SIEM: A rose by any other name


SLM/LMS, SIM, SEM, SEC, SIEM

Following is an extract from the AlienVault whitepaper “SIEM-for-Beginners

Although the industry has settled on the term ‘SIEM’ as the catch-all term for this type of security software, it evolved from several different (but complementary)   technologies that came before it.

    LMS “Log Management System” – a system that collects and stores log files (from operating systems, applications, etc)    from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from   each system individually.

    SLM /SEM “security Log/Event Management” – an LMs, but marketed towards security analysts instead of system    administrators. SEM is about highlighting log entries as more significant to security than others.

    SIM “security information Management” – an asset Management system, but with features to incorporate security information   too. Hosts may have vulnerability reports listed in their summaries, intrusion detection and antivirus alerts may be shown    mapped to the systems involved.

    SEC “security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account    from three different clients, are just three lines in their logfile. To an analyst, that is a peculiar sequence of events worthy of   investigation, and Log Correlation (looking for patterns in log files) is a way to raise alerts when these things happen.

    SIEM “security information and Event Management” – SIEM is the “all of the above” option, and as the above technologies    become merged into single products, became the generalized term for managing information generated from security controls   and infrastructure.

Comments