Security Information and Event Management (SIEM) Software Overview
What is Security Information and Event Management Software?
Security Information and Event Management (SIEM) Software is a category of security software concerned with collating log and event data. A SIEM allows security analysts to look at a more comprehensive view of security logs and events that would be possible by looking at the log files of individual, point security tools. SIEM tools allow security analysts to gather and analyze logs and events from operating systems, applications, servers, network and security devices, intrusion management systems, etc.
SIEM is a management layer sitting on top of existing systems and security controls that unifies data from these disparate systems and allows them to be analyzed and cross-referenced from a single user interface.
SIEM Features & Capabilities
Centralized event and log data collation
Log data correlation
Event and log normalization
Deployment flexibility
Integration with identity and access management tools
Custom dashboards and views
Host and network-based intrusion detection
Type of Data Collected
The data that is collected and correlated are generally log files. Log management products were created many years ago to collect the large volumes of logs created by the various systems in a large enterprise data center. A large data center can produce terabytes of plain text log files. The volumes are such that it is extremely difficult to consume the data.
SIEM systems are designed to correlate a subset of the most important data, to highlight the most critical data. Unfortunately, the myriad operating systems and applications and servers all produce log files in a slightly different human-readable format, and these have to be normalized in machine-readable format that the SIEM can understand and parse.
One of the most difficult aspects of deriving value from a SIEM is the difficulty of tuning the system by balancing correlation rules that catch all possible attacks and do not produce too many false positives which can be very difficult to manage.
Pricing Information
Pricing for SIEM software can vary widely from about $5k to over $100k, depending largely on the quantity of events and logs being monitored. In addition to software expense, the total cost of ownership will include maintenance, professional services, hardware, personnel, and training.
