Introducing SIEM
Security Information & Event Management (SIEM) is an approach to security
management that seeks to provide a holistic view of an organization's information
technology (IT) security.
SIEM combines SIM (security information management) and SEM (security event
management) functions into one security management system.
Why SIEM?
Security Requirement:
Security Information & Event Management (SIEM) is a core component of a
defence-in-depth strategy: it is the layer where evidence from all the other layers is collected and correlated.
Every attacker leaves a trace: logs, logs, logs!
Security events provide insight into:
When did the event happen? The attack timestamp.
What happened? Was a vulnerability exploited? Was a privilege misused?
Why did it happen? Assists in identifying and remediating infrastructure gaps.
Compliance Requirement:
Policies, standards and regulations require security monitoring, alerting,
reporting & management: PCI DSS, SOX, HIPAA, TRMG, ISO 27001, etc.
Yes, you can detect attacks if you have a SIEM solution, provided the relevant logs are actually collected and a correlation rule exists to catch them.
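The "when / what / why" triple above, and the real-time correlation engines named in the vendor sections that follow (ArcSight ESM, McAfee ACE), boil down to one mechanism: normalise raw log lines into events, then apply a stateful rule across them. The example below is added here and is not code from the original slides or from any vendor product. It parses constructed OpenSSH-style syslog lines (sample data made up for the example; the year is missing from syslog timestamps, so 2024 is assumed) and implements one classic correlation rule: a successful login from a source that produced several failed attempts within a short window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input for the example (not real logs). OpenSSH-style syslog lines.
SAMPLE_LOGS = """\
Mar 12 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 10:00:03 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 12 10:00:05 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 12 10:00:06 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar 12 10:00:09 web01 sshd[2107]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Mar 12 10:00:20 web01 sshd[2200]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 12 10:02:00 web01 sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Normalisation step (the "SIM" half): pull timestamp, host, outcome, user and source out of free text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumption for the example


def parse_events(text):
    """Turn raw syslog text into a list of normalised event dicts, skipping lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (ASSUMED_YEAR, m["ts"]), "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "method": m["method"], "user": m["user"], "src": m["src"]})
    return events


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation step (the "SEM" half): alert when a source that produced >= `threshold`
    failed logins within `window` then logs in successfully. Events must be in time order.
    Each alert answers when (timestamps), what (the pattern) and where (host/src/user)."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for ev in events:
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "when": ev["ts"],
                "first_failure": q[0],
                "what": "successful login after %d failed attempts" % len(q),
                "host": ev["host"], "src": ev["src"], "user": ev["user"],
            })
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_LOGS)):
        print("%s %s: %s (%s -> %s@%s)" % (a["when"], a["host"], a["what"],
                                         a["src"], a["user"], a["host"]))
```

Running it flags the 203.0.113.7 burst against root and stays silent on alice's single typo. The rule is deliberately keyed on source address; a distributed brute force from many sources, or one source spread over more than the window, slips past it, which is why real SIEM rules are tuned on threshold, window and grouping key (per target user as well as per source) rather than shipped with fixed values.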
HP ArcSight
The ArcSight Enterprise Threat and Risk Management (ETRM) Platform is an integrated set of
products for collecting, analysing, and managing enterprise security event information.
ArcSight Enterprise Security Manager (ESM): correlation and analysis engine used to
identify security threats in real time
ArcSight Logger: log storage and search solution
ArcSight IdentityView: user identity tracking / user activity monitoring
ArcSight Connectors: data collection from a variety of data sources
ArcSight Auditor Applications: automated continuous controls monitoring for both mobile
& virtual environments
Strengths
Weakness
IBM QRadar
The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for
collecting, analysing, and managing enterprise security event information.
QRadar Log Manager: turnkey log management solution for event log collection & storage
QRadar SIEM: integrated log, threat & risk management solution
QRadar Risk Manager: predictive threat & risk modelling, impact analysis & simulation
QRadar QFlow: network behaviour analysis & anomaly detection using network flow data
QRadar vFlow: application layer monitoring for both physical & virtual environments
Strengths
Weakness
McAfee Nitro
The McAfee Enterprise Security Management (formerly NitroSecurity) Platform is an integrated
set of products for collecting, analysing, and managing enterprise security event information.
McAfee Enterprise Log Manager: turnkey log management solution for event log
collection & storage
McAfee Event Receiver: collects log data & native flow data
McAfee Database Event Monitor: database transaction & log monitoring
McAfee Application Data Monitor: application layer event monitoring
McAfee Advanced Correlation Engine: correlates events both historically & in real time
Strengths
Integrated application data monitoring & deep packet inspection
Integrated database monitoring without dependence on native audit functions
Weakness
Very basic correlation capabilities when compared with HP & IBM
Comparison Overview
In essence, the decision to choose a SIEM product depends on the following key
factors: