Exploring the applicability of SIEM technology in IT security
The changing Information Security (IS) landscape and increased legal, regulatory and audit compliance requirements have driven organisations to collect, maintain, securely store and regularly analyse application, system and network event logs. For some organisations, collecting and storing event logs is primarily a means of satisfying national or industry-specific compliance requirements and only secondarily a basis for event-based information security monitoring. For other organisations, the collection, storage and analysis of event logs adds a further dimension to an increasingly multidimensional approach to information security. Monitoring the security of networks through the collection, filtering, aggregation, normalisation, correlation and analysis of archived or real-time event logs has indeed become one of the core activities in the day-to-day operations of information security professionals. While event logs were in the past used primarily for monitoring the health and operational status of networks, purely from a system and network administration perspective, they are today considered a critical source from which to derive information on the overall security status of applications, systems, networks, data and information. From a security perspective these event logs are mined or analysed to identify potential or actual security threats, breaches, anomalies or any other suspicious behaviour. Beyond their storage, the presentation of event messages has also become important in order to enable timely response to anomalies within the network, improve decision making and assist in restoring a network to normal operation after a security breach. Security Information and Event Management (SIEM) technology has in the past decade seen increasing adoption by organisations responding to a rapidly evolving information security landscape, spurred by the complexity of the threats currently being observed, threats that today are in some instances appropriately named Advanced Persistent Threats (APTs). The need to equip information security professionals with a degree of ease in proactively identifying security threats, or reactively in forensic analysis after a security breach, also stands as one of the enablers for SIEM adoption. Regulatory compliance has perhaps been the most significant driver for the adoption of SIEM by organisations.

SIEM capability includes the collection, filtering, aggregation, normalisation and correlation of event messages collected from a wide range of systems, network devices and applications. These capabilities represent a significant enhancement over the basic event log collection and storage of the Log Management technologies from which SIEM grew. Log management technologies have traditionally lacked capabilities comparable to those of SIEM and, as mentioned, have mostly been capable of only basic collection and storage of event logs. This research investigated the applicability of SIEM technology within the context of IT security, that is, the role and significance, if any, that SIEM might have in IT security. Specifically, the research sought to answer the question of whether SIEM technology enhances the ability to monitor and respond to application, system and network security events in an environment comprising a high volume of security, network and device system logs.
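As an added illustration, not part of the thesis, the following Python sketch shows the pipeline the abstract lists: two heterogeneous log formats are normalised to one schema, non-authentication events are filtered out, events are aggregated per source address, and a correlation rule raises an alert when several failures are followed by a success within a time window. The log lines, formats, field names and threshold are constructed assumptions for illustration only.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: Linux sshd syslog lines and a Windows-style
# key=value security event (both formats are assumptions for illustration).
RAW_LOGS = [
    "2024-03-01T10:00:01Z srv1 sshd[812]: Failed password for admin from 203.0.113.5 port 5001 ssh2",
    "2024-03-01T10:00:09Z srv1 sshd[815]: Failed password for admin from 203.0.113.5 port 5002 ssh2",
    "2024-03-01T10:00:20Z srv2 EventID=4625 TargetUser=admin SourceIP=203.0.113.5 Status=Failure",
    "2024-03-01T10:00:45Z srv2 EventID=4624 TargetUser=admin SourceIP=203.0.113.5 Status=Success",
    "2024-03-01T10:02:00Z srv1 sshd[901]: Accepted publickey for deploy from 198.51.100.7 port 6000 ssh2",
    "2024-03-01T10:03:00Z srv1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

SSHD = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")
WINKV = re.compile(r"^(\S+) (\S+) EventID=(\d+) TargetUser=(\S+) SourceIP=(\S+)")

def normalise(line):
    """Map one raw line to a common schema; return None for non-auth lines (filtering)."""
    m = SSHD.match(line)
    if m:
        ts, host, verb, user, ip = m.groups()
        outcome = "failure" if verb == "Failed" else "success"
    else:
        m = WINKV.match(line)
        if not m:
            return None
        ts, host, event_id, user, ip = m.groups()
        outcome = "failure" if event_id == "4625" else "success"
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user, "src_ip": ip, "outcome": outcome}

def correlate(lines, min_failures=3, window=timedelta(minutes=5)):
    """Aggregate auth events per source IP; alert on N failures then a success within the window."""
    events = sorted(filter(None, map(normalise, lines)), key=lambda e: e["ts"])
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerts = []
    for e in events:
        recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
        failures[e["src_ip"]] = recent  # drop failures outside the window
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= min_failures:
            alerts.append({"src_ip": e["src_ip"], "user": e["user"], "host": e["host"],
                           "failures": len(recent), "at": e["ts"].isoformat()})
            failures[e["src_ip"]] = []  # reset so one success yields one alert
    return alerts

if __name__ == "__main__":
    for alert in correlate(RAW_LOGS):
        print("ALERT: repeated failures followed by success:", alert)
```

On the constructed input the rule correlates two sshd failures with one Windows 4625 failure from the same address and flags the subsequent 4624 success, while the cron line is filtered out during normalisation.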