How do log management and SIEM differ? Is it necessary to have separate tools for each function or can these functions be rolled into one solution?
Which products are best for SIEM, and which are better for log management? Do you have recommendations of products that effectively combine both log management and SIEM?
SIEM is the tool that can monitor all the security activities like viruses, brute force, lateral movement, log deletion, etc.
Log management is used for storing, viewing, analyzing, and retrieving the logs from the source.
Security information and event management (SIEM) is software that helps companies and governments monitor their networks and any suspicious activity. SIEMs are often expensive to acquire, but they provide a lot of benefits for enterprises. The "log management" software is a cheaper alternative because it does not have all the capabilities of the SIEM.
A critical difference between log management and SIEM is the data that they offer to their users. Log management software only offers data from the network, while a SIEM also offers data from operating systems, databases, and even applications.
I consider a SIEM to be the best tool to protect your company. Security Onion is one of the best SIEMs for Linux, and UTMStack is a free Next-Gen SIEM and compliance platform (with a free community version) for small and medium-sized enterprises.
Rony, Daniel's answer is right on the money. There are many solutions for each in the market; a lot depends upon your ability to manage such tools and your budget. A small operation may be best served by a managed service if it proves to be economical. I do not have any recent data on these. When I was investigating SIEMs there were big systems such as IBM, HP and McAfee; then I found LogRhythm, which has proved to be a great tool and more of what I needed right away. We manage it ourselves, though they now have a cloud offering. Also, if you have mostly Office365 and Azure IaaS logs to work with, you may find MS Azure Sentinel to be a good fit. I hope this is of some use to you.
Log Management is just that: it looks at logs from devices and attempts to make inferences about security issues from those logs. SIEM technology typically casts a wider net, looking at all types of security events. The best of breed will look at network flows and events and logs, and other types of events that don't necessarily come from logging sources, and provide an inference engine and rules management platform to allow you to detect anomalies from a wide variety of sources rather than just logs.
In short, Log Management refers to the collection, storage, and organizing of the event logs according to your specific needs and operational processes. By contrast, the SIEM, after data collection, makes the real exploitation of this data acquired from different sources, servers, applications, and OS. In the context of the traditional Intelligence cycle, it performs 3 of the 4 typical stages: Collection, Analysis/Processing, and Distribution to Decision-makers. That said, from the perspective of a former Intel guy, it is Intelligence vs. raw data before it is even converted into information.
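As an added illustration of the split the two answers above describe (this is example code written for this page, not anything from the thread or from a particular product): `normalize` and `search` are the log-management half (collect, parse, store, retrieve), while `correlate_brute_force` is a SIEM-style rule that joins SSH and firewall events from the same source. The log lines, field names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from two sources (SSH auth log, firewall log); not from the thread.
RAW_EVENTS = [
    "2024-03-01T10:00:01 sshd Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:03 sshd Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:05 sshd Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:06 fw DENY src=203.0.113.7 dst=10.0.0.5 port=445",
    "2024-03-01T10:00:09 sshd Accepted password for admin from 203.0.113.7",
    "2024-03-01T10:01:00 sshd Accepted password for alice from 198.51.100.9",
]
SSH_RE = re.compile(r"^(\S+) sshd (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw (DENY|ALLOW) src=(\S+) dst=(\S+) port=(\d+)$")

def normalize(line):
    # Log management: parse one raw line into a common record (None if the format is unknown).
    m = SSH_RE.match(line)
    if m:
        ts, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "sshd", "user": user,
                "src": src, "action": "auth_fail" if outcome == "Failed" else "auth_ok"}
    m = FW_RE.match(line)
    if m:
        ts, verdict, src, dst, port = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "fw", "src": src,
                "dst": dst, "port": int(port), "action": "fw_" + verdict.lower()}
    return None

def search(events, **filters):
    # Log management: retrieve stored records whose fields match the given values.
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]

def correlate_brute_force(events, threshold=3, window_s=60):
    # SIEM: cross-source rule - a successful login preceded by >= threshold failures
    # from the same source IP within window_s seconds; firewall denies are counted too.
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["action"] != "auth_ok":
                continue
            recent = [x for x in evs[:i] if (e["ts"] - x["ts"]).total_seconds() <= window_s]
            fails = sum(x["action"] == "auth_fail" for x in recent)
            denies = sum(x["action"] == "fw_deny" for x in recent)
            if fails >= threshold:
                alerts.append({"src": src, "user": e["user"], "failures": fails,
                               "fw_denies": denies, "at": e["ts"].isoformat()})
    return alerts
```

Running `correlate_brute_force([e for e in map(normalize, RAW_EVENTS) if e])` yields one alert for 203.0.113.7 with three failures and one firewall deny; the unrelated login by alice produces nothing.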
Splunk would be the best solution to address several use cases.