The Operational Role of Security Information and Event Management Systems
- 15 October 2014
- journal article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE Security & Privacy
- Vol. 12 (5), 35-41
- https://doi.org/10.1109/msp.2014.103
Abstract
An integral part of an enterprise computer security incident response team (CSIRT), the security operations center (SOC) is a centralized unit tasked with real-time monitoring and identification of security incidents. Security information and event management (SIEM) systems are an important tool used in SOCs; they collect security events from many diverse sources in enterprise networks, normalize the events to a common format, store the normalized events for forensic analysis, and correlate the events to identify malicious activities in real time. In this article, the authors discuss the critical role SIEM systems play in SOCs, highlight the current operational challenges in effectively using SIEM systems, and describe future technical challenges that SIEM systems must overcome to remain relevant.
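The collect, normalize, store and correlate pipeline the abstract describes, as an added Python example (not code from the article or its authors). The two source formats (syslog-style sshd lines and JSON lines from a hypothetical proxy), the common event schema, the sample log lines and the brute-force-then-success correlation rule are all constructed assumptions for illustration.

```python
"""Toy SIEM pipeline: collect -> normalize -> store -> correlate.

Added example, not code from the article. The sample log lines, the common
event schema and the correlation rule are constructed for illustration."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed raw events from two diverse sources: syslog-style sshd lines and
# JSON lines from a hypothetical web proxy. Each tuple is (source, raw line).
RAW_EVENTS = [
    ("sshd", "2014-10-15T10:00:01Z sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 5021 ssh2"),
    ("sshd", "2014-10-15T10:00:04Z sshd[811]: Failed password for root from 203.0.113.7 port 5022 ssh2"),
    ("sshd", "2014-10-15T10:00:09Z sshd[811]: Failed password for root from 203.0.113.7 port 5023 ssh2"),
    ("sshd", "2014-10-15T10:00:15Z sshd[811]: Accepted password for root from 203.0.113.7 port 5024 ssh2"),
    ("proxy", '{"ts": "2014-10-15T10:00:20Z", "src": "203.0.113.7", "user": "root", "action": "download", "url": "http://example.com/tool.zip"}'),
    ("sshd", "2014-10-15T10:05:00Z sshd[811]: Accepted password for alice from 198.51.100.9 port 6000 ssh2"),
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_ts(s):
    """ISO-8601 with trailing Z -> aware datetime (fromisoformat lacks Z support before 3.11)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize(source, line):
    """Map one raw line to the assumed common schema; None if the line is unparseable."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        return {"ts": parse_ts(m["ts"]), "src": m["src"], "user": m["user"],
                "action": "login",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure",
                "source": source}
    if source == "proxy":
        d = json.loads(line)
        return {"ts": parse_ts(d["ts"]), "src": d["src"], "user": d.get("user"),
                "action": d["action"], "outcome": "success", "source": source}
    return None

class EventStore:
    """Normalized-event store used for forensic lookups; a list stands in for a database."""
    def __init__(self):
        self.events = []
    def ingest(self, ev):
        self.events.append(ev)
    def query(self, **match):
        """Return events whose fields equal every keyword given, e.g. query(src="203.0.113.7")."""
        return [e for e in self.events if all(e.get(k) == v for k, v in match.items())]

def correlate(events, threshold=3, window_s=60):
    """Rule: >= threshold failed logins from one source, then a success from it, all within window_s."""
    alerts = []
    per_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "login":
            per_src[ev["src"]].append(ev)
    for src, logins in per_src.items():
        failures = []  # timestamps of recent failures from this source
        for ev in logins:
            # age out failures older than the window relative to the current event
            failures = [t for t in failures if (ev["ts"] - t).total_seconds() <= window_s]
            if ev["outcome"] == "failure":
                failures.append(ev["ts"])
            elif len(failures) >= threshold:
                alerts.append({"rule": "brute-force-then-success", "src": src,
                               "user": ev["user"], "failures": len(failures), "ts": ev["ts"]})
                failures = []
    return alerts

def run_pipeline(raw_events):
    """Collect -> normalize -> store -> correlate; returns (store, alerts)."""
    store = EventStore()
    for source, line in raw_events:
        ev = normalize(source, line)
        if ev is not None:
            store.ingest(ev)
    return store, correlate(store.events)

if __name__ == "__main__":
    store, alerts = run_pipeline(RAW_EVENTS)
    for a in alerts:
        print(a["rule"], a["src"], a["user"], a["failures"], a["ts"].isoformat())
    # forensic follow-up: everything the alerting source did, across all sources
    for e in store.query(src="203.0.113.7"):
        print(e["source"], e["action"], e["outcome"], e["ts"].isoformat())
```

The normalization step is what makes the cross-source query at the end possible: the proxy download is only linkable to the SSH brute force because both sources were mapped onto the same `src` and `ts` fields. The `threshold` and `window_s` knobs are the kind of tuning the abstract's operational challenges refer to; the base-rate problem means a loose rule on a large network will page on benign activity.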