Security Information and Events Management (SIEM)
Incorporates three types of security tools into a single application:
Security Event Management (SEM).
Very similar to LMS.
Aggregates log files from multiple systems, but they are more geared towards the needs of IT security analysts instead of system administrators.
Security Information Management (SIM).
Software tools used to identify, collect, and analyze data from event logs.
Include automated features and alerts that can be triggered when predetermined conditions are satisfied that might indicate that the network is compromised.
Help security analysts automate the incident response process and generate more precise reports on the organization's security position/past.
Security Event Correlation (SEC)
Software is used to process and search massive quantities of event logs and discover correlations and connections between events that could indicate a security issue.
LMS vs. SIEM
LMS tools are more focused on:
Log Data Collection, efficient Retention of Data, log indexing, search functions, and reporting.
SIEM tools are more focused on:
Threat detection alerts, event correlation, and dashboarding (real-time monitoring with custom events visibility).
The evolution of traditional LMS, designed mainly for system administration support, made them functionally much closer to SIEM tools developed from scratch as security tools.
SIEM Event Correlation (examples)
Brute force detection
Excessive 404 errors (HTTP server Log) from a non-authenticated client (DB Log).
Excessive login failures (services or DB Logs) at one or multiple services.
From a specific IP address (or set of IP addresses).
From “strange” geographic regions or AS.
Non-matching credentials.
From internal machines with non-matching user credentials (RADIUS/LDAP Logs).
Impossible travel
Multiple logins from the same user from different devices/locations.
Consecutive logins from the same user from distant geographic regions within a small time window. VPN usage may trigger such an alarm.
Anomalous data transference
Excessive data transference is not compatible with past observations.
Absolute time of the day, relative time behavior, unknown end device, etc...
DDoS attack
Excessive connection attempts from “never seen” devices/addresses/regions.
Ideal detection in the early phase of the attack.
Files/Configurations integrity fails
Specific device/service configuration file checksum failure, non-justifiable by observed actions.
Generic file checksum failure, non-justifiable by observed actions.
Last updated