The term security information management (SIM) can evoke bad memories for security administrators. Many have spent large amounts of time and money installing and configuring a major enterprise SIM, only to find out it was too complex and heavy to manage. But times have changed.
Early SIM tools were, for the most part, aimed at large enterprise customers and often came with a high customization price tag that put them out of reach for smaller firms. A few SIM vendors, like eIQnetworks, e-Security (now Novell) and TriGeo, have noticed the underserved market and introduced offerings aimed specifically at midmarket customers. The midmarket offerings have expanded functionality to support larger enterprises. Bigger, more established enterprise SIM vendors, like ArcSight Inc., netForensics Inc. and RSA, have introduced packages that are easier to install and manage in a midmarket organization.
Some companies have written their own log aggregation and correlation rules. Creating a small customized SIM can work for companies with plenty of developer resources available, but is too labor-intensive for many small to mid-size organizations. For companies that like the idea of a free SIM but don't have the developer resources, another option is the Open Source Security Information Management (OSSIM) tool compilation, which is available for download. OSSIM comprises a number of well-known, open source security tools, like Arpwatch, Nessus, Snort and Tcptrack, which have been integrated to provide a framework for security monitoring and an engine for information correlation. OSSIM also offers commercial support via AlienVault, a startup that manages the project. AlienVault also offers data feeds that update the various components of the OSSIM solution, plus training, certification and consulting.
To find the commercial SIM that best fits your enterprise, create a list of requirements before talking to vendors. From the business side, assess what kinds of reporting and policy information are required. Find out if the vendor product has pre-configured reporting templates that meet your company's needs, or if it can be configured to meet them with minimal effort. Inquire about what correlation rules are included with the product for risk assessment and proactive monitoring, and how easy it is to add new rules. Create a list of devices, applications and operating systems that you want to have covered by the SIM and then compare this to the vendors' offerings. While most solutions allow for customized integration on unsupported targets, the cost to add this functionality could significantly impact the total project cost.
Differences in architecture can impact the deployment process. For some organizations, installing and managing agents on target devices is not an option. In these cases, agentless architecture SIMs are the best solution, but this doesn't mean agent-based SIMs are the wrong choice for all companies. Having an agent on a device provides an on-host monitor that may be better at identifying stealth changes and installations than an agentless solution that trusts the log data.
For those firms that want the functionality, but not the administrative overhead, SIM management can be outsourced to a managed security service provider (MSSP) like VeriSign Inc. or Cyberklix Inc. For companies that prefer to install and manage security products themselves, it's good to know that products have matured and are easier to use out of the box. If you're a small to mid-size company that thought SIM was too expensive, it might be time to reconsider.
About the author:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.