What is a SIEM


This document – while published – is still under internal review.

SIEM, or Security Information and Event Management, is, as the name implies, a combination of logging and analysis. The action taken on that analysis can be as simple as updating a dashboard or as sophisticated as sending out an alert or executing additional processes. Logging, the ability to review, and analytic modules are the basic bread and butter of what makes up a SIEM. Having a SIEM in place may also satisfy a compliance requirement.

Modern SIEMs offer a number of modules that assist in alerting on specialized events and perform common heuristic analysis to detect anomalies, more formally called user and entity behavior analytics (UEBA).

The alerting part is what keeps the ELK stack from being a SIEM. We can grant that it has great reporting, logging and indexing, and you will commonly see the ELK stack thrown into the list of popular SIEM tools. The ELK stack is very useful, but the day someone bolts analytics and alerting onto it properly, then you will have a SIEM.

Indeed, it is this analysis and alerting that is the crux. For compliance reasons, NIST requires continuous monitoring and analysis to detect events (NIST SP 800-137, linked below). Capabilities typically found in or alongside a SIEM:

  • Asset discovery and inventory
  • Vulnerability assessment
  • Intrusion detection
  • Behavioral monitoring
  • SIEM event correlation
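The distinction drawn above (indexing alone versus correlation plus alerting) in working code, as an added example that is not part of the original post: a sliding-window correlation rule that parses constructed SSH auth log lines and raises one alert when a burst of failed logins from the same user and source is followed by a success. The log format, field names and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system); times are ISO-8601.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd auth=failure user=alice src=203.0.113.5
2024-05-01T10:00:03 sshd auth=failure user=alice src=203.0.113.5
2024-05-01T10:00:04 sshd auth=failure user=alice src=203.0.113.5
2024-05-01T10:00:07 sshd auth=success user=alice src=203.0.113.5
2024-05-01T10:05:00 sshd auth=failure user=bob src=198.51.100.9
2024-05-01T10:30:00 sshd auth=success user=bob src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd auth=(?P<result>failure|success) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Normalise one raw line into an event dict (the 'logging' half)."""
    m = LINE_RE.match(line)
    if not m:
        return None          # unparsable line: index it elsewhere, skip here
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def correlate(lines, threshold=3, window=timedelta(minutes=2)):
    """Correlation rule (the 'analysis' half): at least `threshold` failures
    from one (user, src) inside `window`, then a success -> one alert."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[(ev["user"], ev["src"])]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
        elif len(q) >= threshold:               # success after a burst of failures
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(q), "at": ev["ts"].isoformat()})
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print("ALERT possible credential-guessing success:", alert)
```

Only alice's sequence fires; bob's single failure has aged out of the window by the time his success arrives, which is the kind of stateful judgement plain log indexing does not make.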

Common Commercial Solutions

  • QRadar
  • Splunk

Reference:
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-137.pdf
https://en.wikipedia.org/wiki/Security_information_and_event_management
https://en.wikipedia.org/wiki/Splunk
https://www.ibm.com/topics/siem
https://logz.io/blog/elk-siem/
