Essential Guide

View All Guide Articles

Problem solve

This article is part of our Essential Guide: How to define SIEM strategy, management and success in the enterprise

Should IDS and SIM/SEM/SIEM be used for network intrusion monitoring?

Is it enough just to monitor log data, or does that data need to be fed into a SIM/SEM/SIEM product in order to ease the data analysis process? Network security expert Mike Chapple weighs in.

Mike Chapple

University of Notre Dame

Follow:

Is it enough just to analyze log data, or it is necessary (or beneficial) to have IDS feed to SIM/SEM as well? Will correlated logs provide me with enough information to pinpoint a security issue or will signature-based IDS provide me with an additional view, which cannot be determined just with logs?

Generally speaking, a SIM/SEM/SIEM network intrusion monitoring system is an enhancement to an existing IDS. It...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

will store and further process the logs generated by the IDS and allow you to correlate IDS entries with other security events, such as vulnerabilities detected by a network scanner. The use of a SIM/SEM/SIEM can greatly reduce the amount of time spent reviewing log records by automating the task.

That said, SIM/SEM/SIEM devices are expensive. If you don't have the budget to purchase a good SIM/SEM/SIEM, you're probably better off doing network intrusion monitoring yourself than installing a marginal quality SIM/SEM/SIEM. Less sophisticated systems integrate with fewer of your security devices, require more extensive configuration and maintenance and will probably increase the total cost of ownership.

You shouldn't lose any data between your IDS and your SIM, but it's always a good idea to monitor log data and keep IDS logs as a backup in the event the SIM malfunctions or becomes unavailable.

For more information:

Learn how to mine enterprise SIM logs for relevant security event data.
Don't have a SIM? Find out how to check for attack data on network logs without SIMs

This was last published in April 2009

Related Q&A from Mike Chapple

How to prevent DoS attacks in the enterprise

It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading

How should HIPAA covered entities respond to healthcare ransomware?

The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading

Should healthcare organizations follow the NIST guidelines for HIPAA?

HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

Are Amazon certificate authority services trustworthy?

AWS now operates as its own CA. What are the potential risks of the new Amazon certificate authority services? Expert Dave ...

How to prevent cloud cryptojacking attacks on your enterprise

As the value of bitcoin has risen over the last year, so has the prevalence of cloud cryptojacking attacks. Expert Rob Shapland ...

Developing a robust data protection procedure for the cloud

How should the use of cloud services affect your data retention, deletion and archiving practices? Find out what guidelines ...

SearchNetworking

Private CDN services fill specific needs for some businesses

In addition to shared CDN service options, private CDNs with dedicated edge servers are the obvious answer for businesses with ...

Network engineering skills should include software fluency

Network engineers need to rethink their network engineering skills and embrace software fluency training to meet business needs ...

Pica8 wooing campus with white box network switch software

Pica8 is rolling out new white box network switch software aimed at campus and branch-office deployments in a bid to build a new ...

SearchCIO

Artificial intelligence center of excellence emerges as best practice

One way for enterprises to get a grip on an AI strategy that makes sense for them is to establish an artificial intelligence ...

Indeed.com releases top 10 most in-demand CIO skills

Job site Indeed.com has released a list of the most in-demand skills for today's CIOs, based on job postings. Experts I talked to...

Rue La La CTO: Don't let data poisoning impair business health

If not treated properly, data can corrupt agendas, spur endless arguments and narrow thinking, the e-commerce company's Anthony ...

SearchEnterpriseDesktop

Seven factors that make up an effective email phishing test

The best way for IT to improve email phishing security is through comprehensive testing, which helps identify which users are ...

Citrix Analytics service brings hope for better security

As it becomes more difficult to monitor and secure applications and data, Citrix's security analytics platform is getting more ...

Citrix Workspace app holds potential, raises questions

At Synergy 2018, Citrix introduced a new secure digital workspace that provides users unified access to their virtual desktops ...

SearchCloudComputing

In a serverless architecture age, infrastructure still matters

Sorry, developers, but infrastructure still matters, even as serverless architectures and containers diminish its central role to...

Don't let scalability ruin a cloud cost management strategy

Scalability is one of the cloud's biggest advantages, but misuse of the feature can cost you. Pay special attention to these ...

Four tips for a successful hybrid cloud POC

A hybrid cloud proof of concept is an important step to ensure a deployment will fully meet IT and business needs. Mind these ...

ComputerWeekly.com

How AWS keeps its rivals at bay

A relentless focus on building for customers and inking partnerships with enterprise software bigwigs while lowering prices has ...

UK calls for new data-sharing model with EU

The UK has proposed a new data-sharing model to ensure ongoing data protection collaboration and free flow of data between the EU...

Compliance in the cloud: Avoiding the cloud compliance trap

When you hand over data to a cloud provider, you don’t hand over responsibility for legal and regulatory compliance. Beware of ...

Essential Guide

Related Resources

Related Q&A from Mike Chapple

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.