security information management
{{Multiple issues|
{{missing information|the purpose of the collected data and how it is used. The article could also benefit from additional context on how it relates to Information security|date=May 2018}}
{{more citations needed|date=May 2018}}
}}
Security information management (SIM) is an information security industry term for the collection of data such as log files into a central repository for trend analysis.{{cite book|title=Stepping Through the InfoSec Program|author=J.L. Bayuk|page=97|year=2007|publisher=ISACA}}
Overview
SIM products generally are software agents running on the computer systems that are monitored. The recorded log information is then sent to a centralized server that acts as a "security console". The console typically displays reports, charts, and graphs of that information, often in real time. Some software agents can incorporate local filters to reduce and manipulate the data that they send to the server, although typically from a forensic point of view you would collect all audit and accounting logs to ensure you can recreate a security incident.{{Cite journal|last=Kelley|first=Diana|date=March 2004|title=Report: Security Management Convergence via SIM (Security Information Management)—A Requirements Perspective|url=http://link.springer.com/10.1023/B:JONS.0000015702.05980.d2|journal=Journal of Network and Systems Management|language=en|volume=12|issue=1|pages=137–144|doi=10.1023/B:JONS.0000015702.05980.d2|s2cid=1204926|issn=1064-7570|url-access=subscription}}
The security console is monitored by an administrator who reviews the consolidated information and takes action in response to any alerts issued.{{cite book|title=Strategic Information Security|author=John Wylder|page=172|publisher=CRC Press|year=2004|isbn=9780849320415}}
The data that is sent to the server to be correlated and analyzed are normalized by the software agents into a common form, usually XML. Those data are then aggregated in order to reduce their overall size.{{cite book |url=https://books.google.com/books?id=LILroPpCP0cC&q=Security+Warrior |title=Security Warrior|author=Cyrus Peikari and Anton Chuvakin|pages=421–422|publisher=O'Reilly|year=2004|isbn=9780596552398 |access-date=17 January 2014}}
Terminology
The terminology can easily be mistaken as a reference to the whole aspect of protecting one's infrastructure from any computer security breach. Due to historic reasons of terminology evolution; SIM refers to just the part of information security which consists of discovery of 'bad behavior' or policy violations by using data collection techniques.{{Cite journal|last=Kelley|first=Diana|date=2004-03-01|title=Security Management Convergence via SIM (Security Information Management)—A Requirements Perspective.|journal=Journal of Network & Systems Management|volume=12|issue=1|pages=137–144|doi=10.1023/B:JONS.0000015702.05980.d2|s2cid=1204926|issn=1064-7570}} The term commonly used to represent an entire security infrastructure that protects an environment is commonly called information security management (InfoSec).
Security information management is also referred to as log management and is different from SEM (security event management), but makes up a portion of a SIEM (security information and event management) solution.http://www.siem.su/ SIEM Analytics (in Russian)