Security Information and Event Management

The present strategic value and the increasing complexity of data networks imply the need for tools to be used for management and control of the involved human and technological resources.

The network administrator and the security policy administrators must be enabled to have access to reliable data on the use of both the network and its components and also to all the information required to optimize resources, amend configurations and avoid behaviors which could jeopardize the network efficiency. These information are provided through log messages which describe all the activities carried out by the device.

However, the log analysis is demanding since the “raw volume” of the generated data is very high and therefore the log collection, filtering and mapping must be carried out using dedicated tools the function of which is that of processing, storing and displaying information through the user interface.

In general terms, a SIEM (Security Information and Event Management) product must be able to:

• Collect a high number of events (thousands per second) from a wide range of heterogeneous devices;
• Support logs generated by network devices, operative systems, central (mainframe) and department (DC, mail server, database and so on) applications;
• Provide an event mapping and analysis engine both in real time mode and for forensic analysis;
• Put in a log file –in a secure way in compliance with international standards in force- a great quantity of collected events;
• Provide a flexible reporting engine aimed at solving different operation and management issues.