From: Intrusion detection and Big Heterogeneous Data: a Survey
| Requirement | Description |
|---|---|
| 1. “Comprehensive Enterprise Coverage” | The entire production IT stack (e.g., “networks, hosts, applications, databases, identities”) for the enterprise must be monitored by the ESM regardless of environment (i.e., onsite or in the cloud). |
| 2. “Information Interaction and Correlation” | All meaningful events, logs, and similar data from the input sources in #1 must be collectable for correlation. |
| 3. “Technology Interaction and Correlation” | The SIEM will serve as the foundation of the correlation engine; however, it should also integrate with other important security technologies such as firewalls, IDSs/IPSs, DLPs, vulnerability management, and anti-malware. |
| 4. “Business Interaction and Correlation” | The ESM must be aware of, and tuned to, the specifics of the organization’s business context in order to better assess an attacker’s motivation and yield better correlation and intelligence. |
| 5. “Cross-Boundary Intelligence for Better Decision Making” | The ESM solution must span organizational boundaries across the entire enterprise in a cohesive and collaborative manner, and must not permit fragmentation of its overall cyber defense. |
| 6. “Visualized Output for Dynamic and Real-time Defense” | The output of the system must be easily visualized and readily understandable by end-user analysts. |
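Requirements 2 and 3 above hinge on one mechanism: events from different technologies, each in its own format, are mapped to a common schema and then correlated. The following is an added illustration, not code from the survey or from any ESM product it discusses. It normalizes constructed sample records from a firewall, an IDS and a host authentication log into one event shape, then raises an incident when three distinct sources report the same source IP inside a five-minute window. The log formats, field names, hostnames and IP addresses are all invented for the example.

```python
"""Normalizing and correlating events from heterogeneous security sources.

Added example (not from the survey). All sample records below are
constructed; the formats imitate, but are not, any real product's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input: three sources, three different formats.
FIREWALL_LOGS = [
    "2024-05-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:09Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
]
IDS_ALERTS = [  # IDS output assumed to arrive already structured (e.g. JSON)
    {"ts": "2024-05-01T10:00:20Z", "sig": "SSH brute force",
     "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"},
]
HOST_AUTH_LOGS = [
    "2024-05-01T10:00:31Z srv05 sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "2024-05-01T10:00:33Z srv05 sshd[1203]: Failed password for root from 203.0.113.7 port 50130 ssh2",
    "2024-05-01T11:30:00Z srv05 sshd[1301]: Failed password for alice from 198.51.100.9 port 41000 ssh2",
]

FW_RE = re.compile(r"^(\S+) (\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+) port")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(fw_lines, ids_alerts, auth_lines):
    """Map every source onto one schema: time, source, type, src_ip, target.

    Lines that do not match their expected format are skipped rather than
    crashing the pipeline; a real collector would count and surface them.
    """
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            events.append({"time": parse_ts(m.group(1)), "source": "firewall",
                           "type": m.group(3).lower(), "src_ip": m.group(4),
                           "target": m.group(5)})
    for a in ids_alerts:
        events.append({"time": parse_ts(a["ts"]), "source": "ids",
                       "type": a["sig"], "src_ip": a["src_ip"],
                       "target": a["dst_ip"]})
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            events.append({"time": parse_ts(m.group(1)), "source": "host",
                           "type": "auth_failure", "src_ip": m.group(4),
                           "target": m.group(2)})
    events.sort(key=lambda e: e["time"])
    return events


def correlate(events, window=timedelta(minutes=5), min_sources=3):
    """Group normalized events by src_ip and emit one incident per IP when
    at least `min_sources` distinct technologies report it within `window`.
    The cross-source requirement is what separates this from a single
    noisy sensor firing repeatedly."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    incidents = []
    for ip, evs in by_ip.items():  # evs already time-ordered
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            sources = {e["source"] for e in in_window}
            if len(sources) >= min_sources:
                incidents.append({"src_ip": ip, "start": first["time"],
                                  "sources": sorted(sources),
                                  "count": len(in_window)})
                break
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(FIREWALL_LOGS, IDS_ALERTS, HOST_AUTH_LOGS)):
        print(inc)
```

The single lone failure from 198.51.100.9 produces nothing because only one source saw it; the burst from 203.0.113.7 is reported once, with the contributing technologies listed, which is the kind of cross-technology evidence requirement 3 asks the correlation engine to produce.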