An Analysis of Security Information and Event Management Systems - The Use of SIEMs for Log Collection, Management and Analysis

University essay from Chalmers tekniska högskola/Institutionen för data- och informationsteknik

Abstract: In today's computer network environments huge amounts of security log data are produced. To handle this data and provide an increased level of information security and centralised log management and analysis, Security Information and Event Management Systems (or SIEMs) can be used. SIEMs can help organisations that struggle with the various compliance regulations that exist and reduce the risk of intrusions into the network. SIEMs collect and aggregate log data from various devices and applications through software called agents, filter uninteresting data and normalise it to a proprietary format, analyse it through correlation using contextual information, and alert administrators in case of attack. Log data is stored using special security mechanisms in so-called write-once-read-many media for compliance reasons. In this paper special attention is also given to security at the log source. An overview of the market is given, as are suggestions on how to organise the environment around the SIEM and which log data is worth analysing. It is forecast that compliance will continue to be the most important motivator for procuring SIEMs. Usability and scalability are anticipated to increase as the market continues to grow rapidly, and standardisation will become a key factor. More focus will be on incorporating contextual information into the analysis process, especially for identity and access management. The number of supported types of log sources will increase, and policy-oriented automated response capabilities will be developed.
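The collect, normalise, filter, correlate and alert pipeline the abstract describes, as an added Python illustration that is not part of the essay: it parses constructed sshd and web-server log lines into one common event schema, drops uninteresting events and unparsed lines, and raises an alert when repeated authentication failures from one source and user precede a success within a time window. The schema fields, rule name, thresholds and sample lines are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (sshd syslog and an Apache-style access log); not from the essay.
# The year is assumed because classic syslog lines carry none.
SAMPLE_LOGS = [
    "Mar 10 10:00:01 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 5000 ssh2",
    "Mar 10 10:00:03 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 5001 ssh2",
    "Mar 10 10:00:05 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 5002 ssh2",
    "Mar 10 10:00:09 host1 sshd[1234]: Accepted password for root from 10.0.0.5 port 5003 ssh2",
    "Mar 10 10:00:10 host1 CRON[99]: (root) CMD (run-parts /etc/cron.hourly)",
    '10.0.0.7 - - [10/Mar/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]
ASSUMED_YEAR = 2024
SSH_RE = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
def normalise(line):
    """Normalise stage: map one raw line onto a common schema; None means no parser matched."""
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        kind = "auth_failure" if m.group(3) == "Failed" else "auth_success"
        return {"ts": ts, "host": m.group(2), "type": kind, "user": m.group(4), "src_ip": m.group(5)}
    m = HTTP_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        return {"ts": ts, "host": "web", "type": "http_request", "user": None,
                "src_ip": m.group(1), "status": int(m.group(5))}
    return None
def keep(ev):  # Filter stage: drop events judged uninteresting (here, successful HTTP requests).
    return not (ev["type"] == "http_request" and ev["status"] < 400)
def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation stage: alert when >= threshold failures for (src_ip, user) precede a success within window."""
    failures = defaultdict(list)  # (src_ip, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_ip"], ev["user"])
        if ev["type"] == "auth_failure":
            failures[key].append(ev["ts"])
        elif ev["type"] == "auth_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "src_ip": ev["src_ip"], "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
            failures[key].clear()  # a success resets the counter for this source/user pair
    return alerts
def run_pipeline(lines):
    """Collect -> normalise -> filter -> correlate; returns (kept events, alerts)."""
    events = [ev for ev in map(normalise, lines) if ev is not None and keep(ev)]
    return events, correlate(events)
```

In a real deployment the agent would ship the raw lines to the SIEM and the kept events would also be written to the write-once storage the abstract mentions, so that the evidence behind an alert cannot be altered afterwards.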
