The aim of security information and event management is to react to threats as quickly and precisely as possible, giving IT managers a powerful tool for taking action before it is too late. To this end, SIEM systems try to make attacks and attack trends visible in real time by collecting and evaluating routine messages, alarm notifications, and log files. A wide range of devices, components, and applications in the company network serve as sources, including the following:
- Firewalls (software and hardware)
- Switches
- Routers
- Servers (file servers, FTP servers, VPN servers, proxy servers, etc.)
- IDS and IPS
Software agents, autonomous programs designed specifically for transferring data, collect this wealth of data and forward it to a central SIEM station. To reduce the volume of data that has to be transferred, many systems have the agents preprocess the information before forwarding it.
In the central SIEM station the information is, on the one hand, stored and structured and, on the other, the different pieces of data are correlated with one another and analyzed on that basis. Typical foundations for this analysis and evaluation are concretely defined rule sets, AI technologies (especially machine learning), and correlation models.
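To make the two stages described above concrete, the following added example (not part of the original article) models them in Python: an agent normalises constructed firewall and VPN server messages into one common event schema, and the central station applies a rule that correlates events from both sources within a time window. The log formats, hostnames, IP addresses and the rule threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample messages (not real logs): a firewall and a VPN server report
# in their own formats, as two of the source types listed above would.
RAW_LOGS = [
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.5 dst=10.0.0.20 dport=22",
    "2024-05-01T10:00:03Z fw01 DENY src=203.0.113.5 dst=10.0.0.20 dport=3389",
    "2024-05-01T10:00:20Z vpn01 auth-failure user=alice from=203.0.113.5",
    "2024-05-01T10:00:25Z vpn01 auth-failure user=alice from=203.0.113.5",
    "2024-05-01T10:00:40Z vpn01 auth-success user=alice from=203.0.113.5",
]
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=\S+ dport=(\d+)$")
VPN_RE = re.compile(r"^(\S+) (\S+) auth-(failure|success) user=(\S+) from=(\S+)$")

def normalise(line):
    """Agent-side preprocessing: map one raw line onto a common event schema
    (ts, host, type, ip, detail). Lines that match no known format are dropped."""
    if m := FW_RE.match(line):
        ts, host, action, src, dport = m.groups()
        ev_type, ip, detail = "fw_" + action.lower(), src, dport
    elif m := VPN_RE.match(line):
        ts, host, result, user, src = m.groups()
        ev_type, ip, detail = "vpn_" + result, src, user
    else:
        return None
    ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": ts, "host": host, "type": ev_type, "ip": ip, "detail": detail}

def correlate(events, window=timedelta(minutes=5), min_failures=2):
    """Central correlation rule: alert when one IP is blocked by the firewall, then
    fails VPN authentication min_failures times, then succeeds, all within window."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "vpn_success":
                continue
            # Only earlier events of the same IP inside the window count as context.
            recent = [e for e in evs[:i] if ev["ts"] - e["ts"] <= window]
            denies = sum(e["type"] == "fw_deny" for e in recent)
            failures = sum(e["type"] == "vpn_failure" for e in recent)
            if denies and failures >= min_failures:
                alerts.append({"ip": ip, "user": ev["detail"], "at": ev["ts"].isoformat(),
                               "fw_denies": denies, "vpn_failures": failures})
    return alerts

def run(lines=RAW_LOGS):
    """Whole pipeline: agents normalise, the central station correlates."""
    return correlate([e for e in map(normalise, lines) if e])
```

Each source on its own looks unremarkable; the alert only arises once the firewall denials and the VPN authentication events for the same IP are brought together, which is the point of central correlation.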