Security Event Management (SEM) « Information and Technology Security

Security Event Management (SEM)

July 24, 2008

Security Event Management (SEM) is about getting the essential visibility of business and technology operations required for Information Security to undertake its protective function and to provide an intelligence capability so it can be proactive in addressing business challenges.

SEM may be deployed in response to a lack of maturity in RBAC and IDM processes. Using SEM to help understand the business and technology environment may help develop the business case for RBAC and IDM. However SEM is best utilised when deployed alongside RBAC and IDM.

Definition

The process of collecting, analysing and reporting security events

Business Case

Security Efficiency
- Correlation and priorities reduce the time consumed by monitoring
- Ability to respond quickly by identifying (potential) incidents sooner
- Save development cost by removing audit logic from applications
Security Effectiveness
- Quality of reporting will increase the visibility of threats
- Greater capacity to respond to incidents with the full picture
- Concentrate development efforts on what counts for your business
Business Enablement
- Compliance to legislation (e.g. monitoring privileged users)
- Understand your environment to reduce risk and be more efficient

Process

Event Collection – Collect logs from networks, systems and applications
- Event types
  - Successful and failed attempts to logon and logoff
  - File and object access, creation, modification and deletion
  - User and role changes
  - Changes to security policy
  - Changes to system configuration
  - System administrator (privileged) commands
- Event detail
  - Date and time of the event
  - Relevant user(s) or process
  - Event description
  - Modifications to the date (i.e. before and after a change)
  - Success or failure of the event
  - Source of the event (e.g. application name)
  - Any further available identifying information (e.g. location)
- Considerations
  - Time synchronisation between devices
  - Processing throughput at collection, analysis and reporting
  - Protection the repository of events and reporting
  - Use of an open log format to enable collection
Event Correlation – Events in the central store and correlated and prioritised
- Statistical based analysis to detect anomolous network behaviour
- Rule based analysis to detect deviations from security policy
Event Alerting & Reporting – Customised intelligence reports
- Event driven alerting to notify Computer Incident Response Team
- Reporting for security management to improve security processes
- Dashboards for reporting to management and demonstrating value

Diagram

Security Information and Event Management

More Info

RSA EnVision (Event Management Solution) http://www.rsa.com/node.aspx?id=3170
ArcSight (Event Mangement Solution) http://www.arcsight.com/
LogLogic (Log Management Solution) http://www.loglogic.com/
Cisco MARS (Network Events Solution) http://www.cisco.com/en/US/products/ps6241/index.html
Guardium (Database Events Solutions) http://www.guardium.com/

1 Comment »

One Response to “Security Event Management (SEM)”

Top 10 Blog Posts « Information and Technology Security Says:

May 20, 2009 at 11:49 pm
[...] Security Event Management (SEM) [...]

Reply

Information and Technology Security