
SEMantics: Seeing Meaning in Network Security Events

The recent explosion of data produced by myriad security and other networked devices within enterprises has spawned security technologies focused on making sense of the data generated by servers, Web applications, online transactions, firewalls, and other IT protection devices. Variously known as security event management (SEM) or security information management (SIM) solutions, they enable better security assessment and corrective action by separating real threats from the background noise of ineffective probes, false alarms, and normal network activity or system changes.

Security event management
SEM refers to the process of collecting, aggregating, normalizing, correlating, and analyzing security event data from heterogeneous network, platform, and application sources. Depending on the vendor, these sources may include SNMP traps, syslog messages, log files, ODBC-accessible databases, and other collection mechanisms.

Aggregation
Aggregation is the process of eliminating redundant or duplicate event data and distilling the same or similar security events into one event that carries a count of how often it occurred. Thresholds then decide which aggregated events deserve attention: depending on your tolerance for false positives (false alarms) and how sensitive you want an alert to be, you can raise or lower the threshold for specific event types, so that authorized port scans are devalued while distributed denial-of-service and Trojan-style warnings are escalated immediately. Thresholds cut both ways, however: set too high, they also hide a slow, deliberate probe that never crosses the line.

Normalization
A typical enterprise environment consists of many different types of security and network devices that generate logs critical to the analyst responsible for the security of the site. Each device logs and formats its events differently, so it is virtually impossible to compare log results without first normalizing the events. For example, a Cisco PIX firewall will not report an accepted packet in the same manner as a Check Point firewall, or even the same way as a Cisco router. Normalization puts these disparate data sources into a common context by mapping messages about the same security event to a common alarm ID and extracting the same fields (source, destination, port, protocol) regardless of which device reported it.

Correlation
Correlation establishes relationships between different events from multiple sources, based on characteristics such as source, target, protocol, or event type, and forwards them as a single composite event. For example, a worm detected by antivirus software on a host, together with a matching signature detected on an intrusion detection system for the same host, will likely result in one correlated event notification. Correlation depends on normalization having already produced consistent fields, since events can only be matched on attributes they share. This process usually happens in near real time and can trigger an automated response that changes the configuration of external devices, systems, or applications; because a wrong correlation then becomes a self-inflicted outage, such responses are usually limited to a small set of well-tested actions.
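The three stages above (aggregation, normalization, and correlation) are easiest to see as one pipeline run over real log lines. The following is an added example written for this page, not code from any SEM product. The log lines are constructed and only loosely modelled on the syslog styles of a PIX firewall, a Check Point firewall, a Cisco router, an IDS, and an antivirus server; the alarm IDs, thresholds, and the authorized-scanner address are assumptions chosen for illustration. It normalizes each vendor's deny message to a common FW_DENY alarm, aggregates the same-source/same-target events into one record with a count, devalues an authorized scanner and a lone probe through thresholds, and correlates an IDS signature with an antivirus detection on the same host into one composite event.

```python
import re
from collections import defaultdict

# Constructed sample lines (hypothetical; loosely modelled on vendor syslog
# styles, not verbatim vendor output). Index 10 is a line no parser handles.
RAW_LOGS = [
    "pix1 %PIX-6-106015: Deny TCP (no connection) from 10.1.1.5/4123 to 192.168.2.9/22 flags SYN",
    "cpfw1 action=drop src=10.1.1.5 dst=192.168.2.9 proto=tcp service=22",
    "rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(4123) -> 192.168.2.9(22), 1 packet",
    "pix1 %PIX-6-106015: Deny TCP (no connection) from 10.1.1.5/4124 to 192.168.2.9/23 flags SYN",
    "pix1 %PIX-6-106015: Deny TCP (no connection) from 10.1.1.5/4125 to 192.168.2.9/25 flags SYN",
    "pix1 %PIX-6-106015: Deny TCP (no connection) from 10.1.1.5/4126 to 192.168.2.9/80 flags SYN",
    "cpfw1 action=drop src=10.1.1.5 dst=192.168.2.9 proto=tcp service=80",
    "cpfw1 action=drop src=10.1.1.7 dst=192.168.2.9 proto=tcp service=443",  # lone probe
    "ids1 alert sig=Worm.Example src=10.1.1.5 dst=192.168.2.9 proto=tcp dport=135",
    "av1 threat=Worm.Example host=192.168.2.9 action=quarantine",
    "srv1 sshd[4411]: Accepted publickey for ops from 10.1.1.9 port 51022",  # unparsed
] + [  # the site's own (assumed) vulnerability scanner sweeping five ports
    f"pix1 %PIX-6-106015: Deny TCP (no connection) from 10.1.1.250/{5000 + i} to 192.168.2.9/{p} flags SYN"
    for i, p in enumerate((22, 23, 25, 80, 443))
]

# Normalization: each pattern maps one vendor's wording of an event to a common
# alarm ID; the named groups extract the fields later stages match on.
NORMALIZERS = [
    ("FW_DENY", re.compile(r"^(?P<device>\S+) %PIX-\d-106015: Deny \w+ .* from "
                           r"(?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)")),
    ("FW_DENY", re.compile(r"^(?P<device>\S+) action=drop src=(?P<src>[\d.]+) "
                           r"dst=(?P<dst>[\d.]+) proto=\w+ service=(?P<dport>\d+)")),
    ("FW_DENY", re.compile(r"^(?P<device>\S+) %SEC-\d-IPACCESSLOGP: list \S+ denied \w+ "
                           r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")),
    ("IDS_SIGNATURE", re.compile(r"^(?P<device>\S+) alert sig=(?P<sig>\S+) src=(?P<src>[\d.]+) "
                                 r"dst=(?P<dst>[\d.]+) proto=\w+ dport=(?P<dport>\d+)")),
    ("AV_DETECT", re.compile(r"^(?P<device>\S+) threat=(?P<sig>\S+) host=(?P<dst>[\d.]+) action=\w+")),
]

# Assumed per-alarm thresholds: firewall denies must recur before they matter,
# IDS and AV detections escalate on the first occurrence.
THRESHOLDS = {"FW_DENY": 5, "IDS_SIGNATURE": 1, "AV_DETECT": 1}
AUTHORIZED_SCANNERS = {"10.1.1.250"}  # assumed: hosts whose scans are devalued


def normalize(line):
    """Map one raw line to a common event dict, or None if no parser matches."""
    for alarm_id, pattern in NORMALIZERS:
        m = pattern.match(line)
        if m:
            f = m.groupdict()
            return {"alarm_id": alarm_id, "device": f["device"], "src": f.get("src"),
                    "dst": f["dst"], "sig": f.get("sig"),
                    "dport": int(f["dport"]) if f.get("dport") else None}
    return None


def aggregate(events):
    """Collapse same/similar events into one record keyed by (alarm, src, dst).
    Three firewalls reporting one denied connection become one event with
    count 3, and a scan of many ports from one host becomes one event."""
    buckets = {}
    for e in events:
        key = (e["alarm_id"], e["src"], e["dst"])
        b = buckets.setdefault(key, {**e, "count": 0, "dports": set(), "devices": set()})
        b["count"] += 1
        b["devices"].add(e["device"])
        if e["dport"] is not None:
            b["dports"].add(e["dport"])
    return list(buckets.values())


def escalate(aggregated):
    """Keep only events that reach their alarm's threshold; firewall denies
    caused by an authorized scanner are dropped regardless of count."""
    return [a for a in aggregated
            if not (a["alarm_id"] == "FW_DENY" and a["src"] in AUTHORIZED_SCANNERS)
            and a["count"] >= THRESHOLDS[a["alarm_id"]]]


def correlate(escalated):
    """Join escalated events from different sources about the same target host:
    an IDS signature plus an antivirus detection on one host becomes a single
    WORM_CONFIRMED composite that names both reporting devices."""
    by_dst = defaultdict(list)
    for a in escalated:
        by_dst[a["dst"]].append(a)
    composites = []
    for dst, alarms in by_dst.items():
        ids = [a for a in alarms if a["alarm_id"] == "IDS_SIGNATURE"]
        av = [a for a in alarms if a["alarm_id"] == "AV_DETECT"]
        if ids and av:
            composites.append({"alarm_id": "WORM_CONFIRMED", "dst": dst, "src": ids[0]["src"],
                               "sig": ids[0]["sig"],
                               "sources": sorted(ids[0]["devices"] | av[0]["devices"])})
    return composites


def run_pipeline(lines):
    """Run all stages and report how many events survive each one."""
    normalized = [e for e in map(normalize, lines) if e is not None]
    aggregated = aggregate(normalized)
    escalated = escalate(aggregated)
    composites = correlate(escalated)
    return {"raw": len(lines), "normalized": len(normalized), "aggregated": len(aggregated),
            "escalated": len(escalated), "composite": len(composites),
            "escalated_events": escalated, "composites": composites}


if __name__ == "__main__":
    result = run_pipeline(RAW_LOGS)
    for stage in ("raw", "normalized", "aggregated", "escalated", "composite"):
        print(f"{stage:>10}: {result[stage]}")
    for c in result["composites"]:
        print("composite:", c)
```

Sixteen raw lines become five aggregated events, three escalated alarms, and one composite; the lone 443 probe falls below the firewall threshold, and the scanner's five denies are discarded because of its address rather than its count. The stage counts are also the honest way to read an events-per-second figure: what matters is how many actionable alarms remain, not how many raw lines went in.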

EPS
EPS, or events per second, is the usual measure of how much event data an SEM product can capture, correlate, and store; vendors sometimes quote the same capacity as a raw data volume instead (for example, gigabytes per day or week). There is currently no standard for how this metric is derived, even though many SEM/SIM vendors tout devices that process "millions of events per second": one vendor may count raw syslog lines received, another the events left after aggregation, and a peak burst rate is not a sustained rate. Without converting the figure into events that provide useful information or are actionable, it has no more meaning than the RPM rating of a car engine. So take care when using this metric to judge product scalability, and ask what is counted, at which stage of the pipeline, and under what load.