Use or SIEMs for Log Collection, Management and Analysis

Abstract

In today's computer network environments huge amounts of security log data are produced. To handle this data and provide an increased level of information security and centralised log management and analysis Security Information and Event Management Systems (or SIEMs) can be used. SIEMs can help organisations that struggle with the various compliance regulations that exist and reduce the risk of intrusions into the network. SIEMs collect and aggregate log data from various devices and applications through software called agents, filter uninteresting data and normalise to a proprietary format, analyse through correlation using contextual information and alert administrators in case of attack. Log data is stored using special security mechanisms in so called write-once-read-many media for compliance reasons. In this paper special attention is also given to security at the log source. An overview of the market is detailed as are suggestions on how to organise the environment around the SIEM and what log data that is worthy of analysis. It is forecasted that compliance will continue to be the most important motivator for procuring SIEMs. The usability and scalability is anticipated to increase as the market continues to grow rapidly and standardisation will become a key factor. More focus will be on incorporating contextual information into the analysis process, especially for identity and access management. Supported types of log sources will increase in number and policy oriented automated response capabilities will be developed.