SIEM: A rose by any other name
SLM/LMS, SIM, SEM, SEC, SIEM
Following is an extract from the AlienVault whitepaper “SIEM-for-Beginners”
Although the industry has settled on the term ‘SIEM’ as the catch-all term for this type of security software, it evolved from several different (but complementary) technologies that came before it.
• LMS “Log Management System” – a system that collects and stores log files (from operating systems, applications, etc) from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from each system individually.
• SLM /SEM “security Log/Event Management” – an LMs, but marketed towards security analysts instead of system administrators. SEM is about highlighting log entries as more significant to security than others.
• SIM “security information Management” – an asset Management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries, intrusion detection and antivirus alerts may be shown mapped to the systems involved.
• SEC “security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account from three different clients, are just three lines in their logfile. To an analyst, that is a peculiar sequence of events worthy of investigation, and Log Correlation (looking for patterns in log files) is a way to raise alerts when these things happen.
• SIEM “security information and Event Management” – SIEM is the “all of the above” option, and as the above technologies become merged into single products, became the generalized term for managing information generated from security controls and infrastructure.