What to ask when buying security information management
Scalability, interoperability and log management are key considerations
By Denise Dubie
IT executives shopping for SIM should focus their attention on a few key capabilities when evaluating vendor products. While conditions may vary depending on the environment in which the technology will be deployed, all IT executives looking at security-management products need to ask the following:
1. How does the product scale? IT managers must determine the number of devices from which they want to collect information and ask the vendor how its technology can accommodate the resulting volumes of log data. Many SIM products state how many events per second they can capture, analyze and store appropriately. Some require installing multiple collection services, for instance, if each server can manage as many as 10,000 events per second or 100 managed devices. Others may require that the customer provide additional storage capacity, or offer options with partners to compensate for archiving the raw log data.
"You need to make sure the system can go with your network," says Michael Gabriel, CISO at Career Education Corp. in Hoffman Estates, Ill. Gabriel uses a combination of netForensics and Rippletech (a netForensics partner) software to manage security events generated from firewalls, prevention systems, domain controllers and Cisco devices.
2. Does the product include log-management features? Compliance regulations can be both specific and vague about how and how long organizations and enterprise companies need to maintain their log data. It makes sense that SIM products collecting logs from managed devices should also provide the capabilities to manage and archive log data appropriately.
"Some regulations, like Payment Card Information Data Security Standard, for example, specifically mandate log management," according to Paul Stamp, principal analyst at Forrester Research. "Others, like Sarbanes-Oxley, are more opaque, requiring organizations to demonstrate the integrity of business processes, which means they need to show they are monitoring applications and the underlying infrastructure for improper behavior."
3. Can it accept data from other security-management products, databases or third-party systems? SIM products will be critical components of larger enterprise risk-management strategies, and IT managers today need to know the data collected by unified threat management, antispyware and vulnerability-management products, to name a few, can be incorporated into the SIM intelligent event-correlation and -analysis engines. Customers should compel vendors to specify what kind of data and how much data across the enterprise the security tools can collect and correlate. IT managers should ask what third-party products the vendor supports and whether they have software developer kits available for customers to build their own integrations, if need be.
For example, "the ability to integrate vulnerability data from a vulnerability-scanning engine to help it set the severity of events based on the device's vulnerability to the threat" is a must-have feature, Gabriel says.
4. Can the product generate alerts in real time based on complex events? It's a given that SIM products work to collect and correlate multiple events, but IT executives should ask whether the technology can take disparate events happening across an environment and determine whether all relate to a common threat. For instance, Symantec defines blended threats as security instances that "combine the characteristics of viruses, worms, Trojan Horses and malicious code with server and Internet vulnerability to initiate, transmit and spread an attack." IT executives should know if the SEM/SIM tool they plan to purchase can identify such threats.
According to Gabriel, SIM should include "the ability to create real-time alerts based on complex, nested conditions."
5. Does the product offer "active response" capabilities? A more advanced SIM capability is active response -- meaning the technology takes action based on the data it collects. For instance, if an individual working remotely is repeatedly attempting to access a Web server without success -- using the wrong password -- the security-management product can block traffic to that server. Yet active-response features, according to Joel Snyder, a senior partner at Opus One, should follow policies and not shoot from the hip.
Because the automated actions taken to prevent a security threat from spreading can shut down servers and cause poor network performance, it's not a cut-and-dried capability. When considering an external attack, the technology needs to know where to block traffic. In the case where there is an internal attack, SIM products must know where to block traffic and for how long. "Even if you like it, active response is harder than it sounds," Snyder says.
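A policy-driven version of the repeated-failed-login response described in item 5, as an added example that is not part of the original article and not any vendor's code. The threshold, time window, block points, durations and exemption list are all assumptions; the point is that where to block and for how long come from the policy table, not from the detection logic.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Hypothetical policy: every value here is an assumption made for the example.
POLICY = {
    "threshold": 5,                                  # failed logins ...
    "window_s": 60,                                  # ... within this many seconds
    "internal_nets": [ip_network("10.0.0.0/8")],
    "never_block": {ip_address("10.0.0.5")},         # e.g. a scanner: alert only
    "external": {"block_at": "perimeter-firewall", "duration_s": 3600},
    "internal": {"block_at": "access-switch", "duration_s": 900},
}

def decide_responses(events, policy=POLICY):
    """events: time-ordered (epoch_s, src_ip, target, outcome) tuples.
    Returns one decision per (source, target) pair that crosses the threshold."""
    recent = defaultdict(deque)      # (src, target) -> timestamps of failures
    handled, decisions = {}, []      # handled: key -> time the response expires
    for ts, src, target, outcome in events:
        key = (src, target)
        if outcome == "success":
            recent[key].clear()      # a good login resets the count
            continue
        window = recent[key]
        window.append(ts)
        while window and ts - window[0] > policy["window_s"]:
            window.popleft()         # drop failures older than the window
        if len(window) < policy["threshold"] or handled.get(key, 0) > ts:
            continue                 # below threshold, or a response is still active
        addr = ip_address(src)
        if addr in policy["never_block"]:
            handled[key] = ts + policy["window_s"]   # suppress duplicate alerts
            decisions.append({"src": src, "target": target, "action": "alert"})
            continue
        internal = any(addr in net for net in policy["internal_nets"])
        rule = policy["internal" if internal else "external"]
        handled[key] = ts + rule["duration_s"]
        decisions.append({"src": src, "target": target, "action": "block",
                          "block_at": rule["block_at"], "until": handled[key]})
    return decisions

# Constructed sample events (documentation/test addresses, not real logs).
SAMPLE = (
    [(t, "203.0.113.7", "web01", "failure") for t in range(0, 50, 10)]     # 5 in 40 s
    + [(t, "10.1.2.3", "web01", "failure") for t in range(100, 400, 70)]   # too slow
    + [(t, "10.0.0.5", "web01", "failure") for t in range(500, 510, 2)]    # exempt
)
```

Running `decide_responses(SAMPLE)` yields a one-hour perimeter block for the external source, nothing for the slow internal source, and an alert without a block for the exempt host.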