As computer systems have become increasingly complicated and managed computer system networks have grown exponentially, the difficulty in monitoring computer system health and security status has likewise increased. When computer system networks were less sprawling, security devices generated a manageable number of daily events that were manually analyzed by security managers. Today's systems, however, generate many thousands of daily events, far more than can be manually analyzed.
To remedy this issue, Security Information and Event Management (SIEM) solutions were developed. SIEM systems combine both security information management (SIM) and security event management (SEM) functionalities into a centralized system that can provide real-time analysis of the security alerts that are generated by various hardware devices and applications. In general, SIEM systems are capable of gathering, analyzing, and presenting information from: network and security devices; vulnerability management and policy compliance tools; operating system, database, and application logs; and external threat data. Further, SIEM systems generally can identify and access various management applications.
Typical SIEM systems are designed to aggregate security information generated by the various collection devices and applications and subsequently normalize the aggregated information such that the SIEM system can then analyze the information independent of the collection devices. This type of functionality is traditionally accomplished through non-distributed, client-server architectures that require significant effort and processing capabilities each time a new device, node, or user with discrete permissions is added to the system. Such a conventional system configuration is disadvantageous, however, as the thousands of daily events collected from a multitude of computer systems in a network cause significant network traffic, which affects the system's efficiency. Further, because not all computer systems in a particular managed network require identical applications and collection devices, the traditional SIEM system architecture makes it difficult to provide custom configuration for each networked computer system, thus limiting system scalability.
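As an added illustration of the aggregate-then-normalize step described above (example code, not part of the patent), two constructed event formats, a syslog-style SSH authentication log and a JSON application log (both field layouts are assumptions), are mapped into one common schema so that a single analysis rule runs without knowing which collection device produced each event.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events from two different collection devices (hypothetical formats).
FIREWALL_SYSLOG = [
    "Mar 10 12:00:01 fw01 sshd[2201]: Failed password for admin from 203.0.113.5 port 51022 ssh2",
    "Mar 10 12:00:03 fw01 sshd[2201]: Failed password for root from 203.0.113.5 port 51023 ssh2",
    "Mar 10 12:00:09 fw01 sshd[2201]: Accepted password for ops from 198.51.100.7 port 40012 ssh2",
]
APP_JSON = [
    {"ts": "2024-03-10T12:00:05Z", "app": "portal", "event": "login_failed", "user": "admin", "client_ip": "203.0.113.5"},
    {"ts": "2024-03-10T12:00:07Z", "app": "portal", "event": "login_ok", "user": "alice", "client_ip": "192.0.2.9"},
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

def normalize_syslog(line, year=2024):
    """Map one syslog auth line onto the common schema; syslog carries no year, so it is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not an auth event this collector understands
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": m["host"], "category": "auth",
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "user": m["user"], "src_ip": m["ip"]}

def normalize_json(rec):
    """Map one application JSON record onto the same common schema."""
    if not rec.get("event", "").startswith("login_"):
        return None
    return {"ts": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            "source": rec["app"], "category": "auth",
            "outcome": "failure" if rec["event"] == "login_failed" else "success",
            "user": rec["user"], "src_ip": rec["client_ip"]}

def aggregate():
    """Collect from both devices, drop unparsed lines, and merge into one time-ordered stream."""
    events = [normalize_syslog(l) for l in FIREWALL_SYSLOG] + [normalize_json(r) for r in APP_JSON]
    return sorted((e for e in events if e is not None), key=lambda e: e["ts"])

def failed_logins_by_ip(events, threshold=2):
    """Device-independent rule: source IPs with at least `threshold` failed logins across all sources."""
    counts = Counter(e["src_ip"] for e in events if e["category"] == "auth" and e["outcome"] == "failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Because the rule consumes only the normalized fields, adding a third collector means writing one more `normalize_*` function, not a new rule.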
Therefore, there is a long-felt but unresolved need for a modular and scalable SIEM system that is flexible, efficient, and allows rapid deployment and modification as needed.