As is often the case in the technology industry, the details surrounding security information and event management can be a little unclear. While vendors may offer solutions of varying complexity, there is still a basic idea behind most SIEM products: They centralize network activity into a format that is more easily digestible. SC Magazine’s Peter Stephenson highlighted a few features that SIEM products usually come equipped with:
- Ability to send alerts based on predefined settings
- Reporting functionality to ease the burden of compliance and audits
- Ability to look at data in varying levels of detail
If you’re thinking that sounds a lot like an intrusion detection system, you would be right.
IDS on Steroids
However, it’s the amount and variety of data that differentiates SIEM products from other security tools. As Stephenson put it, they’re “a sort of intrusion detection system on steroids.” These products also standardize different data sets so that the technology’s analysis algorithms can use the information together. This forms a more complete picture of network activity and security events.
Many organizations will also need to consider the compliance implications of a SIEM product. While these solutions do not have to be purpose-built to satisfy specific regulatory needs, it’s important to ensure that they collect and analyze the type of data that would be required in an audit. Activities such as object and user profile changes should all be monitored and well documented.
Is SIEM Necessary?
SIEM may not be a new technology, but it has evolved due to widespread adoption. According to a 2012 report from Info-Tech Research Group, interest in these solutions surged noticeably within a year and a half. This led to large changes in the market itself.
Some technology vendors have questioned whether SIEM actually provides value or is an outdated solution. However, answering this question requires an understanding of how SIEM should be used.
As Gartner research director Anton Chuvakin explained, SIEM is not intended to stop hackers because it is a monitoring solution – one that has grown in effectiveness as the technology matured.
Like any other security solution, SIEM should be considered a single tool within a large toolbox. If used on its own, it will not be effective in mitigating every risk that organizations face, but used in concert with other solutions, SIEM can be an essential component of a comprehensive IT security strategy.
Interact is PowerTech’s real-time IBM i security event monitor that allows users to monitor, capture, and send security-related events from their IBM i servers directly to SIEM solutions. Interact recently received HP ArcSight Comment Event Format (CEF) certification.