During my time as a network manager, I was always a little disappointed with what I got out of my SEIM system. SEIM, or Security Event and Information Management, tools are a staple of the security infrastructure. They are great at satisfying some of the critical compliance requirements for assessing log data, so almost everyone has them. But for me, our SEIM system was a hassle.
Truth be told, I didn’t spend enough time configuring and tweaking the system to get what I wanted. But also, I expected it to be, well, easier. I expected to take those millions of logs and just make sense of them. What I really wanted were “smart events.” I wanted the system to understand the logs and tell me when something had happened.
That’s what I really like about the events that FireMon can feed to a SEIM. Instead of ‘user mdean issued command access-list…’, I can get ‘user mdean added service SSH to rule 4?. And then, instead of me having to know that rule 4 is an inbound rule and that someone just allowed access that violates my security policy, I can get a second event thatsays ‘Firewall External FAILED internal-best-practice audit’.
Now that’s an event I can use. Learn more about it at SEIM News.