SIEM 101: What is a SIEM and how does it relate to file integrity monitoring?

SIEM stands for Security Information and Event Management.  SIEM solutions can be delivered as software, as hardware appliances, or as virtual appliances.  A SIEM aggregates logs and event data from numerous sources, including servers, databases, network and security devices, and applications.  What makes a SIEM truly valuable is what it can do with this data: because it receives events from many sources, it can correlate them to detect potential issues and raise an alert.  Data viewed separately from each source might not indicate anything abnormal, but combined with data from other sources a clear anomaly may present itself.

Many SIEM solutions present data graphically in dashboards with charts and graphs, giving users a quick way to see what is happening in their IT environment at any point in time.  Another benefit of a SIEM is simplified regulatory compliance, since the data is retained in one location and can be reported on centrally.  For these reasons, many organizations have adopted SIEM solutions.  Currently these tend to be medium to large organizations, but as SIEM solutions become more popular and prices fall, expect even small companies to adopt one.

How does file integrity monitoring (FIM) work with SIEM?
File integrity monitoring is a complementary technology to SIEM.  Because the value of a SIEM depends on the information sent to it, feeding it high-quality change data is critically important.  File integrity monitoring products such as CimTrak gather detailed change data from a wide variety of IT systems and forward it to the SIEM.  CimTrak sends change information from the CimTrak Master Repository to a SIEM solution via syslog, SNMP traps, or the SIEM vendor's proprietary protocol.
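To make the "change data over syslog" path concrete, here is an added example, written for this page and not CimTrak's code or message format: a toy file integrity monitor that baselines a directory, detects added, modified and deleted files, and formats each change as an RFC 5424 syslog message carrying the old and new hash, size and permission bits in structured data.  The field names, the hostname and app name, the `fim@32473` SD-ID (32473 is the enterprise number RFC 5612 reserves for documentation) and the set of "critical" paths are all assumptions chosen for illustration; the files written by `demo()` are constructed test data.

```python
"""Toy file-integrity monitor that emits RFC 5424 syslog change events.

Added illustration, not CimTrak code: the event fields, the SD-ID
"fim@32473" (32473 is the documentation enterprise number from RFC 5612)
and the host/app names are all assumptions.
"""
import hashlib
import os
import socket
import stat
import tempfile
from datetime import datetime, timezone

FACILITY_LOG_AUDIT = 13                                # syslog facility 13 = "log audit"
SEVERITY = {"ADDED": 5, "MODIFIED": 4, "DELETED": 4}   # notice / warning / warning
SEVERITY_CRITICAL = 2                                  # raised for paths the operator flags


def hash_file(path, algorithm="sha256"):
    """Stream-hash a file so large binaries never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root to (sha256, size, permission bits)."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):           # skip symlinks, sockets, etc.
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (hash_file(full), st.st_size, st.st_mode & 0o7777)
    return result


def diff_snapshots(baseline, current):
    """Return (change, path, old_attrs, new_attrs) tuples, sorted by path."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if new is None:
            events.append(("DELETED", rel, old, None))
        elif old is None:
            events.append(("ADDED", rel, None, new))
        elif old != new:                               # hash, size or mode differs
            events.append(("MODIFIED", rel, old, new))
    return events


def _sd_escape(value):
    """Escape the three characters RFC 5424 forbids unescaped in a PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event, when, hostname="fim-agent01", app="fim", critical_paths=frozenset()):
    """Format one change as an RFC 5424 message; old/new hash, size and mode ride
    in structured data so the SIEM can correlate, not just count, the change."""
    change, rel, old, new = event
    severity = SEVERITY_CRITICAL if rel in critical_paths else SEVERITY[change]
    pri = FACILITY_LOG_AUDIT * 8 + severity            # PRI = facility * 8 + severity
    params = [f'path="{_sd_escape(rel)}"', f'change="{change}"']
    if old:
        params.append(f'old_sha256="{old[0]}"')
    if new:
        params += [f'new_sha256="{new[0]}"', f'size="{new[1]}"', f'mode="{new[2]:04o}"']
    structured = "[fim@32473 " + " ".join(params) + "]"
    ts = when.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    # PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {ts} {hostname} {app} - FIMCHG {structured} {change} {rel}"


def send_udp(message, host, port=514):
    """Ship one message to a syslog collector over UDP (not called by demo())."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


def demo():
    """Constructed scenario: baseline three files, then modify, delete and add one."""
    critical = frozenset({"etc/passwd", "etc/shadow", "etc/ld.so.preload"})
    when = datetime(2012, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name in ("passwd", "hosts", "shadow"):
            with open(os.path.join(etc, name), "w") as f:
                f.write("original\n")
        baseline = snapshot(root)
        with open(os.path.join(etc, "passwd"), "a") as f:         # rogue uid-0 account
            f.write("eve:x:0:0::/root:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:  # injected preload
            f.write("/tmp/evil.so\n")
        events = diff_snapshots(baseline, snapshot(root))
    messages = [to_syslog(e, when, critical_paths=critical) for e in events]
    return events, messages


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Run as a script, `demo()` prints one syslog line per change: the deleted `etc/hosts` at warning (`<108>`), and the new `etc/ld.so.preload` and modified `etc/passwd` at critical (`<106>`) because they are on the constructed critical-path list.  Two caveats a practitioner would add: UDP syslog is unauthenticated and lossy, so a production agent should forward over TLS (RFC 5425) or the collector's authenticated protocol; and an attacker who owns the monitored host can suppress or forge its own events, which is why the baseline and the comparison belong on a separate, hardened repository rather than on the endpoint being watched.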

RSA/Cimcor Announce Partnership

RSA and Cimcor recently announced a partnership agreement to integrate CimTrak with RSA's enVision security information and event manager (SIEM).  The integration will allow change data collected from numerous endpoints by CimTrak to be exported to and categorized by enVision.

According to RSA, “(t)he RSA enVision platform provides a centralized log-management service that enables organizations to simplify their compliance programs and optimize their security-incident management. The RSA enVision solution facilitates the automated collection, analysis, alerting, auditing, reporting, and secure storage of all logs.” With the ability to monitor a wide range of IT systems including servers, network devices, databases, VMware hosts and more, CimTrak provides detailed change information to enVision that allows users to get an in-depth view of what is happening in their environment at any given point in time.

Integration of the two products is expected to be complete in July of 2012.

CimTrak now features tighter integration with Q1 Labs QRadar SIEM

At Cimcor, we consistently integrate with the cutting-edge technologies our customers use.  One of those products is Q1 Labs' QRadar security information and event manager, recognized as a visionary SIEM solution by Gartner.  While CimTrak has integrated with QRadar for some time, the latest release of CimTrak features enhanced mapping of the data sent to QRadar.  This enhanced data mapping allows QRadar users to glean even more value from the IT change data CimTrak gathers.