Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 Overview 2 Event logs 3 Security analysis 4 Regulatory requirements 5 Standardization 6 See also 7 References 8 External links

Security event management

●Français Edit links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia (Redirected from Security event manager)

Security event management (SEM), and the related SIM and SIEM, are computer security disciplines that use data inspection tools to centralize the storage and interpretation of logs or events generated by other software running on a network.^[1]^[2]^[3]

Overview[edit]

The acronyms SEM, SIM and SIEM have sometimes been used interchangeably,^[3]^: 3^[4] but generally refer to the different primary focus of products:

Log management: Focus on simple collection and storage of log messages and audit trails^[5]
Security information management (SIM): Long-term storage as well as analysis and reporting of log data.
Security event manager (SEM): Real-time monitoring, correlation of events, notifications and console views.
Security information and event management (SIEM): Combines SIM and SEM and provides real-time analysis of security alerts generated by network hardware and applications.^[6]^[7]

Event logs[edit]

Many systems and applications which run on a computer network generate events which are kept in event logs. These logs are essentially lists of activities that occurred, with records of new events being appended to the end of the logs as they occur. Protocols, such as syslog and SNMP, can be used to transport these events, as they occur, to logging software that is not on the same host on which the events are generated. The better SEMs provide a flexible array of supported communication protocols to allow for the broadest range of event collection.

It is beneficial to send all events to a centralized SEM system for the following reasons:

Access to all logs can be provided through a consistent central interface.
The SEM can provide secure, forensically sound storage and archival of event logs (this is also a classic log management function).
Powerful reporting tools can be run on the SEM to mine the logs for useful information.
Events can be parsed as they hit the SEM for significance, and alerts and notifications can be immediately sent out to interested parties as warranted.
Related events which occur on multiple systems can be detected which would be very difficult to detect if each system had a separate log.
Events which are sent from a system to a SEM remain on the SEM even if the sending system fails or the logs on it are accidentally or intentionally erased.

Security analysis[edit]

Although centralised logging has existed for long time, SEMs are a relatively new idea, pioneered in 1999 by a small company called E-Security,^[8] and are still evolving rapidly. The key feature of a Security Event Management tool is the ability to analyse the collected logs to highlight events or behaviors of interest, for example an Administrator or Super User logon, outside of normal business hours. This may include attaching contextual information, such as host information (value, owner, location, etc.), identity information (user info related to accounts referenced in the event like first/last name, workforce ID, manager's name, etc.), and so forth. This contextual information can be leveraged to provide better correlation and reporting capabilities and is often referred to as Meta-data. Products may also integrate with external remediation, ticketing, and workflow tools to assist with the process of incident resolution. The better SEMs will provide a flexible, extensible set of integration capabilities to ensure that the SEM will work with most customer environments.

Regulatory requirements[edit]

This section needs expansion. You can help by adding to it. (May 2018)

SEMs are often sold to help satisfy U.S. regulatory requirements such as those of Sarbanes–Oxley, PCI-DSS, GLBA.^{[citation needed]}

Standardization[edit]

One of the major problems in the SEM space is the difficulty in consistently analyzing event data. Every vendor, and indeed in many cases different products by one vendor, uses a different proprietary event data format and delivery method. Even in cases where a "standard" is used for some part of the chain, like Syslog, the standards don't typically contain enough guidance to assist developers in how to generate events, administrators in how to gather them correctly and reliably, and consumers to analyze them effectively.

As an attempt to combat this problem, a couple of parallel standardization efforts are underway. First, The Open Group is updating their circa 1997 XDAS standard, which never made it past draft status. This new effort, dubbed XDAS v2, will attempt to formalize an event format including which data should be included in events and how it should be expressed.^{[citation needed]} The XDAS v2 standard will not include event delivery standards but other standards in development by the Distributed Management Task Force may provide a wrapper.

In addition, MITRE developed efforts to unify event reporting with the Common Event Expression (CEE) which was somewhat broader in scope as it attempted to define an event structure as well as delivery methods. The project, however, ran out of funding in 2014.

References[edit]

^ "Security Event Management". Archived from the original on 2014-10-19. Retrieved 2013-07-17. SIEM

^ "Preparing for Security Event Management" (PDF). 360 Information Security Ltd. Archived from the original (PDF) on Jun 22, 2023.

^ ^a ^b Swift, David (26 December 2006). "A Practical Application of SIM/SEM/SIEM, Automating Threat Identification" (PDF). SANS Institute. Retrieved 14 June 2024.

^ Kelley, Diana (March 2004). "Report: Security Management Convergence via SIM (Security Information Management)—A Requirements Perspective". Journal of Network and Systems Management. 12 (1): 137–144. doi:10.1023/B:JONS.0000015702.05980.d2. ISSN 1064-7570. S2CID 1204926.

^ http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf ^{[bare URL PDF]}

^ "SIEM: A Market Snapshot". Dr.Dobb's Journal. 5 February 2007.

^ The Future of SIEM - The market will begin to diverge

^ "Novell buys e-Security", 2006, ZDNet

External links[edit]

Retrieved from "https://en.wikipedia.org/w/index.php?title=Security_event_management&oldid=1229093597" Category: ●Computer security software Hidden categories: ●All articles with bare URLs for citations ●Articles with bare URLs for citations from March 2022 ●Articles with PDF format bare URLs for citations ●Articles to be expanded from May 2018 ●All articles to be expanded ●Articles using small message boxes ●All articles with unsourced statements ●Articles with unsourced statements from January 2016 ●Articles with unsourced statements from September 2019 ●This page was last edited on 14 June 2024, at 20:37 (UTC). ●Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view