A Security Event Manager (SEM) is software that takes as input logs and alerts from a variety of systems, such as firewalls, routers and servers, and attempts to inform the engineer of unusual occurrences that warrant further investigation. The SEM benefits from having available to it information from many systems at both the network and application level, from an understanding of event severity, and possibly from access to vulnerability databases that describe common weaknesses and how they are exploited. SEM software may also feature tools to aid the analyst charged with investigating events and producing reports.

There has been a vendor-fuelled explosion in acronyms around SEM, and you will see such systems referred to variously as SEM, SIM, CSEM, CIEM and ESM. All of them perform broadly similar functions with differing scalability, utility, user-friendliness and price. The diagram illustrates the main activities of a SEM system; as capabilities grow, one can expect to see remediation added to this list. Although vendors may use different terminology or allude to proprietary methods, all conform to this basic mode of operation.
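The basic mode of operation described above (collect from several systems, normalise into a common schema, assign severity, correlate across sources, raise an alert for the analyst) can be made concrete with a small pipeline. The following is an added illustration, not code from the original document or from any SEM vendor: the log line formats, the severity scale, the correlation rule and its thresholds are all constructed assumptions for this example.

```python
"""Minimal SEM pipeline: normalise -> severity -> correlate -> alert (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample input: lines as a firewall, a server and a router might emit them.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-05-01T10:00:05Z srv05 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:06Z srv05 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:09Z srv05 sshd: Accepted password for admin from 203.0.113.7",
    "2024-05-01T10:05:00Z rtr01 link eth0 up",
    "2024-05-01T10:07:00Z srv05 sshd: Accepted publickey for alice from 192.0.2.10",
]


@dataclass
class Event:
    """Common schema every source is normalised into (assumed, not a standard)."""
    ts: datetime
    system: str
    category: str          # "fw_deny", "auth_fail", "auth_ok" or "info"
    severity: int          # 1 (informational) .. 5 (critical), assigned here
    src_ip: Optional[str]
    raw: str


# Per-source parsers; real deployments would have one per device type/format.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) DENY src=(?P<src>\S+) dst=\S+ dport=\d+$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)$"
)
GENERIC_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) .*$")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise(line: str) -> Event:
    """Map a raw line from any source into the common Event schema, with a base severity."""
    m = FW_RE.match(line)
    if m:
        return Event(_ts(m["ts"]), m["host"], "fw_deny", 2, m["src"], line)
    m = AUTH_RE.match(line)
    if m:
        if m["result"] == "Failed":
            return Event(_ts(m["ts"]), m["host"], "auth_fail", 3, m["src"], line)
        return Event(_ts(m["ts"]), m["host"], "auth_ok", 1, m["src"], line)
    m = GENERIC_RE.match(line)
    if m:
        return Event(_ts(m["ts"]), m["host"], "info", 1, None, line)
    raise ValueError(f"unparseable line: {line!r}")


WINDOW = timedelta(minutes=10)   # assumed correlation window
MIN_FAILURES = 2                 # assumed threshold


def correlate(events: List[Event]) -> List[Dict]:
    """Single correlation rule: at least MIN_FAILURES authentication failures from one
    source followed by a success from the same source within WINDOW. Firewall denies
    from that source within the window are attached as context from a second system
    and raise the alert severity; this cross-system view is what a SEM adds over
    looking at each device's log on its own."""
    events = sorted(events, key=lambda e: e.ts)
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.src_ip:
            by_src[e.src_ip].append(e)

    alerts: List[Dict] = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e.category == "auth_fail"]
        for ok in (e for e in evs if e.category == "auth_ok"):
            recent = [f for f in failures if ok.ts - WINDOW <= f.ts <= ok.ts]
            if len(recent) < MIN_FAILURES:
                continue
            denies = [e for e in evs if e.category == "fw_deny" and ok.ts - WINDOW <= e.ts <= ok.ts]
            alerts.append({
                "rule": "auth-failures-then-success",
                "src_ip": src,
                "failures": len(recent),
                "fw_denies": len(denies),
                "severity": 5 if denies else 4,
                "systems": sorted({e.system for e in recent + denies + [ok]}),
                "first_seen": recent[0].ts.isoformat(),
                "last_seen": ok.ts.isoformat(),
            })
    return alerts


def run(lines: List[str]) -> List[Dict]:
    """Full pipeline over raw lines; returns the alerts an analyst would be shown."""
    return correlate([normalise(line) for line in lines])


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Run on the constructed sample, the router line is normalised to an informational event and contributes nothing, the second successful login (from 192.0.2.10, with no preceding failures) produces no alert, and the single alert raised names both the firewall and the server as contributing systems. Severity here is assigned by the normaliser and adjusted by the rule; a production SEM would additionally consult asset and vulnerability data when ranking events.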