Resources:
http://www.ossim.net/blogs.php

OSSIM is actually not a SIM (Security Information Management system) but a SEM (Security Event Management system).

The difference between SIM and SEM is that SIM emphasizes collecting and retaining large volumes of raw logs over the long term, supporting audit and computer-crime forensics, usually to satisfy customers' compliance requirements; SEM emphasizes real-time security monitoring, real-time risk assessment, alerting and response. Functionally, OSSIM does not have large-scale log collection and storage capability; what it actually offers is closer to SEM, and its correct name should be OSSEM. The OSSIM development team has noticed this too, but these concepts were not yet clear when the project started, which is how it came to be named OSSIM. The OSSIM development team later gave the following explanation on the project's wiki:
What is a SIM?

According to Wikipedia: "Security Information Management (SIM) is the industry-specific term in computer security referring to the collection of data (typically log files; e.g. event logs) into a central repository for trend analysis. Due to historic reasons of terminology evolution, SIM refers to just the part of information security which consists of discovery of 'bad behaviour' by using data collection techniques. The term commonly used to represent an entire security infrastructure that protects an environment is commonly called Information Security Management (InfoSec)".

SIMs focus on real-time security monitoring, correlating different log types and offering fast analysis and dashboard tools. They store events in a SQL database, which has a concurrent event storage limitation.

What is a SEM?

A SEM (Security Event Management) stores large amounts of logs on disk devices for historical storage purposes. It typically offers integrity and confidentiality by implementing ciphering and digital signatures.

SEMs are slow but can store years of logs. OSSIM does not implement SEM functionalities, although an OSSIM professional edition developed by AlienVault implements a SIEM (SIM+SEM). (Source)
The text in red is the part that distorts the definitions of SIM and SEM that the industry generally agrees on. But SIM and SEM both seem to be out of date; everyone is now promoting the SIEM concept, so AlienVault says they have developed a professional edition of OSSIM that implements SIEM functionality, that is, the integration of SIM and SEM.