Nerd News:
SIEM vs. LMI: Why limit correlation?
I was reading a piece over at the SANS Institute by David Swift the other day about SIEM that he’d written a couple of years ago. It made me start thinking about SIEM as a whole versus correlation.
The first question we have to ask is: what is a SIEM (or SIM, or SEM)?
SIEM: Security Information and Event Management
SIM: Security Information Management
SEM: Security Event Management
SIEMs as a whole correlate security events from a number of sources such as firewalls, IDS/IPS, Active Directory and perhaps a full vulnerability scan. Taken together, these events can point toward some sort of security incident, such as an attempted breach or a denial of service attack.
This is the main job of a SIEM: correlation of events.
Now along comes LMI (Log Management & Intelligence). Log Management takes the position that, instead of collecting only security-related events such as those from firewalls, IDS/IPS and server operating systems, we should collect ALL events. With those events we can do more than security: we can do deep dives on all of that data and use it for troubleshooting, root-cause analysis, compliance, and operational excellence.
Now, although these seem similar, keep in mind that a SIEM works on a small subset of log data, whereas LMI works on ALL log data.
So the question I ask is merely this.
Why limit correlation to Security Events? Why not correlate ANY event?
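The two kinds of correlation discussed above, the security-only kind a SIEM does and the cross-source kind the post argues for, as an added example that is not part of the original post (nor from the SANS piece or any SIEM/LMI product): a small time-window rule engine in Python run over constructed log lines. The log format ("<ISO timestamp> <source> <host> <message>"), the host names, users and IP addresses, and the "10.0.0.0/8 is internal" convention are all assumptions made for the illustration.

```python
"""Time-window correlation over mixed log sources.

Added example written for this post; it is not code from the post, from
the SANS piece it cites, or from any SIEM/LMI product. The log format
("<ISO timestamp> <source> <host> <message>"), host names, users and IP
addresses are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: AD logon audits and firewall decisions (classic SIEM
# feeds) interleaved with web-server error lines (an operational feed a
# security-only collector would usually drop).
SAMPLE_LOG = """\
2008-05-13T10:00:01 ad  dc01  logon_failure user=jsmith src=10.0.0.55
2008-05-13T10:00:03 ad  dc01  logon_failure user=jsmith src=10.0.0.55
2008-05-13T10:00:05 ad  dc01  logon_failure user=jsmith src=10.0.0.55
2008-05-13T10:00:07 ad  dc01  logon_success user=jsmith src=10.0.0.55
2008-05-13T10:02:10 web web01 error 500 /checkout
2008-05-13T10:02:11 web web01 error 500 /checkout
2008-05-13T10:02:12 web web01 error 500 /checkout
2008-05-13T10:02:14 fw  fw01  allow src=web01 dst=203.0.113.9:4444 proto=tcp
2008-05-13T11:00:00 ad  dc01  logon_failure user=bob src=10.0.0.77
2008-05-13T11:30:00 ad  dc01  logon_success user=bob src=10.0.0.77
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log_text):
    """Turn raw lines into dicts; key=value pairs in the message become fields."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, host, msg = line.split(None, 3)
        e = {"ts": datetime.fromisoformat(ts), "source": source,
             "host": host, "msg": msg}
        e.update(KV.findall(msg))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def sequence_rule(events, name, key, precursor, consequent, threshold, window):
    """Fire `name` when at least `threshold` precursor events sharing key(e)
    are followed, within `window`, by a consequent event with the same key.
    Events for which key() returns None are ignored by this rule."""
    recent = defaultdict(list)          # key -> timestamps of precursors seen
    alerts = []
    for e in events:
        k = key(e)
        if k is None:
            continue
        if precursor(e):
            recent[k].append(e["ts"])
        elif consequent(e):
            cutoff = e["ts"] - window
            hits = [t for t in recent[k] if t >= cutoff]  # drop stale ones
            recent[k] = hits
            if len(hits) >= threshold:
                alerts.append({"rule": name, "key": k, "at": e["ts"],
                               "precursors": len(hits)})
                recent[k] = []          # do not re-fire on the same burst
    return alerts


def is_internal(addr):
    """Constructed convention for this example: 10.0.0.0/8 is 'inside'."""
    return addr.startswith("10.")


def run_rules(log_text=SAMPLE_LOG, window=timedelta(seconds=60)):
    events = parse(log_text)
    alerts = []
    # Rule 1: security-only correlation, what a SIEM does. Three failed
    # logons then a success for the same user and source IP within a minute.
    alerts += sequence_rule(
        events, "brute_force_then_success",
        key=lambda e: (e["user"], e["src"]) if e["source"] == "ad" else None,
        precursor=lambda e: e["msg"].startswith("logon_failure"),
        consequent=lambda e: e["msg"].startswith("logon_success"),
        threshold=3, window=window)
    # Rule 2: cross-domain correlation, the LMI position. A burst of web
    # application errors on a host, followed by the firewall allowing that
    # host an outbound connection to an external address.
    alerts += sequence_rule(
        events, "error_burst_then_outbound",
        key=lambda e: (e["host"] if e["source"] == "web"
                       else e.get("src") if e["source"] == "fw" else None),
        precursor=lambda e: e["source"] == "web" and "error 500" in e["msg"],
        consequent=lambda e: (e["source"] == "fw"
                              and e["msg"].startswith("allow")
                              and not is_internal(e.get("dst", ""))),
        threshold=3, window=window)
    return alerts


if __name__ == "__main__":
    for a in run_rules():
        print(f'{a["at"].isoformat()} {a["rule"]} key={a["key"]} '
              f'after {a["precursors"]} precursors')
```

The first rule fires with nothing but the usual security feeds. The second can only fire if the web server's own error log is collected next to the firewall log; with a security-only subset of events the error burst is invisible and the outbound connection on its own looks benign. Bob's single failure half an hour before his success falls outside the window and correctly produces nothing.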
Tuesday, May 13, 2008