Guide to Security Information Management
The simple facts behind security information management
Security event correlation comes from net management lineageBy Denise Dubie
Security information management (SIM) products – also known as SEM, ESM and SEIM – find their roots in network-management technologies.
SIM software, sometimes packaged by vendors on optimized appliances, uses product architectures similar to those found in traditional network-management tools but incorporates security intelligence, threat knowledge and compliance expertise to help IT executives better manage their security infrastructure and potential enterprise risk. The security-management market evolved earlier in the decade to reduce the manual effort involved in collecting log data from security and network devices.
"Security people thrive on information. But more-complex security infrastructure means that security teams have reams of data to plow through to get to the nuggets of information that they need, whether that be information to identify a threat, investigate an incident, respond to an audit request or to just demonstrate to management that they are doing a good job," says Paul Stamp, a principal analyst with Forrester Research.
Today's tools automatically collect syslog events and application security-related data from PCs, servers and other networked devices to help IT executives stay in front of threats. The products include event aggregation and correlation features to help automate the process of collecting and analyzing the data contained in device logs and syslogs from servers. Many vendors also supply reporting software specific to regulatory-compliance standards.
A primary similarity between SIM and network- and system-management tools is product design. For instance, security-management products typically consist of server software, agent software installed either on servers close to the devices they are monitoring or the devices themselves, and a centralized Web-based management console, from which IT manager configure and administer the product and view reports. In view of the raw log data required to comply with regulations, many SIM products include additional storage capacity and data repositories.
To help IT managers understand threats across their environment, the technologies collect log data, apply data aggregation and event-correlation features to event and security logs generated from firewalls, proxy servers, intrusion-detection and -prevention systems and antivirus software. SIM vendors work to support specific vendor products, such as Cisco routers, Check Point firewalls or Microsoft domain controllers to make collecting logs from them systems easier.
IT managers can work with their vendor to request support for specific network or security logs, but even with such support IT managers when deploying the technology must configure devices and systems to expose the log data to the SIM product. Then the software normalizes, or translates, the log data formats from Cisco, Microsoft, Check Point and other data sources into one common language so that they can be properly correlated.
Many SIM suites include multiple applications to address different event-management and security-threat issues. For instance, a suite could include an event manager designed to collect the network and security events and display data related to them in a management console. A suite might also have an intrusion-detection piece that scans the collected logs for known threats or anomalous behavior that could pose a risk to the environment. An increasing number of SIM products feature log management -- if not a stand-alone log-management application -- to handle the proper storage and archiving of all logs captured across multiple devices and systems.
"SIM [products] have to be life-cycle products. A lot of SIM vendors call log management complementary; that's simply a sign that they haven't finished their products," says Joel Snyder, a senior partner with Opus One. "You have to have SIM that can take you from 'get a syslog' all the way to 'generate compliance reports' and everything in between."