SIEM – Alert Management

  • Installation or evaluation of alert management tools such as a log collector or a SIEM (Security Information and Event Management) system.
  • Proposed security indicators usable in dashboards.

    Definition of SIEM

    Security Information and Event Management, or SIEM, is a security management approach that provides a holistic view of a company’s IT security.

    The SIEM principle consists in examining, from a single point of view, security-related data that is generated at many points across the company. This approach facilitates the identification of trends and unusual patterns.
    A SIEM solution combines Security Information Management (SIM) and Security Event Management (SEM) functions within a single security management system.
    An SEM system centralizes the storage and interpretation of logs, and allows real-time or near-real-time analysis. This allows security personnel to take defensive action faster.

    A SIM system collects data and places it in a central repository for trend analysis. Compliance reporting is automated and centralized. By combining these two functions, a SIEM accelerates the identification and analysis of security events, as well as the ensuing recovery. It enables managers to meet the company’s legal compliance requirements.

    In addition, a SIEM collects all security-related records, including logs, for analysis. Most SIEM systems work by deploying a multitude of collection agents in a hierarchical manner. These agents collect security-related events from users’ devices, servers, network equipment, and even specialized security equipment such as firewalls, anti-virus and intrusion detection systems. Collectors installed in this way forward events to a centralized management console that performs inspections and reports anomalies.

    To enable the system to identify abnormal events, it is important that the SIEM administrator first develop a profile of the system under normal operating conditions.

    At the most basic level, a SIEM system can be rule-based or use a statistical correlation engine to establish relationships between event log entries. In some systems pre-processing may occur at the collectors, so that only certain events are transmitted to the centralized administration node. This pre-processing reduces the amount of information communicated and stored. However, this approach carries the risk of filtering out relevant events too early.
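    The following is an added example, not code from the original page or from any particular SIEM product. It shows in miniature the two correlation styles described above and the baseline profile mentioned earlier: a rule-based correlation (several failed logins from one source followed by a success within a short window), a statistical check of a host’s failed-login count against a baseline profile recorded under normal operation, and a collector-side pre-filter that illustrates how dropping events too early can make the rule miss the pattern. The log lines, host names, user names and baseline counts are constructed for the example; the log format is hypothetical.

```python
"""Miniature SIEM correlation engine over constructed, syslog-style auth events."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Constructed sample events (hypothetical hosts, users and addresses; not real log data).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 host=web01 user=alice result=FAIL src=10.0.0.5
2024-03-01T10:00:04 host=web01 user=alice result=FAIL src=10.0.0.5
2024-03-01T10:00:07 host=web01 user=alice result=FAIL src=10.0.0.5
2024-03-01T10:00:09 host=web01 user=alice result=FAIL src=10.0.0.5
2024-03-01T10:00:12 host=web01 user=alice result=SUCCESS src=10.0.0.5
2024-03-01T10:05:00 host=db01 user=bob result=SUCCESS src=10.0.0.9
2024-03-01T10:06:00 host=db01 user=bob result=FAIL src=10.0.0.9
2024-03-01T10:07:00 host=db01 user=bob result=SUCCESS src=10.0.0.9
"""

# Constructed baseline profile: FAIL counts per host observed in five earlier,
# normal hours. This stands in for the "profile under normal operating conditions".
BASELINE_FAILS_PER_HOUR = {"web01": [0, 1, 0, 1, 0], "db01": [1, 2, 1, 1, 2]}

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) result=(\S+) src=(\S+)$")


def parse(text):
    """Parse the hypothetical key=value log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, user, result, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "user": user, "result": result, "src": src})
    return events


def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=1)):
    """Rule-based correlation: at least `threshold` FAILs for the same user/src
    inside `window`, followed by a SUCCESS from the same user/src."""
    alerts = []
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of recent FAILs
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src"])
        # Keep only failures still inside the sliding window.
        recent_fails[key] = [t for t in recent_fails[key] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            recent_fails[key].append(e["ts"])
        elif e["result"] == "SUCCESS":
            if len(recent_fails[key]) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "user": e["user"],
                               "src": e["src"], "fails": len(recent_fails[key]), "ts": e["ts"]})
            recent_fails[key] = []  # a success closes the sequence
    return alerts


def statistical_anomalies(events, baseline, z_threshold=3.0):
    """Statistical correlation: flag hosts whose observed FAIL count deviates from
    the baseline profile by more than `z_threshold` standard deviations."""
    observed = Counter(e["host"] for e in events if e["result"] == "FAIL")
    anomalies = []
    for host, history in baseline.items():
        mean = statistics.mean(history)
        std = statistics.stdev(history) or 1.0  # flat baseline: avoid division by zero
        z = (observed.get(host, 0) - mean) / std
        if z >= z_threshold:
            anomalies.append({"host": host, "observed": observed.get(host, 0), "z": round(z, 2)})
    return anomalies


def collector_prefilter(events, keep_results):
    """Collector-side pre-processing: forward only events whose result is in `keep_results`.
    Forwarding FAIL events alone drops the SUCCESS that the rule above needs."""
    return [e for e in events if e["result"] in keep_results]


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print("rule alerts:", rule_bruteforce_then_success(events))
    print("statistical anomalies:", statistical_anomalies(events, BASELINE_FAILS_PER_HOUR))
    filtered = collector_prefilter(events, keep_results={"FAIL"})
    print("rule alerts after FAIL-only pre-filter:", rule_bruteforce_then_success(filtered))
```

    Run as a script, the rule fires once for alice (four failures then a success within a minute), the statistical check flags web01 (four failures against a baseline that averages well under one per hour) but not db01, and the same rule produces no alert once the collector forwards only FAIL events, which is the early-filtering risk described above.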

    In general, the deployment of SIEM systems is costly, while their administration and operation are complex.

    While PCI DSS (Payment Card Industry Data Security Standard) compliance generally favors the adoption of such a solution in large enterprises, many SMEs concerned about advanced persistent threats (APTs) are beginning to examine the benefits that managed security service providers offering the SIEM approach can provide.