Blog

August 21, 2018

The Difference between Security Incident and Event Management (SIEM) and Log Management

We live in times where the single most important aspect that can make or break the future of any business is information security. While companies can recover from a poor sales quarter, a manufacturing defect, or a massive product recall, losing critical business or financial information can have devastating effects on their very existence. Naturally, as CIOs or business owners, you are always on the lookout for technological advancements that can help you to identify threats and protect your company from potential hacks and cyber threats.

However, the issue is that hackers and fraudsters are also continually evolving their methods, finding loopholes in every new digital security platform, and masking their attacks with greater sophistication than ever before. That means, more often than not, you may end up detecting a breach by looking at the system logs, only after the event has occurred.

Logs and Log Management

Potentially, every computing device can produce detailed logs (records) that show the varied functions it performs. It can also provide line item details of every attempted user activity, including a simple action such as a log in. While the logs by themselves do not offer any value other than record retention, you can analyze them for a variety of reasons, including audit management, regulatory compliance and network management. Moreover, reviewing and correlating these logs can help you troubleshoot numerous IT problems that could impact the security or continuity of your business.

Traditional Log Management (LM) systems collect, normalize and store log files from various systems and hosts in one centralized location. As a result, your IT security analysts do not need to familiarize themselves with multiple operating systems or applications. Instead, they can focus on the log analysis and identify weaknesses before a breach occurs.

Where Does SIEM Fit In? Why Is it Relevant?

Over the years, traditional LM systems have matured, and the newer variants offer several additional features:

  • Security Event Management (SEM): Is an LM system that offers capabilities to monitor events in real-time and correlate logs across multiple systems for security purpose.
  • Security Incident Management (SIM): Is primarily an Asset Management system that provides long-term storage, analysis, and reporting on logs and security incidents.
  • Security Event Correlation (SEC): Tracks and alerts the system administrators about anomalies based on a predetermined sequence of events. For example, three consecutive failed login attempts under the same user name through different hosts could be highlighted as soon as it occurs.

While each individual system may have robust capabilities, the problem is that each of these offers only a partial insight into the overall health of your IT security. For instance, your Endpoint Security system only sees the files, usernames and hosts while your network Intrusion Detection System (IDS) only highlights packets, protocols and IP addresses. Similarly, your Asset Management system cases only the applications, business process and the administrative contacts. This is where Security Incident and Event Management (SIEM) comes in. While it is similar to all the variants of Log Management systems, IT experts describe SIEM as “greater than the sum of its parts”. In addition to aggregation, analysis and reporting of logs from all your networks, operating systems and applications, SIEM has the capability to:

  • Verify identities and manage accesses
  • Create policy compliance
  • Manage vulnerabilities and get notifications on external threats
  • Customize reports and dashboards

Available as a product or software service, SIEM can help your company to secure information as well as manage security events. Since it combines several security technologies, SIEM is an ideal tool for a singular view and real-time analysis of all the logs produced by your company’s IT networks and applications. Remember, SIEM is not a security detection mechanism in itself, but it will definitely enhance the security technologies that you have already deployed.

Invest in Comprehensive Security Management

The volume of logs that your IT team must manage depends on the size of your company and the number of operating systems, applications, databases and networks that are being used. It is quite possible that larger businesses may be generating hundreds of gigabytes in logs per day.

If you are evaluating a comprehensive tool that helps in log management and enhances your security technologies, rely on GlassHouse Systems. We have over 25 years of experience in designing, implementing and managing various IT security solutions across industries in North America. From SIEM and Endpoint Protection, to Access and Identity Management or Data and Application Security, our technical experts will help you choose the products or services that are best aligned with your company’s interests.

Contact us to learn more about SIEM, or leave a comment below for more information on log management solutions.

For Canada and worldwide, contact our main Canadian offices:

  • +1 (416) 229-2950
  • +1 (416) 229-9096

By email: canada@ghsystems.com

For all US-based enquiries, please contact our main US offices at:

  • +1 (630) 724-8500
  • +1 (630) 724-8509

By email: us@ghsystems.com

TAGS: MSSP, Security, SIEM