SIEM: A rose by any other name
SLM/LMS, SIM, SEM, SEC, SIEM

Following is an extract from the AlienVault whitepaper “SIEM for Beginners”:
Although the industry has settled on the term ‘SIEM’ as the catch-all term for this type of security software, it evolved from several different (but complementary) technologies that came before it.
• LMS “Log Management System” – a system that collects and stores log files (from operating systems, applications, etc.) from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from each system individually.
• SLM/SEM “Security Log/Event Management” – an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting log entries as more significant to security than others.
• SIM “Security Information Management” – an asset management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries, and intrusion detection and antivirus alerts may be shown mapped to the systems involved.
• SEC “Security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account from three different clients are just three lines in its logfile. To an analyst, that is a peculiar sequence of events worthy of investigation, and Log Correlation (looking for patterns in log files) is a way to raise alerts when these things happen.
• SIEM “Security Information and Event Management” – SIEM is the “all of the above” option and, as the above technologies became merged into single products, became the generalized term for managing information generated from security controls and infrastructure.
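The SEC bullet above is the one piece of the list that describes an actual mechanism, so here is a small correlator that implements exactly that rule: parse sshd-style authentication lines, group failures per account, and alert when one account fails from three (or more) distinct client addresses inside a short window. This is an added illustrative example, not code from the AlienVault whitepaper or from any SIEM product; the log lines are constructed (RFC 5737 documentation addresses), the year is an assumption because syslog omits it, and the threshold and window are arbitrary tunables.

```python
"""Minimal log correlation: the "three failed logins from three clients"
pattern from the SEC description, run over constructed sshd log lines.
Added example, not AlienVault/OSSIM code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from a real host). OpenSSH syslog format; note
# that 'bob' fails three times from ONE client, 'alice' from THREE.
SAMPLE_LOG = """\
Mar  4 10:01:02 web01 sshd[2231]: Failed password for alice from 203.0.113.5 port 51022 ssh2
Mar  4 10:01:09 web01 sshd[2235]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Mar  4 10:01:15 web01 sshd[2240]: Accepted password for bob from 192.0.2.10 port 50120 ssh2
Mar  4 10:01:21 web01 sshd[2244]: Failed password for alice from 192.0.2.44 port 60010 ssh2
Mar  4 10:03:30 web01 sshd[2290]: Failed password for bob from 192.0.2.10 port 50121 ssh2
Mar  4 10:03:41 web01 sshd[2291]: Failed password for bob from 192.0.2.10 port 50122 ssh2
Mar  4 10:03:52 web01 sshd[2292]: Failed password for bob from 192.0.2.10 port 50123 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(text, year=2024):
    """Return a list of event dicts for every sshd auth line that matches.
    Lines that do not match (other daemons, noise) are skipped. 'year' is
    an assumption: syslog timestamps carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Mar  4" -> "Mar 4"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Raise one alert per account whose failed logins come from at least
    'threshold' distinct client addresses within 'window'. Repeated
    failures from a single client (a user mistyping) do NOT fire this rule;
    that would be a separate brute-force rule."""
    failures = defaultdict(list)  # user -> [(ts, src)] inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "Failed":
            continue
        hist = failures[ev["user"]]
        hist.append((ev["ts"], ev["src"]))
        cutoff = ev["ts"] - window
        hist[:] = [(t, s) for t, s in hist if t >= cutoff]  # expire old entries
        sources = {s for _, s in hist}
        if len(sources) >= threshold:
            alerts.append({"user": ev["user"], "sources": sorted(sources),
                           "first": hist[0][0], "last": ev["ts"]})
            hist.clear()  # do not re-fire on the same burst
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(f"ALERT: {a['user']} failed from {len(a['sources'])} clients "
              f"{a['sources']} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Run as-is it reports only alice; bob's three failures are three lines from one client and stay quiet, which is the distinction the SEC paragraph is making. Shrinking the window (for example to ten seconds) makes alice's burst fall outside it and suppresses the alert, so window and threshold are the knobs an analyst tunes against false positives.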