
Library:The Essential Features and Capabilities of a SIEM Technology

From Aanval Wiki




Solutions for Security Information and Event Management (SIEM) are becoming a necessary part of an organization's security infrastructure, playing an important role in early threat detection, incident response, forensic analysis, and the improvement of the overall security posture. The SIEM market is being driven by IT projects that aim to resolve security issues and to improve security monitoring and incident response. SIEM technology as a whole is valuable for getting a bird's-eye view of security in the enterprise at any given moment. For an overview of SIEM, SEM and SIM, please view SIEM, SEM, SIM Overview: Introduction on Why SIEM is More Important than Ever.

According to Gartner, a set of common core capabilities provides a foundation for SIEM products and specifically supports threat management and auditing use cases. Gartner reports that there are five essential capabilities provided by SIEM technologies. When evaluating a SIEM product, check that it covers these core functions. Many organizations will apply the technology broadly across their IT infrastructures and will implement most of the core capabilities, but they typically start with a narrow deployment that implements a subset of functions to resolve a specific auditing gap or security issue.

Core Capabilities of SIEM Technology

Below are Gartner’s five most common core capabilities of SIEM technology.

  1. Event and Data Collectors: SIEM products collect network and security event data by receiving a syslog data stream from each monitored event source.
  2. Correlation: This establishes relationships among messages or events that are generated by devices, systems, or applications, based on characteristics such as the source, target, protocol, or event type. Correlation is important for threat management (to track and analyze the progression of an attack across components and systems) and for user activity monitoring (to track and analyze the activity of a user across applications, or to track and analyze a series of related transactions or data access events).
  3. Event Normalization and Taxonomy: This is a mapping of information from heterogeneous sources onto a common classification. A taxonomy aids in pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized, they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.
  4. Scalable Architecture and Deployment Flexibility: These are derived from vendor design decisions in the areas of product architecture, data collection techniques, agent designs, and coding practices. During the planning phase, many organizations underestimate the volume of event data that will be collected, as well as the scope of analysis reporting that will be required. An architecture that supports scalability and deployment flexibility will enable an organization to adapt its deployment in the face of unexpected event volume and analysis.
  5. Deployment and Support Simplicity: Organizations with smaller security staffs and more limited system support capabilities value predefined functions and simple deployment and support over advanced functionality and extensive customization. This calls for an architecture that supports scalability and deployment flexibility. Embedded knowledge is delivered as predefined dashboard views, reports for specific monitoring tasks and audit requirements, a library of correlation rules for common monitoring scenarios, and event filters for common sources. There should also be an easy way to modify the predefined functions to meet the particular needs of an organization.
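The first three capabilities above (syslog collection, normalization onto a common taxonomy, and correlation across sources) can be shown end to end in a few dozen lines. The following is an added example written for this page, not Aanval's code: it normalizes constructed Snort and sshd syslog lines into one event schema and runs a single correlation rule over the result. The syslog header, sshd and Snort message layouts are assumed to follow their standard output; the Snort SID, hostnames and IP addresses in the sample are placeholders.

```python
import re

# Parsers for two heterogeneous syslog sources; sshd and Snort message shapes follow their standard syslog output.
HDR = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SNORT = re.compile(r"\] (?P<sig>.*?) \[Classification:.*\{\w+\} (?P<src>[\d.]+):\d+ -> [\d.]+:\d+")
SSHD = re.compile(r"(?P<res>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")

def normalize(line):
    """Map one raw syslog line onto a common taxonomy (category + source IP); None if unparseable."""
    m = HDR.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "src_ip": None, "category": "unclassified", "detail": m["msg"]}
    if m["app"] == "snort" and (s := SNORT.search(m["msg"])):
        ev.update(category="ids_alert", src_ip=s["src"], detail=s["sig"])
    elif m["app"] == "sshd" and (s := SSHD.search(m["msg"])):
        cat = "auth_success" if s["res"] == "Accepted" else "auth_failure"
        ev.update(category=cat, src_ip=s["src"], detail=s["user"])
    return ev

def correlate(events, fail_threshold=3):
    """Rule: IDS alert, then >= fail_threshold failed logins, then a login success, all from one source IP."""
    state, findings = {}, []
    for ev in events:
        ip = ev["src_ip"]
        if ip is None:
            continue  # events with no source attribution cannot be correlated by this rule
        st = state.setdefault(ip, {"alert": False, "fails": 0})
        if ev["category"] == "ids_alert":
            st["alert"] = True
        elif ev["category"] == "auth_failure":
            st["fails"] += 1
        elif ev["category"] == "auth_success" and st["alert"] and st["fails"] >= fail_threshold:
            findings.append({"src_ip": ip, "host": ev["host"], "user": ev["detail"], "fails": st["fails"]})
            state[ip] = {"alert": False, "fails": 0}  # reset so the same source is reported once per sequence
    return findings

# Constructed sample stream (placeholder Snort SID, documentation IP ranges): alert, three failures, one success.
SAMPLE = [
    "Jan 10 10:01:02 sensor1 snort[1234]: [1:9999999:1] CONSTRUCTED SSH scan [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:22",
    "Jan 10 10:01:05 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2",
    "Jan 10 10:01:07 web1 sshd[2002]: Failed password for root from 203.0.113.5 port 51241 ssh2",
    "Jan 10 10:01:09 web1 sshd[2003]: Failed password for root from 203.0.113.5 port 51242 ssh2",
    "Jan 10 10:01:12 web1 sshd[2004]: Accepted password for root from 203.0.113.5 port 51243 ssh2",
    "Jan 10 10:02:00 web1 sshd[2005]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
    "Jan 10 10:02:30 web1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

def analyze(lines):
    # Collect -> normalize -> correlate; unparseable lines are dropped before correlation.
    return correlate([e for e in (normalize(l) for l in lines) if e])
```

Because the sshd and Snort events share one schema after normalization, the rule in `correlate` never has to know which product produced the event; adding a third source only means adding a parser, not a rule.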

Audit Reporting Capabilities

Below are Gartner’s four capabilities to address security-related audit reporting.

  1. Log Management: Functions supporting the cost-effective storage and analysis of a large information store include collection, indexing and storage of all log and event data from every source, as well as the capability to search and report on that data. Reporting capabilities should include predefined reports, as well as the ability to customize reports.
  2. User Monitoring: This capability defines user access and resource access policies, and discovers and reports on exceptions. It enables an organization to move from activity monitoring to exception analysis. This capability is important for audit reporting and internal threat management, fraud detection, and breach discovery.
  3. Application Monitoring: Integration with packaged applications, an interface that allows customers to define log formats of unsupported event sources, and the inclusion of user context are important capabilities that enable the monitoring of application activities for fraud detection and audit reporting.
  4. Audit Reporting: Audit-oriented deployments are simplified when the SIEM product provides customizable predefined reports.

Improve Internal and External Threat Management

Below are Gartner’s four capabilities to improve both internal and external threat management.

  1. Real-time Data Collection: Collect event data in near real time so that it can be analyzed immediately. Security experts emphasize capturing events in real time because it directly affects how early security incidents are detected and how quickly threats can be managed.
  2. Security Event Console: Real-time presentation of security incidents and events.
  3. Real-time Event Correlation and Analysis: Monitoring, alerting, and notification regarding threats and other security events in real time.
  4. Incident Management Support: Specialized incident management and workflow support should be embedded in the SIEM product primarily to support the IT security organization. Products should provide integration with enterprise workflow systems and support ad hoc queries for incident investigation.


Today's SIEM should be a powerhouse of real-time data capture, event correlation and analysis, and reporting. SIEM technology helps organizations improve network monitoring, threat response, and incident management, as well as satisfy audit requirements. According to Gartner, product selection decisions should be driven by an organization's specific requirements in areas such as the relative importance of each SIEM capability, the ease and speed of deployment, investment costs, the IT organization's support capabilities, and integration with system and application infrastructures.

For information on how Aanval can help your organization, please contact 800-921-2584 or email sales.group [at] tacticalflex.com. For more information on Tactical FLEX, Inc., please visit http://www.aanval.com.

About Tactical FLEX, Inc.

For nearly a decade, Tactical FLEX, Inc. has taken great pride in providing best-of-breed security solutions to every type of organization around the world. Our wide spectrum of customers demonstrates our sincere commitment to an industry that remains at the forefront of the digital evolution of the world. Information security is our business, and our customers are our greatest asset. Tactical FLEX, Inc. is a trusted security vendor protecting more than 6,000 organizations within every industry in more than 100 countries. Our product Aanval® is the industry's most comprehensive end-to-end Snort and syslog intrusion detection, correlation, and threat management solution, built with a unique Situational Awareness engine, distinct false-positive protection technology, and a fully integrated event management and attack data correlation engine. Learn more about Aanval SAS™ by visiting http://www.aanval.com.

We invite you to visit our Industry Focus page at http://www.aanval.com/industry to find out how our products and services can aid in securing your valuable assets and information. The Industry Focus website section was created to give information security professionals a more expansive perspective on the security needs and challenges facing their industries. Every organization, regardless of specific industry, is facing similar and ever-increasing network and inter-network security threats. Our products and services are designed not only for the important facets of the industries listed on that page, but for every organization with a network or internet connection.

Aanval® is also available for download as a free Community edition for testing and evaluation at http://www.aanval.com/download. Let Aanval SAS™ turn your security event data into actionable and comprehensive insights.