SIEM (Security Information and Event Management) is a system for collecting information about the IT infrastructure for monitoring and subsequent analysis by information security specialists or system administrators. SIEM emerged from the merger of two previously separate areas: Security Information Management and Security Event Management.
SIEM is most often implemented as software whose components are integrated into the IT infrastructure. SIEM software modules can be roughly divided into two categories: monitoring agents that collect data from the systems they run on, and the server part that registers events and processes information about incidents.
The sources of information for SIEM are the following:
- Event logs of operating systems and installed applications
- Network hardware
- Firewalls
- Vulnerability scanners
- CRM systems
- Personal computers and mobile devices of users
- Antivirus applications
- Any other means of collecting and transmitting necessary information
SIEM software solutions are usually flexible tools with many customizations and extensive configuration options. The most popular SIEM solutions on the European market are:
- Splunk Enterprise Security
- IBM QRadar Security Intelligence
- McAfee Enterprise Security Manager
- LogRhythm SIEM
- SolarWinds Security Event Manager (SEM)
- Microsoft Azure Sentinel
The main purpose of SIEM is to collect and analyze incoming information, but the software itself is not a means of protecting the IT infrastructure from threats. The collected analytics are used to identify incidents and subsequently to tune protection tools and measures.
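A minimal illustration of the server-side pipeline described above (normalizing events from several sources, then analyzing them to identify incidents), added here as an example and not taken from any of the products listed: two constructed log sources (a hypothetical sshd auth log and a hypothetical firewall log) are parsed into one common event schema, and a correlation rule flags repeated failed logins from one address followed by a successful one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two hypothetical sources (not real logs).
AUTH_LOG = """\
2024-03-01T10:00:01 host1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:03 host1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:05 host1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:09 host1 sshd: Accepted password for admin from 203.0.113.5
2024-03-01T10:05:00 host2 sshd: Accepted password for alice from 198.51.100.7
"""
FW_LOG = """\
2024-03-01T09:59:58 fw1 DENY src=203.0.113.5 dst=10.0.0.22 dport=23
"""

AUTH_RE = re.compile(r"(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)")

def normalize(auth_text, fw_text):
    """Parse raw lines from both sources into one common event schema, sorted by time."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, outcome, user, ip = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": "auth", "host": host,
                           "src_ip": ip, "user": user,
                           "action": "login_fail" if outcome == "Failed" else "login_ok"})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, port = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": "firewall", "host": host,
                           "src_ip": src, "user": None, "action": "fw_" + action.lower()})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logins from one IP inside `window`, then a success."""
    fails = defaultdict(list)   # src_ip -> timestamps of recent failures
    alerts = []
    for e in events:
        ip = e["src_ip"]
        if e["action"] == "login_fail":
            # keep only failures still inside the sliding window, then add this one
            fails[ip] = [t for t in fails[ip] if e["ts"] - t <= window] + [e["ts"]]
        elif e["action"] == "login_ok" and len(fails[ip]) >= threshold:
            alerts.append({"src_ip": ip, "user": e["user"], "host": e["host"],
                           "failures": len(fails[ip])})
            fails[ip].clear()   # one alert per burst
    return alerts

if __name__ == "__main__":
    print(correlate(normalize(AUTH_LOG, FW_LOG)))
```

With the sample data the rule raises exactly one alert, for 203.0.113.5 logging in as admin on host1 after three failures; the firewall deny from the same address is carried in the normalized stream and could feed a further rule.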