Table 2 Six design principles of the next generation ESM

From: Intrusion detection and Big Heterogeneous Data: a Survey

1. “Comprehensive Enterprise Coverage”

The entire production IT stack (e.g., “networks, hosts, applications, databases, identities”) for the enterprise must be monitored by the ESM regardless of environment (i.e., onsite or in the cloud).

2. “Information Interaction and Correlation”

All meaningful events, logs, and similar from input sources in #1 must be capable of being collected for correlation.

3. “Technology Interaction and Correlation”

The SIEM will serve as the foundation of the correlation engine; however, it should also integrate with other important security technologies such as firewalls, IDSs/IPSs, DLPs, vulnerability management, and anti-malware.

4. “Business Interaction and Correlation”

The ESM must be aware of, and tuned to, the specifics of the organization’s business context, so that it can better assess an attacker’s motivation and yield better correlation and intelligence.

5. “Cross-Boundary Intelligence for Better Decision Making”

The ESM solution must span organizational boundaries across the entire enterprise in a cohesive and collaborative manner, and must not permit fragmentation of the organization’s overall cyber defense.

6. “Visualized Output for Dynamic and Real-time Defense”

The output of the system must be presented in a visual form that end-user analysts can easily understand and act on.