A Case Study on Constructing a Security Event Management System

01 January 2007

We define Security Event Management (SEM) as the ability to analyze the information arriving as discrete events from various network services in order to determine whether the network, or a portion of the network, is in the process of being compromised, and to undertake evasive action to mitigate the attack. In practice, a SEM system can be viewed as the collection of tools, technologies, and policies related to presenting a security-specific view of the network at all times. We describe our work in constructing a security event management system using a mix of open-source and internally developed software. Our results in constructing such a system and the lessons learned during the process are presented in this paper. We also outline an agenda for future research in this area.
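The definition above has two halves: normalising discrete events from several network services into one view, and correlating them to decide whether a compromise is in progress. The following is an added illustration of that pipeline written for this page; it is not the system described in the paper, and the log formats, field names, thresholds, and correlation rules are all assumptions chosen for the example. The sample log lines are constructed.

```python
"""Minimal SEM pipeline (added example, not the paper's software):
normalise events from a firewall, sshd and a web server into one schema,
then correlate per source address to flag probable compromise.
All formats and rules below are assumptions for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample events, loosely modelled on syslog output; not real data.
SAMPLE_LOGS = [
    "2007-01-01T10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 DPT=23",
    "2007-01-01T10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 DPT=3306",
    "2007-01-01T10:00:05 srv sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2",
    "2007-01-01T10:00:07 srv sshd[1201]: Failed password for root from 203.0.113.7 port 40113 ssh2",
    "2007-01-01T10:00:09 srv sshd[1201]: Failed password for admin from 203.0.113.7 port 40114 ssh2",
    "2007-01-01T10:00:12 srv sshd[1202]: Accepted password for admin from 203.0.113.7 port 40115 ssh2",
    "2007-01-01T10:01:00 srv sshd[1300]: Accepted publickey for alice from 198.51.100.5 port 50000 ssh2",
    "2007-01-01T10:01:30 web nginx: 198.51.100.5 GET /index.html 200",
]

@dataclass
class Event:
    ts: datetime
    service: str   # which network service produced the event
    kind: str      # normalised event type shared across services
    src_ip: str
    detail: str

@dataclass
class Alert:
    src_ip: str
    kind: str
    detail: str

# (service, normalised kind, pattern) -- assumed formats for the example.
PATTERNS = [
    ("firewall", "fw_drop",
     re.compile(r"^(?P<ts>\S+) \S+ kernel: DROP .*?SRC=(?P<ip>\S+) .*?DPT=(?P<detail>\d+)")),
    ("sshd", "auth_fail",
     re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?P<detail>\S+) from (?P<ip>\S+)")),
    ("sshd", "auth_ok",
     re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \S+ for (?P<detail>\S+) from (?P<ip>\S+)")),
    ("http", "http_request",
     re.compile(r"^(?P<ts>\S+) \S+ nginx: (?P<ip>\S+) (?P<detail>\S+ \S+ \d{3})")),
]

def normalise(line: str) -> Optional[Event]:
    """Map one raw line onto the common schema; None if no parser matches."""
    for service, kind, pat in PATTERNS:
        m = pat.match(line)
        if m:
            return Event(datetime.fromisoformat(m["ts"]), service, kind, m["ip"], m["detail"])
    return None

def ingest(lines: List[str]) -> Tuple[List[Event], List[str]]:
    """Normalise everything; keep unparsed lines visible rather than dropping them,
    since a silently discarded source is a blind spot in the security view."""
    events, unparsed = [], []
    for line in lines:
        e = normalise(line)
        if e is None:
            unparsed.append(line)
        else:
            events.append(e)
    return events, unparsed

FAIL_THRESHOLD = 3          # assumed tuning values
WINDOW = timedelta(minutes=5)

def correlate(events: List[Event]) -> List[Alert]:
    """Per source IP: 'recon' if the firewall dropped traffic to 2+ distinct ports;
    'brute_force' if FAIL_THRESHOLD auth failures fall within WINDOW; that becomes
    'likely_compromise' when a successful login from the same IP follows within WINDOW."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        ports = {e.detail for e in evs if e.kind == "fw_drop"}
        if len(ports) >= 2:
            alerts.append(Alert(ip, "recon", f"firewall drops to {len(ports)} distinct ports"))
        fails = [e for e in evs if e.kind == "auth_fail"]
        for i in range(len(fails)):
            window = [f for f in fails[i:] if f.ts - fails[i].ts <= WINDOW]
            if len(window) < FAIL_THRESHOLD:
                continue
            last = window[-1]
            ok = next((e for e in evs if e.kind == "auth_ok"
                       and last.ts <= e.ts <= last.ts + WINDOW), None)
            if ok:
                alerts.append(Alert(ip, "likely_compromise",
                                    f"{len(window)} failures then login as {ok.detail} at {ok.ts.time()}"))
            else:
                alerts.append(Alert(ip, "brute_force", f"{len(window)} failures within {WINDOW}"))
            break  # one alert per IP for this rule is enough
    return alerts

if __name__ == "__main__":
    evs, bad = ingest(SAMPLE_LOGS)
    for a in correlate(evs):
        print(f"{a.src_ip:15} {a.kind:18} {a.detail}")
    print(f"{len(bad)} unparsed line(s)")
```

Two design points carry over to any real deployment: unparsed input is reported, not discarded, because an unmonitored service is exactly the gap an attacker benefits from; and the escalation from "brute_force" to "likely_compromise" comes only from joining events of different services on a shared key (here the source address), which is what the single security-specific view in the abstract buys over reading each service's log on its own.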