SIEM – definition & overview | Sumo Logic

Security event management (SEM) is the process of centralizing computer log data from multiple sources (systems, endpoints, applications, and services) to improve the detection of events and manage events through a formalized incident response process.

SIEM for beginners

As IT organizations grow, they deploy more hardware and applications that produce an ever-increasing volume of computer logs. Enterprise IT security consists of several different applications working in tandem to protect against various attacks. These include malware detection applications, a network intrusion detection system (NIDS), a network intrusion prevention system (NIPS), data loss protection, endpoint security applications and more.

Each of these security applications monitors a few specific types of security threats, but none of them provides 100% coverage. Your intrusion detection system can only read packets, protocols and IP addresses because its function is to detect unauthorized users or suspicious packet activity on the network. Your endpoint security can only monitor files, usernames and hosts. Meanwhile, your service logs reveal user logins, service activities and configuration changes.

SIEM software tools act as a management and integration layer that sits on top of your existing systems infrastructure and security software tools. They collect and integrate the computer-generated log data captured by each application, service, or security tool in the system, present the resulting data in a human-readable format, and support real-time threat detection and event management functions.
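As an added illustration of that integration layer (example code, not from the original page or from Sumo Logic), the following Python normalizes three differently formatted log lines, an NIDS alert, an sshd syslog entry and an endpoint JSON event, into one common schema and then correlates them per host within a time window. The log lines, the asset table and the two regexes are constructed assumptions, not real data or a real product's formats.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data): the same host seen by three different tools.
RAW_LOGS = [
    '2024-05-01T10:00:05Z nids alert src=10.0.0.7 dst=10.0.0.20 msg="SSH brute force"',
    '2024-05-01T10:00:12Z host20 sshd[412]: Accepted password for root from 10.0.0.7 port 51122',
    '{"ts": "2024-05-01T10:00:40Z", "host": "host20", "user": "root", "event": "service_installed"}',
    '2024-05-01T11:30:00Z host21 sshd[77]: Accepted password for alice from 10.0.0.9 port 40000',
]
# Constructed asset table: maps IP addresses seen by network tools to host names used by host tools.
ASSETS = {"10.0.0.20": "host20", "10.0.0.21": "host21"}

NIDS_RE = re.compile(r'^(\S+) nids alert src=(\S+) dst=(\S+) msg="([^"]*)"$')
SSHD_RE = re.compile(r'^(\S+) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)')

def ts(s):
    """Parse the ISO-8601 UTC timestamp shared by all three constructed formats."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize(line):
    """Map one raw line from any source onto a common event schema (ts, source, host, actor, event)."""
    if line.startswith("{"):  # endpoint agent emits JSON
        d = json.loads(line)
        return {"ts": ts(d["ts"]), "source": "endpoint", "host": d["host"], "actor": d["user"], "event": d["event"]}
    m = NIDS_RE.match(line)
    if m:  # network sensor only knows IPs, so enrich dst through the asset table
        return {"ts": ts(m[1]), "source": "nids", "host": ASSETS.get(m[3], m[3]), "actor": m[2], "event": m[4]}
    m = SSHD_RE.match(line)
    if m:  # service log already carries host and user name
        return {"ts": ts(m[1]), "source": "syslog", "host": m[2], "actor": m[3], "event": "login_ok"}
    raise ValueError("unrecognized log format: " + line)

def correlate(lines, window=timedelta(minutes=2)):
    """Return (host, ts) for each NIDS alert followed within the window, on the same host,
    by a successful login from the service log and a change reported by the endpoint agent."""
    events = sorted((normalize(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, first in enumerate(events):
        if first["source"] != "nids":
            continue
        sources = {first["source"]}
        for e in events[i + 1:]:
            if e["host"] == first["host"] and e["ts"] - first["ts"] <= window:
                sources.add(e["source"])
        if sources == {"nids", "syslog", "endpoint"}:
            alerts.append((first["host"], first["ts"]))
    return alerts
```

None of the three sources alone sees the whole sequence; only after normalization onto one schema and a shared host key does the combination stand out.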

SIEM software tools connect the most important security data from the applications that protect your business, enabling your organization to respond more quickly to security events.