词条 | Security event manager |
释义 |
A security event management (SEM), and the related SIM and SIEM, are computer security disciplines that use data inspection tools to centralize the storage and interpretation of logs or events generated by other software running on a network.[1][2][3] OverviewThe acronyms SEM, SIM and SIEM have sometimes been used interchangeably,[4] but generally refer to the different primary focus of products:
In practice many products in this area will have a mix of these functions, so there will often be some overlap – and many commercial vendors also promote their own terminology.{{citation needed|date=January 2016}} Event logsMany systems and applications which run on a computer network generate events which are kept in event logs. These logs are essentially lists of activities that occurred, with records of new events being appended to the end of the logs as they occur. Protocols, such as syslog and SNMP, can be used to transport these events, as they occur, to logging software that is not on the same host on which the events are generated. The better SEMs provide a flexible array of supported communication protocols to allow for the broadest range of event collection. It is beneficial to send all events to a centralized SEM system for the following reasons:
Security analysisAlthough centralised logging has existed for long time, SEMs are a relatively new idea, pioneered in 1999 by a small company called E-Security,[8] and are still evolving rapidly. The key feature of a Security Event Management tool is the ability to analyse the collected logs to highlight events or behaviors of interest, for example an Administrator or Super User logon, outside of normal business hours. This may include attaching contextual information, such as host information (value, owner, location, etc.), identity information (user info related to accounts referenced in the event like first/last name, workforce ID, manager's name, etc.), and so forth. This contextual information can be leveraged to provide better correlation and reporting capabilities and is often referred to as Meta-data. Products may also integrate with external remediation, ticketing, and workflow tools to assist with the process of incident resolution. The better SEMs will provide a flexible, extensible set of integration capabilities to ensure that the SEM will work with most customer environments. Regulatory requirements{{section stub|date=May 2018}}SEMs are often sold to help satisfy U.S. regulatory requirements such as those of Sarbanes-Oxley, PCI-DSS, GLBA.{{citation needed|date=January 2016}} StandardizationOne of the major problems in the SEM space is the difficulty in consistently analyzing event data. Every vendor, and indeed in many cases different products by one vendor, uses a different proprietary event data format and delivery method. Even in cases where a "standard" is used for some part of the chain, like Syslog, the standards don't typically contain enough guidance to assist developers in how to generate events, administrators in how to gather them correctly and reliably, and consumers to analyze them effectively. As an attempt to combat this problem, a couple parallel standardization efforts are underway. First, The Open Group is updating their circa 1997 XDAS standard, which never made it past draft status. This new effort, dubbed XDAS v2, will attempt to formalize an event format including which data should be included in events and how it should be expressed. The XDAS v2 standard will not include event delivery standards but other standards in development by DMTF may provide a wrapper. In addition, MITRE is also in the midst of a standardization effort called CEE that is somewhat broader in scope – it attempts to define an event structure as well as delivery methods. See also
References1. ^{{cite web |url=http://www.securityinformationeventmanagement.com/security-event-management.php |title=Archived copy |accessdate=2013-07-17 |deadurl=yes |archiveurl=https://web.archive.org/web/20141019131638/http://securityinformationeventmanagement.com/security-event-management.php |archivedate=2014-10-19 |df= }} SIEM 2. ^Preparing for Security Event Management 3. ^A Practical Application of SIM/SEM/SIEM Automating Threat Identification 4. ^{{cite web|last=Swift|first=David|title=A Practical Application of SIM/SEM/SIEM, Automating Threat Identification|url=http://www.sans.org/reading-room/whitepapers/logging/practical-application-sim-sem-siem-automating-threat-identification-1781|work=SANS Institute|accessdate=14 May 2014|page=3|format=PDF|date=26 December 2006|quote=...the acronym SIEM will be used generically to refer...}} 5. ^http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf 6. ^{{cite web|url=http://www.drdobbs.com/197002909 |title=SIEM: A Market Snapshot |date=5 February 2007 |publisher=Dr.Dobb's Journal}} 7. ^The Future of SIEM - The market will begin to diverge 8. ^"Novell buys e-Security", 2006, ZDNet External links
2 : Computer security|Computer security software |
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。