The current landscape of security management solutions for large scale networks is limited by the lack of supporting approaches capable to deal with the huge number of alarms and events that are generated on current networks. In this paper we propose a security management architecture, capable to reconstruct causal dependencies from captured network and service alarms. The key idea is based on mapping events in semantic spaces, where a novel algorithm can determine such dependencies. We have implemented a prototype and tested it on a operational network within an outsourced security management suite protecting multiple networks.