Guide to Security Information Management

Best practices for a successful SIM deployment

Identifying target security systems and setting policy are imperative measures

By Denise Dubie

Security information management (SIM) technologies are pretty much imperative for corporate security these days. But IT executives won't be able to reap the full rewards without following some best practices when putting the technology in place.

"[SIM] tools are fast becoming must-haves for security teams wanting more visibility into IT activity within their environment," says Paul Stamp, a principal analyst with Forrester Research. According to Forrester, the market for SIM products is growing at about 50% annually and the technology will continue to become part of larger security-infrastructure and management plans. "[SIM] tools used to be purely the domain of the security analyst working on operational issues. These days, the information that a [SIM] tool provides often ends up on the CISO's, or even the CIO's, desk," Stamp says.

Industry watchers and IT managers alike say that SIM won't protect environments from all threats, but the technology can go a long way toward identifying the risk present in any environment.

Stamp says, "As threats become more targeted and sophisticated, there is often no single tool that can detect the telltale signs of an attack. Many modern attacks manifest themselves in policy violations like privilege escalations or changes to critical files rather than specific vulnerabilities being exploited or well-known malware being downloaded." To be certain SIM is able to adequately streamline the "processes of gathering, analyzing and reporting log, vulnerability and configuration data," it is essential to identify the critical systems in your environment before choosing a SIM technology.

Michael Gabriel, CISO at Career Education Corp. in Hoffman Estates, Ill., uses netForensics' SIM product to collect data from security and network devices, as well as databases and Microsoft domain controllers. He says building a complete picture of the security environment upfront will better guarantee success.

"Identify the critical devices you want to collect log events from and be sure you include the perimeter, operating system and application/database layers for a complete picture of your security posture," Gabriel says.

Another upfront facet of SIM best practices involves getting appropriate policies in place for the SIM tool to enforce. The technology works only as well as your existing security policies, according to Joel Snyder, a senior partner at Opus One, so before buying products, be sure to get policies in place.

"You cannot simply throw the box in and assume that it will tell you what you need to know about your security or network posture," Snyder says. "You have to be willing to actually look deep into what you really care about and either write or activate rules that will make the [SIM] product work."

Gabriel agrees, saying SIM users must be ready to fine-tune the product before rolling it out and on an ongoing basis, to keep it working effectively at reducing the noise of nonevents and identifying the events critical to securing the environment.
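To make the collection, rule and tuning advice above concrete, here is an added illustration (not netForensics' product and not code from this article): a minimal rule pass over constructed log lines from the perimeter, OS and database layers that flags privilege escalations, critical-file changes and database grants, suppresses an approved backup job as a tuned nonevent, and collapses repeated perimeter denies into one alert. Hostnames, user names and file paths are assumptions.

```python
import re
from collections import Counter, namedtuple

Event = namedtuple("Event", "layer host kind actor detail")
# Constructed sample log lines from the perimeter, OS and database layers.
SAMPLE_LOGS = [
    "fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "app01 sudo: www-data : COMMAND=/bin/bash",
    "app01 sudo: backup : COMMAND=/usr/bin/rsync",
    "app01 audit: user=svc_patch modified=/etc/passwd",
    "db01 audit: user=dba GRANT ALL ON prod.* TO 'jdoe'",
    "fw01 DENY src=198.51.100.9 dst=10.0.0.5 dport=22",
    "fw01 DENY src=192.0.2.11 dst=10.0.0.5 dport=22",
]
# One parser per source format: (layer, event kind, regex capturing host, actor, detail).
PARSERS = [
    ("perimeter", "deny", re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)")),
    ("os", "priv_escalation", re.compile(r"^(\S+) sudo: (\S+) : COMMAND=(\S+)")),
    ("os", "file_change", re.compile(r"^(\S+) audit: user=(\S+) modified=(\S+)")),
    ("database", "grant", re.compile(r"^(\S+) audit: user=(\S+) (GRANT .*)$")),
]
# Policy rules the tool enforces: (rule name, predicate over one normalised event).
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}
RULES = [
    ("privilege escalation", lambda e: e.kind == "priv_escalation"),
    ("critical file changed", lambda e: e.kind == "file_change" and e.detail in CRITICAL_FILES),
    ("database privilege grant", lambda e: e.kind == "grant"),
]
# Tuning: approved activity (a hypothetical backup job) that would otherwise be alert noise.
SUPPRESS = {("app01", "priv_escalation", "backup", "/usr/bin/rsync")}

def normalise(lines):
    """Map raw lines from every layer onto one Event schema; unparsed lines are dropped."""
    events = []
    for line in lines:
        for layer, kind, rx in PARSERS:
            m = rx.match(line)
            if m:
                events.append(Event(layer, m[1], kind, m[2], m[3]))
                break
    return events

def evaluate(lines, deny_threshold=3):
    """Return alerts: rule hits minus suppressed nonevents, plus aggregated perimeter denies."""
    events = normalise(lines)
    alerts = [(n, e.host, e.actor, e.detail) for e in events for n, pred in RULES
              if pred(e) and (e.host, e.kind, e.actor, e.detail) not in SUPPRESS]
    # Collapse repeated denies per (firewall, port) into one alert instead of one per line.
    denies = Counter((e.host, e.detail) for e in events if e.kind == "deny")
    alerts += [("repeated perimeter denies", h, "*", f"dport={p} x{n}")
               for (h, p), n in denies.items() if n >= deny_threshold]
    return alerts
```

Running `evaluate(SAMPLE_LOGS)` yields four alerts: the www-data shell escalation, the /etc/passwd change, the database grant, and one aggregated entry for the three SSH denies, while the approved backup sudo is silently dropped.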

When deploying SIM, be ready to negotiate interdepartmental politics. The products are difficult to deploy, because they require IT managers to distribute software agents or modify device configurations in departments that perhaps are not under their dominion. Because the technologies straddle IT operations and security teams, deployments can hit roadblocks when access rights and privileges come into play.

"[SIM], like identity and access management, is by its very nature a heterogeneous product, and thus SIM rollouts involve complex technical integration and political negotiations," Forrester's Stamp reports. "The architecture of the [SIM] tool doesn't seem to make a whole lot of difference either. Even if a solution doesn't require an installed agent to get information from a system, it still usually requires a configuration change or privileged account to get the data it needs -- and system owners aren't likely to let that happen without good reason."

After SIM is deployed, don't underestimate its usefulness beyond the security realm. As the IT disciplines around operations management and security monitoring continue to converge, IT managers can get more out of their SIM investment by putting it to use in gaining efficiencies elsewhere. For instance, SIM technology is also able to monitor which staffers and users follow the COBIT policies Gabriel has in place for compliance and audit reasons.

"Don't neglect to look for opportunities to leverage the system's ability to report on operational events that are not necessarily security-related," Gabriel says. "Your operations team will appreciate the information and be more willing to partner on security initiatives when they see a benefit."
