Anitian Enterprise Security
888.ANITIAN
info@anitian.com

Security Information / Event Management (SIM/SEM/SIEM)

As networks grow and become more complex, so too does the amount of data they produce. Everything, from switches to databases, produces event logs. Part of operating a secure infrastructure is collecting, reviewing and managing the deluge of event data. Security Information Management (SIM) or Security Event Management (SEM) (sometimes combined as SIEM) can provide automated methods to gather, normalize, store and analyze event and log data.

SIM provides an enterprise-wide security monitoring and administration solution that collects data on events, analyzes the data, and provides a suitable response to threats on enterprise assets. It is positioned as a security information management tool that can be used by enterprise-class network management centers or managed security service providers with interest in protecting physical and/or logical assets.

SIM Features

A good SIM deployment can offer many strong benefits, including:

  • Event/log storage & archiving
    A good SIM provides a common platform for gathering, normalizing, and archiving logs and event data.
  • Event aggregation and filtering
    A SIM helps locate key events in a deluge of noise.
  • Searching & analysis
    SIM products automate searching and analyzing event data.
  • Reporting
    A SIM can help establish metrics for analyzing IT and security performance.
  • Proactive alerting
    A good SIM provides real-time alerts regarding potentially dangerous activity.
  • Incident Response
    A well-managed SIM provides valuable information to security analysts in the event of a security incident.
  • Compliance
    Many regulations require log and event management of some type. A SIM installation can help achieve compliance (it will not guarantee it).
  • Insight
    Properly used, a SIM can give network security staff unique insight into operations and help troubleshoot problems.
  • Increased efficiency
    A well-implemented SIM can help optimize the staff resources required to investigate and analyze security and network incidents.

Log Management vs. SIM

Log Management (LM) and SIM are very different technologies. LM products are centralized repositories for logs generated throughout the enterprise. LM will parse and normalize data for long-term storage. Some LM products include basic reporting, searching and analysis tools.

SIM products offer the same basic functionality as LM products, but offer deeper analytical and alerting capabilities, often correlating data across multiple data sources to identify potential security events.
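The distinction above (LM parses and normalizes; SIM additionally correlates across sources and alerts) is easier to see in code. The following Python script is an added illustration and is not part of Anitian's material or any product; the log lines, the common event schema, the year assumed for the syslog timestamps and the correlation rule (three failed logins from one address followed by a successful login within five minutes, enriched with firewall events from the same address) are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in two formats: BSD-style syslog from sshd, and
# key=value records from a firewall. Not captured from any real system.
SAMPLE_LOGS = [
    "Mar 10 08:00:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 10 08:00:03 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar 10 08:00:05 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar 10 08:00:09 bastion sshd[2215]: Accepted password for root from 203.0.113.7 port 51025 ssh2",
    "Mar 10 08:01:00 bastion sshd[2220]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2",
    "time=2024-03-10T08:00:02Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp",
    "time=2024-03-10T08:00:04Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Accepted|Failed)\s+\w+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>[\d.]+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample


def normalize(line):
    """LM step: parse one raw line into a common schema, or None if unrecognized."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["src"],
                "user": m["user"], "action": "login",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    if line.startswith("time="):
        kv = dict(KV_RE.findall(line))
        ts = datetime.strptime(kv["time"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "source": "firewall", "host": kv.get("dst"), "src_ip": kv["src"],
                "user": None, "action": "connection",
                "outcome": "success" if kv["action"] == "allow" else "failure"}
    return None


def aggregate_failures(events):
    """LM-style aggregation: count failed events per source address across all sources."""
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] == "failure":
            counts[e["src_ip"]] += 1
    return dict(counts)


def correlate_bruteforce_success(events, threshold=3, window=timedelta(minutes=5)):
    """SIM-style correlation: `threshold` failed logins from one address followed by a
    successful login from the same address inside `window` raises an alert. The alert is
    enriched with the number of firewall events from that address in the same window,
    which is the cross-source step a plain log store does not perform."""
    alerts = []
    by_ip = defaultdict(list)
    firewall = [e for e in events if e["source"] == "firewall"]
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "login":
            by_ip[e["src_ip"]].append(e)
    for ip, logins in by_ip.items():
        failures = []
        for e in logins:
            if e["outcome"] == "failure":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= window]
            if len(recent) >= threshold:
                related = sum(1 for f in firewall if f["src_ip"] == ip
                              and abs((f["ts"] - e["ts"]).total_seconds()) <= window.total_seconds())
                alerts.append({"rule": "bruteforce_then_success", "src_ip": ip,
                               "user": e["user"], "failures": len(recent),
                               "related_firewall_events": related, "ts": e["ts"]})
            failures = []  # a success closes the current failure run
    return alerts


def run_pipeline(lines):
    """Normalize, aggregate and correlate; returns (events, failure counts, alerts)."""
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return events, aggregate_failures(events), correlate_bruteforce_success(events)


if __name__ == "__main__":
    events, counts, alerts = run_pipeline(SAMPLE_LOGS)
    print(f"{len(events)} events normalized; failures per source: {counts}")
    for a in alerts:
        print("ALERT", a)
```

Everything up to `aggregate_failures` is what an LM product does: parse each format into one schema and count. `correlate_bruteforce_success` is the part that makes a SIM, because it reasons about event sequence, time and a second data source rather than each line in isolation; on the sample it fires once, for the address whose three failures precede a successful root login, and stays quiet for the key-based login that had no failures before it.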

Log Management Features

Some of the common functions of a log management system include:

  • Event/log storage & archiving
    A good LM will provide a common platform for gathering, normalizing, and archiving logs and event data.
  • Event aggregation and filtering
    Some LM products offer basic event filtering and aggregation capabilities.
  • Reporting
    Most LM products have rudimentary reporting capabilities.
  • Incident response
    LM products can be helpful when tracking down incidents, as all the event log data is in one place.
  • Searching & analysis
    Most LM products have some basic search and analytical tools.

For more information, please call 888.ANITIAN, or email Anitian Enterprise Security.