SIEM: Security Info and Event Management Dos and Don'ts
Advice from the front lines on choosing and using a Security Information and Event Management (SIEM) product
By Mary Brandel
December 02, 2009 — CSO —
Security information and event management (SIEM) technology performs two main functions, according to Gartner:
1. Security event management (SEM): Analyzes log and event data in real time to provide threat monitoring, event correlation and incident response. Data can be collected from security and network devices, systems and applications.
2. Security information management (SIM): Collects, analyzes and reports on log data (primarily from host systems and applications, but also from network and security devices) to support regulatory compliance initiatives, internal threat management and security policy compliance management.
SIEM: A Growing Market
Worldwide revenue for SIEM was $663.3 million in 2008 and is expected to grow to $1.4 billion in 2013, which is a compound annual growth rate of 16 percent, according to IDC. Meanwhile, Gartner estimates that SIEM was a $1 billion market in 2008, with growth of 30 percent that year.
Historically, event management—or SEM—has driven this market, but today's growth is mainly related to regulatory compliance, with secondary requirements for effective threat monitoring, according to Kelly Kavanaugh, an analyst at Gartner. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires log management, and the Sarbanes-Oxley Act requires privileged user reporting, he says.
Traditional SEM vendors have responded by adding log management functionality to products previously geared toward real-time event alerting and management. For instance, ArcSight added its Logger appliance and additional deployment options to address compliance. Meanwhile, SIM players such as SenSage and LogLogic are adding real-time capabilities.
Jon Oltsik, an analyst at Enterprise Strategy Group, sees the market differently. The main driver, he says, is the need to keep up with security complexity. "There is an acute awareness that security attacks are more sophisticated and that security at a system level is harder than at the device level," he says. Compliance is the second most important factor, he says, and the third is the need to replace early SIEM platforms that don't scale or provide the right level of analytics and reporting capabilities.
Forrester expects consolidation among the 20-plus SIEM vendors in the next 12 to 36 months, as well as more cloud-based SIEM services.
Core Capabilities of SIEM
According to Gartner, five critical capabilities differentiate SIEM products, whether you use them for SEM, SIM or both.
Log management. This includes functions that support the cost-effective collection, indexing, storage and analysis of large volumes of information, including log and event data, as well as the ability to search and report on it. Reporting capabilities should include predefined reports, ad hoc reports and support for third-party reporting tools.
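To make the SEM/SIM split from Gartner's definitions above, and the log management capability just described, concrete, here is an added example that is not from the article or from any SIEM vendor. It runs one normalized event stream through both roles: a streaming correlation rule (the SEM side: real-time threat monitoring) and an inverted index with ad hoc search and a predefined report (the SIM side: collection, indexing, search and compliance reporting). The log lines are constructed, the sshd/sudo layout is simplified syslog, and the "three failures within 60 seconds, then a success" rule with its threshold and window is a hypothetical choice, not a product default.

```python
"""SEM and SIM functions demonstrated on one normalized event stream (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd/sudo lines in a simplified syslog layout; not captured from any real host.
SAMPLE_LOGS = """\
2009-12-02T10:00:01 host1 sshd[101]: Failed password for alice from 203.0.113.9 port 4001 ssh2
2009-12-02T10:00:05 host1 sshd[101]: Failed password for alice from 203.0.113.9 port 4002 ssh2
2009-12-02T10:00:09 host1 sshd[101]: Failed password for alice from 203.0.113.9 port 4003 ssh2
2009-12-02T10:00:12 host1 sshd[101]: Accepted password for alice from 203.0.113.9 port 4004 ssh2
2009-12-02T10:05:00 host2 sshd[202]: Failed password for bob from 198.51.100.7 port 5001 ssh2
2009-12-02T10:30:00 host2 sshd[202]: Accepted publickey for bob from 198.51.100.7 port 5002 ssh2
2009-12-02T10:31:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def normalize(line):
    """Map a raw line onto a common schema; None for lines we have no parser for."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "event": "auth_success" if m["outcome"] == "Accepted" else "auth_failure",
                "user": m["user"], "src": m["src"], "detail": m["method"]}
    m = SUDO_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "event": "priv_exec", "user": m["user"], "src": "-",
                "detail": "%s as %s" % (m["cmd"], m["target"])}
    return None


class BruteForceCorrelator:
    """SEM side: stateful streaming rule. Threshold and window are hypothetical, not a vendor default."""

    def __init__(self, threshold=3, window_seconds=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self._failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures

    def feed(self, ev):
        key = (ev["src"], ev["user"])
        if ev["event"] == "auth_failure":
            self._failures[key].append(ev["ts"])
            return None
        if ev["event"] != "auth_success":
            return None
        q = self._failures[key]
        cutoff = ev["ts"] - self.window
        while q and q[0] < cutoff:  # expire failures that fell out of the window
            q.popleft()
        recent = len(q)
        q.clear()  # a success ends this attempt sequence
        if recent >= self.threshold:
            return {"rule": "brute_force_then_success", "ts": ev["ts"], "host": ev["host"],
                    "user": ev["user"], "src": ev["src"], "failures": recent}
        return None


class EventIndex:
    """SIM side: retain every normalized event and index it for ad hoc search and reporting."""

    FIELDS = ("host", "user", "src", "event")

    def __init__(self):
        self.events = []
        self._postings = {f: defaultdict(list) for f in self.FIELDS}

    def add(self, ev):
        pos = len(self.events)
        self.events.append(ev)
        for f in self.FIELDS:
            self._postings[f][ev[f]].append(pos)

    def search(self, **criteria):
        """AND-search over indexed fields, e.g. search(src="203.0.113.9", event="auth_failure")."""
        hits = None
        for field, value in criteria.items():
            ids = set(self._postings[field].get(value, []))
            hits = ids if hits is None else hits & ids
        return [self.events[i] for i in sorted(hits or [])]

    def privileged_activity_report(self):
        """Predefined compliance-style report: who ran what with elevated rights, and where."""
        return [(e["user"], e["host"], e["detail"]) for e in self.events if e["event"] == "priv_exec"]


def process(raw_text, correlator=None, index=None):
    """Collect -> normalize -> correlate (SEM) and index (SIM) in a single pass."""
    correlator = correlator or BruteForceCorrelator()
    index = index or EventIndex()
    alerts = []
    for line in raw_text.splitlines():
        ev = normalize(line)
        if ev is None:
            continue  # a real deployment would still retain the raw line for compliance
        index.add(ev)
        alert = correlator.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts, index


if __name__ == "__main__":
    found, idx = process(SAMPLE_LOGS)
    for a in found:
        print("ALERT", a)
    print("privileged activity:", idx.privileged_activity_report())
```

Note the two failure modes the rule has to handle: bob's single stale failure at 10:05 is expired before his 10:30 success, so it does not fire, while alice's three failures inside the window do. The same normalized events feed the index, so the brute-force investigation and the privileged-user report the article associates with Sarbanes-Oxley both run against one store rather than two products.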