This Article Written by Trainee Ahmad AlGhamdi From Imam Mohamad bin Saud University #IMU
SIEM combines SIM (Security Information Management) and SEM (Security Event Management) in one system, in which security events and alerts are collected from the various devices, systems and technologies present in the organization's network infrastructure.
SIEM consists of two major systems:
(1) Security Information Management System, which collects security data from the various network infrastructure systems and stores it in a unified central database, through which this data is analyzed and its reports are prepared.
(2) Security Event Management System, which analyzes and monitors the information, links events from the different systems on the network, and follows up on security events in order to take defensive measures and protect the network systems.
It is the stage in which all security events and alerts are collected automatically from all devices, systems, technologies, and services available in the entity's infrastructure. This is done by installing special collection engines (agents) that gather these events and send them to the SIEM to be stored in its own database.
It is the stage in which security events and alerts are categorized and the source of each event is determined, whether it came from a database, a web server, or another service, technology or system within the infrastructure.
It is the stage in which the responsible person or security team in the agency establishes special rules that are executed when a specific security event or alert occurs. For example, if failed login attempts on a specific device or service within the network exceed the allowed number of times, the security team specifies the action to be taken, such as sending an email describing the matter in detail.
It is the stage in which the SIEM links the security events gathered from the various sources within the infrastructure with each other and determines the relationships between them, in order to work out how the attack or intrusion attempt was carried out, or how the breach occurred if it succeeded, saving the entity's security team time.
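The rule and correlation stages above, as an added example that is not part of the original article: a threshold rule that fires on repeated failed logins from one source, and a correlation step that links that burst to a later successful login by the same source on another system. The event records, host names and addresses are constructed for the example and are not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), already normalized into one
# schema, as the collection and categorization stages would leave them.
EVENTS = [
    ("2024-01-01 10:00:01", "ssh-gateway", "login_failed", "203.0.113.5", "admin"),
    ("2024-01-01 10:00:07", "ssh-gateway", "login_failed", "203.0.113.5", "admin"),
    ("2024-01-01 10:00:12", "ssh-gateway", "login_failed", "203.0.113.5", "admin"),
    ("2024-01-01 10:00:20", "ssh-gateway", "login_failed", "203.0.113.5", "admin"),
    ("2024-01-01 10:00:25", "ssh-gateway", "login_failed", "203.0.113.5", "admin"),
    ("2024-01-01 10:02:00", "vpn-server", "login_success", "203.0.113.5", "admin"),
    ("2024-01-01 10:05:00", "ssh-gateway", "login_failed", "198.51.100.9", "bob"),
    ("2024-01-01 11:30:00", "ssh-gateway", "login_failed", "198.51.100.9", "bob"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def threshold_rule(events, max_failures=5, window=timedelta(minutes=5)):
    """Rule stage: alert when one source IP reaches max_failures failed logins
    inside a sliding time window. Returns one alert per offending IP."""
    failures = defaultdict(list)
    alerts = {}
    for ts, host, etype, ip, user in sorted(events, key=lambda e: parse_ts(e[0])):
        if etype != "login_failed":
            continue
        t = parse_ts(ts)
        q = failures[ip]
        q.append(t)
        while q and t - q[0] > window:   # forget failures outside the window
            q.pop(0)
        if len(q) >= max_failures and ip not in alerts:
            alerts[ip] = {"src_ip": ip, "host": host, "count": len(q), "last": t}
    return list(alerts.values())

def correlate(events, alerts, lookahead=timedelta(minutes=10)):
    """Correlation stage: link a failed-login burst on one system to a later
    successful login by the same source IP on any system within `lookahead`.
    A success following a burst is the case the team wants surfaced first."""
    incidents = []
    for a in alerts:
        for ts, host, etype, ip, user in events:
            t = parse_ts(ts)
            if etype == "login_success" and ip == a["src_ip"] \
                    and a["last"] <= t <= a["last"] + lookahead:
                incidents.append({"src_ip": ip, "burst_host": a["host"],
                                  "success_host": host, "user": user, "at": ts})
    return incidents
```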
It is the stage in which the security team of the company or entity is provided with a comprehensive report on all the security incidents that occurred within the network and the infrastructure, together with recommendations and proposed measures to implement, in addition to many other matters and details.
Examples of the most popular existing SIEM systems