SIEM 101: What is a SIEM and how does it relate to file integrity monitoring?
SIEM stands for Security Information and Event Manager. SIEM solutions
can be software or hardware, and may be virtualized. SIEMs aggregate
logs and data from numerous sources including servers, databases,
network and security devices, applications, and more. What makes SIEM
solutions truly valuable is what they can do with this data. Because
they receive it from many sources, SIEMs can correlate data to detect
potential issues and raise an alert. Whereas data viewed separately
from each source might not seem to indicate anything abnormal, combined
with other data, a clear anomaly may present itself.
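The correlation idea in the paragraph above, as an added example that is not CimTrak's or any SIEM vendor's code: two constructed log feeds (sshd logins and file-change records) are normalized into one time-ordered stream, and a rule fires only when a login from outside the assumed internal address ranges is followed within ten minutes by a change to an assumed-sensitive file on the same host. Neither feed alone would trip the rule; the hostnames, addresses, paths and ten-minute window are all assumptions chosen for illustration.

```python
"""Cross-source correlation of the kind a SIEM performs on aggregated logs.

Added example, not CimTrak's or any SIEM vendor's code. The log lines,
hostnames and addresses are constructed, and the rule (a login from outside
the internal ranges followed within ten minutes by a change to a sensitive
file on the same host) is an illustrative detection, not a vendor rule.
"""
import re
from datetime import datetime, timedelta

# Constructed sample data. Each line on its own is routine: administrators
# log in, deployments edit files, and a single failed password is noise.
AUTH_LOG = [
    "2012-06-14T02:13:05 web01 sshd[4121]: Accepted password for admin from 198.51.100.23 port 51022",
    "2012-06-14T09:00:11 web02 sshd[2201]: Accepted publickey for deploy from 10.0.0.12 port 40112",
    "2012-06-14T09:05:00 web02 sshd[2209]: Failed password for root from 198.51.100.23 port 40113",
]
FIM_LOG = [
    "2012-06-14T02:15:40 web01 fim: CHANGE path=/etc/sudoers old=3a1f new=9c7e user=admin",
    "2012-06-14T09:02:30 web02 fim: CHANGE path=/etc/sudoers old=3a1f new=5d20 user=deploy",
    "2012-06-14T11:30:02 web02 fim: CHANGE path=/var/www/html/index.html old=77b1 new=e0d4 user=deploy",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
FIM_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fim: CHANGE path=(?P<path>\S+) old=(?P<old>\S+) new=(?P<new>\S+) user=(?P<user>\S+)")

INTERNAL_PREFIXES = ("10.", "192.168.")  # assumption: private ranges used on the example network
SENSITIVE_PATHS = {"/etc/sudoers", "/etc/passwd", "/etc/shadow"}  # assumption: paths worth a rule
WINDOW = timedelta(minutes=10)


def parse_auth(line):
    """Normalize a successful sshd login; returns None for lines the rule ignores."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"source": "auth", "ts": datetime.fromisoformat(d["ts"]),
            "host": d["host"], "user": d["user"], "ip": d["ip"]}


def parse_fim(line):
    """Normalize a FIM change record into the same shape as the login events."""
    m = FIM_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"source": "fim", "ts": datetime.fromisoformat(d["ts"]),
            "host": d["host"], "user": d["user"], "path": d["path"],
            "old": d["old"], "new": d["new"]}


def normalize(auth_lines, fim_lines):
    """Merge both feeds into one time-ordered event stream, as a SIEM would."""
    events = [e for e in map(parse_auth, auth_lines) if e]
    events += [e for e in map(parse_fim, fim_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Apply the cross-source rule; each (login, change) pair yields one alert."""
    external_logins = [e for e in events
                       if e["source"] == "auth" and not e["ip"].startswith(INTERNAL_PREFIXES)]
    alerts = []
    for change in events:
        if change["source"] != "fim" or change["path"] not in SENSITIVE_PATHS:
            continue
        for login in external_logins:
            gap = change["ts"] - login["ts"]
            if login["host"] == change["host"] and timedelta(0) <= gap <= WINDOW:
                alerts.append({"host": change["host"], "user": login["user"],
                               "ip": login["ip"], "path": change["path"],
                               "seconds_after_login": int(gap.total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in correlate(normalize(AUTH_LOG, FIM_LOG)):
        print("ALERT", a)
```

Running the block reports one alert for web01: the sudoers change on web02 is ignored because the preceding login came from an internal address, and the index.html edit is not on the sensitive list. The same structure (parse into a common shape, order by time, join across sources on host and time window) is what a production SIEM rule does at scale.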
Many SIEM solutions can graphically present data in a dashboard format
with charts and graphs. This allows users a quick and easy way to “see”
what is happening in their IT environment at any point in time.
Another benefit of SIEM solutions is simplified compliance with
regulations as data is in one single location and can be reported on
centrally. For these reasons, many organizations have adopted SIEM
solutions. Currently, these organizations tend to be large to medium
sized, but as SIEM solutions become more popular and the prices fall,
expect even small companies to adopt a SIEM.
How does file integrity monitoring (FIM) work with SIEM?
File integrity monitoring is a complementary technology to SIEMs.
Because the value of a SIEM depends on the information sent to it,
getting high-quality change data to it is of critical importance. File
integrity monitoring products such as CimTrak get detailed change data
from a wide variety of IT systems and send it to a SIEM. CimTrak sends
change information from the CimTrak Master Repository to a SIEM solution
via syslog, SNMP traps, or the SIEM vendor’s proprietary protocol.
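The syslog path described above, as an added example that is not CimTrak's code: a minimal file integrity monitor that keeps a SHA-256 baseline of a directory tree, diffs a fresh scan against it, and renders each added, deleted or modified file as an RFC 5424 syslog message with structured data so the receiving SIEM gets parseable fields rather than free text. The enterprise number 32473 in the SD-ID is the RFC 5424 documentation value and stands in for a real registered number; the demo paths, hostname and timestamp are constructed, and the UDP sender is included but not exercised by the demo.

```python
"""File integrity monitoring that ships change records to a SIEM over syslog.

Added example, not CimTrak's code. It stores a SHA-256 baseline of a
directory tree, diffs a fresh scan against it, and renders each change as
an RFC 5424 syslog message with structured data so a SIEM can parse the
fields instead of a free-text line. The SD-ID enterprise number 32473 is
the RFC 5424 documentation value, used here as a placeholder; the demo
paths and hostname are constructed.
"""
import hashlib
import os
import socket
import tempfile
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16  # syslog facility for local use
SEV_WARNING = 4       # every change is worth a look; tune per path in practice


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root):
    """Map relative path -> (sha256, permission bits) for files under root."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            full = os.path.join(d, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (sha256_of(full), os.stat(full).st_mode & 0o777)
    return out


def diff(baseline, current):
    """Return added/deleted/modified records, sorted by path."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            changes.append({"action": "added", "path": rel, "old": "-", "new": new[0]})
        elif new is None:
            changes.append({"action": "deleted", "path": rel, "old": old[0], "new": "-"})
        elif old != new:  # content hash or permission bits differ
            changes.append({"action": "modified", "path": rel, "old": old[0], "new": new[0]})
    return changes


def sd_escape(value):
    """RFC 5424 PARAM-VALUE escaping for the double quote, backslash and ']'."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(change, hostname, ts=None):
    """Render one change as an RFC 5424 message with a structured-data block."""
    pri = FACILITY_LOCAL0 * 8 + SEV_WARNING  # <132>
    stamp = (ts or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = " ".join(f'{k}="{sd_escape(change[k])}"' for k in ("action", "path", "old", "new"))
    return f"<{pri}>1 {stamp} {hostname} fim - CHANGE [fim@32473 {params}] {change['action']} {change['path']}"


def send_udp(message, collector=("127.0.0.1", 514)):
    """Deliver one message to a syslog collector over UDP (not called by demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), collector)


def demo():
    """Constructed end-to-end run: baseline, simulate edits, report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name, body in (("config", "debug=0\n"), ("old.conf", "keep=1\n")):
            with open(os.path.join(etc, name), "w") as f:
                f.write(body)
        baseline = scan(root)
        # Changes after the baseline was taken: edit, create, delete.
        with open(os.path.join(etc, "config"), "w") as f:
            f.write("debug=1\n")
        with open(os.path.join(etc, "new.conf"), "w") as f:
            f.write("added=1\n")
        os.remove(os.path.join(etc, "old.conf"))
        changes = diff(baseline, scan(root))
        fixed = datetime(2012, 6, 14, 2, 15, 40, tzinfo=timezone.utc)
        return changes, [to_syslog(c, "web01", fixed) for c in changes]


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Putting the action, path and both hashes in a structured-data element rather than in the free-text MSG is what lets a SIEM index and correlate on them; the old and new hashes in particular let an analyst confirm whether a change matches an approved package or configuration push. A real agent would also protect the baseline itself, since an attacker who can rewrite it can hide changes.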
RSA/Cimcor Announce Partnership
RSA and Cimcor recently announced a partnership agreement to integrate
CimTrak with RSA’s enVision security information and event manager
(SIEM). The integration will allow change data, collected from numerous
endpoints by CimTrak, to be exported and categorized by enVision.
According to RSA, “(t)he RSA enVision platform provides a centralized
log-management service that enables organizations to simplify their
compliance programs and optimize their security-incident management. The
RSA enVision solution facilitates the automated collection, analysis,
alerting, auditing, reporting, and secure storage of all logs.” With the
ability to monitor a wide range of IT systems including servers,
network devices, databases, VMware hosts and more, CimTrak provides
detailed change information to enVision that allows users to get an
in-depth view of what is happening in their environment at any given
point in time.
Integration of the two products is expected to be complete in July of 2012.
CimTrak now features tighter integration with Q1 Labs QRadar SIEM
At Cimcor, we consistently integrate with cutting-edge technologies that
our customers are using. One of those products is Q1 Labs QRadar
security information and event manager, recognized as a visionary SIEM
solution by Gartner. While CimTrak has integrated with QRadar for some
time now, the latest release of CimTrak will feature enhanced mapping of
data sent to QRadar. This enhanced data mapping allows QRadar users to
glean even more value from IT change data gathered by CimTrak.