SIEM

The complexity of the enterprise business architecture has been growing exponentially on account of increasing globalization and adoption of borderless enterprise models. It has grown multi fold to include systems like firewalls, intrusion detection systems, intrusion prevention systems, routers and many more devices. These devices generate information and alerts, which when analyzed in real-time provide actionable insights capable of detecting security threats s that are more diffused and more distributed in nature. The need of the hour is a collection of all potentially useful security information as well as tools that can interpret such information generated by all the software on any given network. This is where Security Information and Event Management (SIEM) comes in.

The collection of data like log files into a centralized repository to analyze trends for information security comprises Security Information management (SIM). Tools used on enterprise data networks for centralizing the storage and interpretation of logs or events by other software running on the same network are called Security Event Managers (SEM’s). The combined use of both for enterprise security is called Security Information and Event Management (SIEM).

How does an SIEM system work for security management

A SIEM system, deploys multiple programs called agents or intelligent agents (these programs automatically gather information based on pre-determined parameters) in a hierarchical order depending on the relative importance of the type of information that is collected through them. These agents collect security related events from end user devices, servers/security equipment, and forward events to a centralized console which analyzes this data. The centralized console flags anomalies by comparing the analyzed information with the profile of the system under normal circumstances, which is usually programmed into it by the administrator.

How do you choose an SIEM product

The key points to keep in mind while selecting a SIEM product are the following –

• It should be able to understand and analyze the logs of all the devices supported by the software solution. It should have a customizable option that can allow the creation of administrator’s own device category. Also, it will be good to have a product that accepts non-standard format logs from legacy devices.
• The solution should integrate with the existing tools.
• The solution should be able to support multiple groups and segregate groups based on departments, geographies and other such categories.
• The solution should be able to provide reports based on the hierarchies in the organization. The higher management should get high level summaries but at the same time the security technicians should get in- depth, detailed read outs.
• It should be compliant with regulatory requirements by supporting and understanding these mandatory parameters.
• The solution should be able to define the importance/ criticality of the devices which will allow the rating of the alert in terms of the severity.

What is the future of SIEM

In the future, SIEM will further bolster the insights provided for security by the separation of security information and events. This might get developed into a distinct service inside the perimeter of the Enterprise IT environment. The accuracy and depth of the insights generated by the SIEM systems will further increase in the future with the increasing fidelity of the data collected by the SIEM systems. As of now it is not an “install and forget” technology as it needs staff skilled in statistics and mathematics, but we can expect it to be a self-driven system in the time to come.