
An Analysis of Security Information and Event Management Systems - The Use of SIEMs for Log Collection, Management and Analysis

Henrik Karlzén
Göteborg : Chalmers tekniska högskola, 2009. 45 pp.
[Master's thesis (degree project at advanced level)]

In today's computer network environments, huge amounts of security log data are produced. Security Information and Event Management Systems (SIEMs) can be used to handle this data and to provide an increased level of information security together with centralised log management and analysis. SIEMs can help organisations that struggle with the various compliance regulations that exist, and reduce the risk of intrusions into the network. A SIEM collects and aggregates log data from various devices and applications through software called agents, filters out uninteresting data, normalises the remainder to a proprietary format, analyses it through correlation using contextual information, and alerts administrators in case of attack. For compliance reasons, log data is stored using special security mechanisms on so-called write-once-read-many (WORM) media. In this thesis, special attention is also given to security at the log source. An overview of the market is given, along with suggestions on how to organise the environment around the SIEM and on which log data is worth analysing. It is forecast that compliance will continue to be the most important motivator for procuring SIEMs. Usability and scalability are anticipated to increase as the market continues to grow rapidly, and standardisation will become a key factor. More focus will be placed on incorporating contextual information into the analysis process, especially for identity and access management. The number of supported log source types will increase, and policy-oriented automated response capabilities will be developed.

Keywords: Security Information and Event Management, Security Information Management, Security Event Management, SIEM, SIM, SEM, logs, log collection, e-discovery, forensics, user monitoring, identity management, policy monitoring, incident management, real-time response, security

The publication was registered on 2009-02-04 and last modified on 2013-04-04.

CPL ID: 89572

This is a service from Chalmers Library.