Security Information and Event Management System
Security information and event management (SIEM) combines security information management (SIM) and security event management (SEM) functions into one security management system. SIEM collects relevant data about an enterprise’s security posture in multiple locations and analyzes all the data from a single point of view, providing the capability to spot trends and patterns that may be the result of malicious activity.
The SIEM system complements intrusion detection and prevention systems (IDPS) by correlating events logged by different technologies, displaying data from many event sources, and providing supporting information from other sources to help administrators verify the accuracy of alerts. SIEM data is usually recorded locally and sent to separate systems, such as centralized logging servers and the master SIEM system.
Advanced SIEM systems correlate event, threat, and risk information to detect attacks, possibly in realtime, and support forensic investigations and produce compliance reports as a result of activity monitoring.
Figure 1 – An example of a SIEM architecture.
Figure 1 shows a SIEM architecture providing for log collection, analysis and forensics, event correlation, and IT compliance evidence for auditing and monitoring. Local SEM sensors located within the organization’s networks collect and forward events to a master SIEM.