Out of curiosity I was going through what SIEM is. SIEM is a Security Information and Event Management product by AT&T.
Advantages of this product:
· Helpful in monitoring the network.
· Centralized location for all logs generated by infrastructure components and security controls.
· Trusted source for logs.
· Correlation of logs.
The URL in the references explains more about it.
There are other information and event management products, such as Log Management Systems, Security Information Management, Security Event Management, Security Event Correlation, etc.
What they claim is that SIEM is a combination or merger of all these products.
When an attacker attacks the network, the attacker is often capable enough to remove logs so as not to reveal their footsteps.
So a trusted source of logs plays a vital role, and SIEM helps in this aspect.
Logs generated by each module, component, infrastructure element or security control are specific to it, and these logs cannot be understood by the other modules, components or controls. Take an example: networking products like intrusion detection, firewall or VPN products generate logs with IP addresses, packets, protocols, etc. Storage systems generate logs about which users accessed which files, etc. To understand whether there is a threat, these logs have to be correlated. SIEM seems to help in this aspect.
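As an added example (not from the original post or from any vendor's product), here is a small Python correlation of the two log kinds described above: VPN/firewall lines and storage lines in different formats are normalised into one schema, then a rule that neither source alone could express is checked. All log lines, formats and field names are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from any real product). The VPN/firewall log and the
# storage log use different formats, as the paragraph above describes.
VPN_LOGS = [
    "2024-03-01T10:00:05 vpn auth-fail src=203.0.113.7 user=alice",
    "2024-03-01T10:00:09 vpn auth-fail src=203.0.113.7 user=alice",
    "2024-03-01T10:00:14 vpn auth-fail src=203.0.113.7 user=alice",
    "2024-03-01T10:00:20 vpn auth-ok src=203.0.113.7 user=alice",
    "2024-03-01T11:30:00 vpn auth-ok src=198.51.100.4 user=bob",
]
STORAGE_LOGS = [
    "2024-03-01 10:01:02 | user=alice | action=read | path=/finance/payroll.xlsx | client=203.0.113.7",
    "2024-03-01 11:31:00 | user=bob | action=read | path=/docs/readme.txt | client=198.51.100.4",
]

VPN_RE = re.compile(r"(?P<ts>\S+) vpn (?P<result>auth-\w+) src=(?P<ip>\S+) user=(?P<user>\S+)$")
STORAGE_RE = re.compile(r"(?P<ts>\S+ \S+) \| user=(?P<user>\S+) \| action=\S+ \| path=(?P<path>\S+) \| client=(?P<ip>\S+)$")

def normalize(line):
    """Map one vendor-specific line onto a common event schema (ts, ip, user, type)."""
    m = VPN_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"], "user": m["user"],
                "type": "vpn_auth_fail" if m["result"] == "auth-fail" else "vpn_auth_ok"}
    m = STORAGE_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "ip": m["ip"],
                "user": m["user"], "type": "file_access", "path": m["path"]}
    return None  # unrecognised format: no parser yet, so the line cannot be correlated

def correlate(lines, window=timedelta(minutes=5), fail_threshold=3):
    """Alert when an IP shows >= fail_threshold VPN failures and then a success, followed
    by a file access from the same IP, all within `window`. Neither log alone shows this."""
    events = sorted((e for e in map(normalize, lines) if e), key=lambda e: e["ts"])
    alerts = []
    for i, access in enumerate(events):
        if access["type"] != "file_access":
            continue
        prior = [e for e in events[:i]
                 if e["ip"] == access["ip"] and e["ts"] >= access["ts"] - window]
        fails = sum(e["type"] == "vpn_auth_fail" for e in prior)
        if fails >= fail_threshold and any(e["type"] == "vpn_auth_ok" for e in prior):
            alerts.append({"ip": access["ip"], "user": access["user"],
                           "path": access["path"], "vpn_failures": fails})
    return alerts
```

Calling `correlate(VPN_LOGS + STORAGE_LOGS)` returns a single alert for alice's access to the payroll file; bob's normal login and read produce nothing.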
SIEM deployment:
Another important point is that SIEM interprets the logs provided by the other infrastructure and security controls. The log generation of these products also plays a vital role, since these logs are the input to SIEM 😊. If there is no proper input, there cannot be proper output.
References: