What Is Security Information and Event Management (SIEM)? - Purpose and Benefits


John Parlee | Published: August 1, 2023

Security information and event management (SIEM) is a set of tools that security teams use to identify threats and anomalous activity. They are versatile tools that can be used for other purposes; however, the primary users tend to be the security teams responsible for day-to-day monitoring, threat hunting, and analysis. SIEM has been around for a long time, and these tools have evolved significantly to meet the needs of modern security teams.


SIEM stands for Security Information and Event Management, a set of tools and services that examine event data and information, help correlate and prioritize it, and present it to an analyst. SIEM gives security operations teams the capability to detect, analyze, and respond to security threats. The tool collects data from various sources, then aggregates and structures that data so the security team can analyze it. The data provides an understanding of what is happening across large data sets spanning the network, applications, servers, endpoints, and other sources, and the SIEM then creates the corresponding alerts.

SIEM can manage volumes of data that analysts cannot process manually. An analyst can look at a point-in-time event and then pivot to a larger or smaller data set as needed.

It's true that organizations require a security team to respond to these threats, but SIEM helps identify and address those threats before they impact the organization.


When selecting a SIEM vendor, here are a few things to consider:

1. Preference/Exposure

Many security teams find a solution they like, and they invest time and money to learn and operate that technology. For example, some vendors have their own conferences, query languages, architecture sets, and learning/career paths. A security specialist may start as an analyst and then, as they move into a more senior role, gain the experience and knowledge needed to manage the SIEM's architecture, components, and capabilities.

Learning a particular SIEM query language is much like learning a programming or database language. Many SIEM vendors have their own version of such a language, and the searches, alerts, and queries that are developed become an integrated part of the SIEM. It is an investment to learn a particular language. While some skills are transferable, keep in mind that once a team becomes familiar with one SIEM query language, transitioning to another can be a challenge.

2. Capabilities

SIEM has evolved from a consumption platform that provides alerts and analysis into a powerful platform capable of orchestration, automation, and response. It gives analysts the ability to automate some of the most time-consuming work, such as providing the immediate data enrichment and context needed for decision-making.

In a setting where time is critical, SIEM can provide immediate response capabilities that stop a threat and halt an attacker's activity. For example, a SIEM integration can automatically take action on a firewall to block an IP address that is showing malicious activity. With these capabilities, a SIEM can act much faster than a "human in the loop". However, this automation presents a risk that legitimate or incorrectly classified activity could also be blocked. That said, these capabilities should be reviewed by the security team as they consider the value the SIEM will bring in operation and tuning over time.

The ability to integrate with other tools is also important for supporting automation. Security teams should consider which tools they already have and which use cases they are interested in developing.

3. Cost

Cost is a significant aspect to consider when investing in a SIEM suite. Once the initial investment is made, an organization is on a significant journey: they are buying into the architecture and capabilities of the SIEM. It is not uncommon to see job descriptions that require specific skills with a specific SIEM.

Consider that, over time, data management is a large part of the cost. It is important to plan for the volume of data that will be ingested and how it will be managed to meet the organization's retention goals. Many SIEMs have a pricing model based on the amount of data ingested per day and how much data is retained over time. The more information your SIEM ingests, the more it can cost your organization. It is also important to consider how and where the data is stored. If you are using a cloud-based SIEM, you could incur additional costs versus managing your own storage.
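To make the SIEM pipeline described above concrete (collecting events from sources with different field names, correlating them into an alert, and gating the automated firewall block discussed under Capabilities so that an internal source goes to an analyst instead of being blocked outright), here is an added example. It is not code from the original article or from any SIEM product; the log lines, the thresholds, and the 10.0.0.0/8 no-auto-block range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not from any real system). Each source has its
# own field names, as real log sources do: auth logs say "client", VPN "src_ip".
AUTH_LOGS = [
    {"ts": 100, "client": "203.0.113.7", "user": "alice", "result": "fail"},
    {"ts": 105, "client": "203.0.113.7", "user": "alice", "result": "fail"},
    {"ts": 110, "client": "203.0.113.7", "user": "alice", "result": "fail"},
    {"ts": 115, "client": "203.0.113.7", "user": "alice", "result": "success"},
    {"ts": 200, "client": "10.0.0.5", "user": "bob", "result": "fail"},
    {"ts": 201, "client": "10.0.0.5", "user": "bob", "result": "fail"},
    {"ts": 202, "client": "10.0.0.5", "user": "bob", "result": "fail"},
    {"ts": 203, "client": "10.0.0.5", "user": "bob", "result": "success"},
]
VPN_LOGS = [{"time": 90, "src_ip": "203.0.113.7", "action": "connect"}]

# Assumed policy values; a real deployment tunes these per environment.
WINDOW = 60           # seconds of failures to look back from a success
FAIL_THRESHOLD = 3    # failures before the success that raise an alert
NO_AUTO_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]  # internal: human decides

def normalize(auth_logs, vpn_logs):
    """Aggregate both sources onto one schema: (timestamp, source_ip, kind).
    VPN events are kept so an analyst can pivot to them from an alert."""
    events = [(e["ts"], e["client"], "auth_" + e["result"]) for e in auth_logs]
    events += [(e["time"], e["src_ip"], "vpn_" + e["action"]) for e in vpn_logs]
    return sorted(events)

def correlate(events):
    """Alert when FAIL_THRESHOLD+ failures precede a success from one IP within WINDOW."""
    fails = defaultdict(list)
    alerts = []
    for ts, src, kind in events:
        if kind == "auth_fail":
            fails[src].append(ts)
        elif kind == "auth_success":
            recent = [t for t in fails[src] if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"src": src, "failures": len(recent), "ts": ts})
    return alerts

def decide(alert):
    """Gate the automated firewall block: external sources are blocked, internal
    ones are queued for an analyst, since auto-blocking there could cut off
    legitimate users that the correlation rule misclassified."""
    ip = ipaddress.ip_address(alert["src"])
    if any(ip in net for net in NO_AUTO_BLOCK):
        return "analyst_review"
    return "auto_block"
```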


SIEM has changed significantly over time, originally meeting compliance obligations for log storage, then evolving to enhanced searching, alerting, and analysis. Over time, the capabilities of SIEM have been greatly enhanced. This has led to features that include orchestration, automation, and response (SOAR). SOAR helps security teams enrich their events using internal and external data sources, automate the review of alerts, and respond by taking actions in integrated solutions.

The challenge has now become how to implement automation and response while consistently achieving the expected results without a human in the loop. The human analyst develops important context with time and exposure; it's important to consider the impact of automation where an analyst is not exposed to the information from an event and so cannot build the context and awareness needed for a potentially related event.

The Next Evolution of SIEM: AI

The use of AI and large language models seems to be a natural fit for SIEM. In the right environment, AI can assist the work of a security analyst or detection engineer. By simply specifying what the analyst or engineer needs the AI to do, the AI can generate complex queries that are well formatted and documented, tasks that would normally require additional time and effort from a human.

AI will be useful in training. It could provide guided learning models for analysts and structured playbooks for security teams to follow. Tasks that may be better suited to experienced practitioners, such as guided threat hunting and incident response, could often be automated under the supervision of a junior operator. And after identifying a threat, analysts could ask about all existing attack paths to help prioritize remediation efforts.

AI could also facilitate data management. Where some data sets may not have common field names, AI could facilitate searches that are table-agnostic, further simplifying some of the common tasks security teams must perform to be able to fully query their data sets and receive complete information.

In addition, security leaders will be able to use these same technologies to review the performance of the SIEM, the AI, and the security team. After an incident, AI could review the activities, the weaknesses in the environment, and the security configuration to provide a list of recommendations, based on best practices, on how to prevent that activity in the future. Events could be analyzed retroactively to review false positives, and re-analyzing emerging events against existing data and prior activity could identify previously undetected potential threats.

Infrastructure Management Is Hard – Make It Easier!

Wherever you are in your infrastructure management journey, it's critical to focus on fundamental security practices and to maintain high visibility into, and management of, what is in your network or cloud. Managing your entire IT infrastructure is already an extremely complex task, and today's business climate only adds hurdles, like economic uncertainties, cybersecurity threats, labor challenges, and the general expectation to do more with less. IT infrastructure management services from Park Place Technologies can help your IT team take on ever-increasing responsibilities in the face of current business challenges.

ParkView Managed Services™ is a comprehensive set of managed IT infrastructure solutions that help you manage your organization's critical infrastructure in an orderly way while minimizing disruption and accelerating business transformation. Learn more about this combination of storage management, server management, and network management services today!


John Parlee, Chief Information Security Officer