Why the SIM part of SIEM is inadequate and just a half-measure?

By Tom McDonald

May 11, 2015


The internet is rapidly changing and so are the challenges we face online. There is an urgent need for solutions that can safeguard data stored on our cloud drives or on our servers.

This three-part guide will take you through different aspects of cyber security. So without further ado, let's jump into it.


What are SIEM and SIM?

The acronym SIEM stands for Security Information and Event Management. Security Information Management (SIM) is the part of SIEM that gathers, stores, analyzes and reports on the data that has been logged.

The concept behind this technology is to sort through the tons of information gathered and identify unauthorized accesses, abnormal user behaviors, external intrusions and the existence of malware programs. The tool generates threat alerts and suggests actionable incident responses.

It is implemented mostly in enterprises that require a higher degree of protection from cyber threats that can cripple networks, steal sensitive information and put general operations in jeopardy. The technology is usually sold as software, appliances or a managed service. Apart from providing actual security, it can also generate reports that can be used for compliance and audits.

What necessitates SIM?

Cyber-attacks are a multilayered risk. They involve the operating systems of servers and workstations, the user identity management systems, the databases and the web traffic. To protect these systems, various applications run in the background. Applications like intrusion detection systems, anti-virus, firewall, and VPNs are a few examples.

These applications work independently and monitoring all of them individually can be a challenge.

Implementing Security Information Management addresses this issue. It collects data from several sources and displays them on a single pane of glass.

Why is SIM inadequate?

A SIM will give ample information to work with, but the actual problem, which is resolving any and all security issues, is not fixed. SIM does not analyze the data, and by the time somebody identifies an entry in the logs that indicates a real threat, it may already be too late.

A proper resolution requires analysis, identification and response to all security incidents. These steps require more than just sorting through data; they require some level of creativity from the security staff handling the information.

Nevertheless, Security Information Management is an integral part of SIEM. As long as it is properly configured and kept constantly updated, it will provide the foundation to build a solid security framework that can protect critical information of an enterprise, provided of course that the data collected is of the right kind and in the right amounts. Too much data can choke the system, and too little will result in a limited view that will miss critical events.

The information collection process

Incorrect information collection generates reports that divert attention from critical incidents that need attention to noisy ones, which may just be feints and diversions that allow a malicious intrusion to complete its task undetected. These reports are not really effective until use cases (definitions of the steps for analyzing the data) and filters are put in place.

For example, we can filter reports down to failed administrator login attempts, but there will still be no way to know whether these failures pertain to intrusion attempts.

Even after the use cases and the filters are implemented, there is still no threat assessment data. There is only an indication that something may be going on which requires attention. By the time somebody has investigated the incident, the damage may be done, and too much time will have been lost in manual effort. And there is no guarantee that no errors will occur.

Under pressure it is easy to underestimate a threat. Maintaining a manual threat assessment process in order to minimize any such errors requires increased staffing, which can be a burden for many organizations.

Not to mention that the time lost in this effort is time that is not spent keeping up with the ever-evolving quality and level of threats. It is also time that is not used to identify possible vulnerabilities in our networks and resolve them before they can be exploited.

SIM is the first step, SEM is the second

The best that can be said about the data gathering process achieved in SIM is that a good set of background information has been accumulated even though there has been no real effect on improving the overall security. This security improvement cannot be achieved until a security intelligence layer has been inserted in the analyzing process.

This layer is inserted by Security Event Management (SEM), which monitors the data in real time, correlates various events and produces notifications and console views. Now that some of the main concepts are clear, we'll be discussing more about cyber attacks and security in the next part of the series.
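To make the SIM/SEM distinction concrete, here is an added example that is not part of the original article or any vendor product. It takes the failed-administrator-login filter from the collection section and the real-time correlation from this section and runs both over a handful of constructed log lines. The simplified sshd-style line format, the rule thresholds (three failures within five minutes followed by a success) and all IP addresses and hostnames are assumptions made for the demonstration.

```python
"""Added example (not from the article): a toy illustration of the SIM vs SEM
split. SIM-style code normalizes and filters raw log lines; SEM-style code
correlates them in time to produce an alert. All log lines are constructed
sample data; the line format and rule thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a simplified sshd-like format (assumed).
SAMPLE_LOGS = """\
2015-05-11T09:00:01 host1 sshd: Failed password for admin from 203.0.113.5
2015-05-11T09:00:03 host1 sshd: Failed password for admin from 203.0.113.5
2015-05-11T09:00:04 host1 sshd: Failed password for bob from 198.51.100.7
2015-05-11T09:00:06 host1 sshd: Failed password for admin from 203.0.113.5
2015-05-11T09:00:09 host1 sshd: Accepted password for admin from 203.0.113.5
2015-05-11T11:30:00 host2 sshd: Failed password for admin from 192.0.2.9
2015-05-11T13:45:00 host2 sshd: Failed password for admin from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """SIM step 1: normalize raw lines into structured events (collect/store)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # this toy drops unparseable lines; a real SIM keeps them
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "user": m["user"],
            "src": m["src"],
            "success": m["result"] == "Accepted",
        })
    return events


def failed_admin_logins(events):
    """SIM step 2: the article's filter example. It shows *what* failed, not
    whether it is an attack: a mistyped password and a password-guessing run
    look identical in this list."""
    return [e for e in events if e["user"] == "admin" and not e["success"]]


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """SEM-style correlation: at least `threshold` failures for one (src, user)
    inside a sliding `window`, followed by a success from the same source,
    raises an alert. Threshold and window are assumed values for the demo."""
    recent = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["src"], e["user"])
        # keep only failures that are still inside the window
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window]
        if not e["success"]:
            recent[key].append(e["ts"])
        elif len(recent[key]) >= threshold:
            alerts.append({
                "rule": "success_after_failures",
                "src": e["src"], "user": e["user"], "host": e["host"],
                "failures": len(recent[key]), "at": e["ts"],
            })
            recent[key].clear()
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print(f"{len(failed_admin_logins(evs))} failed admin logins (SIM filter)")
    for alert in correlate_bruteforce(evs):
        print("ALERT", alert)
```

Running it, the SIM filter returns five failed admin logins and says nothing about which ones matter. The correlation rule raises a single alert for 203.0.113.5, where three failures within a few seconds were followed by a successful admin login, and stays silent for the two failures from 192.0.2.9 because they fall hours apart. That gap between "a list of failures" and "an event worth paging someone for" is the security intelligence layer the text is describing.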


About the Author

Over the last thirty years Tom has held various senior IT executive positions, successfully leading the design, development, implementation, and support of technology-based products and managed security programs. Tom is currently the Vice President for US Enterprise Security at Paladion Networks.
