Security teams ask a lot of today's SIM platforms. We want them to take data from a dizzying array of sources--ArcSight ESM alone supports more than 200 log formats--then determine what's important out of the collected information, store terabytes of data online for analysis and trending, all while meeting both real-time analysis and historical reporting needs. Complicating matters, not all organizations ask for the same things; some are focused on compliance and reporting, while others are more concerned about monitoring and incident handling. Any one of these presents a difficult challenge, yet today's security information management platform vendors seem interested in tackling most, if not all, scenarios.
|
Those familiar with the SIM arena will note that our review has a number of new players, while a few old faces are conspicuously absent. We invited 13 vendors to send their latest offerings to our Chicago Neohapsis Real-World Labs®. We required that products support at least 12 log formats natively, centralize log data and provide an analysis component for reducing the amount of information a human operator must process. ArcSight, High Tower Software, LogLogic, Network Intelligence, OpenService, Q1 Labs, SenSage and Symantec accepted. Long-time players eSecurity (now owned by Novell), Intellitactics, netForensics and Guarded.Net (now owned by IBM) declined, as did Cisco Systems. CA indicated interest but never sent product, and we didn't learn of eIQnetworks and TriGeo Network Security until after our testing deadline.
Of the original pack of well-known SIM vendors, only ArcSight and Network Intelligence participated, which we take as a sign that the functionality gap between leaders and followers might be growing. We wonder if some older SIM vendors have fallen even further behind.
Our evaluation requirements focused on data transportation, storage, reporting, and both real-time and forensic-analysis tools. Our test environment consisted of varying types of devices, ranging from Windows 2000, 2003 and Linux systems to firewalls, VPN concentrators, IDSs, and infrastructure devices, such as routers and switches. Our plan was to bring each system into our lab, have vendor reps install and configure it, then incorporate the product into our day-to-day operational activities. We were hoping the process would be straightforward, but what ensued was a months-long engagement during which we learned about differing UIs, terminology, architectures, scripting languages, correlation strategies and investigative toolsets.
A Landscape Revised
One immediately obvious change: We could deploy some of the SIM products in a single day, providing the infrastructure had been prepped--devices have logging enabled and configured, with logs already forwarded to a central destination. Three years ago, when we tested SIMs, a one- or even two-day installation would not have been possible. Yes, there's still a large difference between bringing several dozen devices into a logging infrastructure versus several hundred or thousand, but even getting a base product up, running, and receiving and processing logs in less than eight hours is a huge step forward. We were thrilled with the progress here.
Also worth noting is the number of vendors that have gone the turnkey route. Three years ago, the vast majority offered strictly software-delivery models. Today, most of our participants sent their products on systems or appliances, which helps customers avoid additional hardware, OS and database licensing costs while greatly reducing installation headaches. We understand that in large, multi-terabyte SAN-enabled deployments a software-based system might be desirable, but we question how many of those situations exist. From our perspective, as long as OS patching is handled in an efficient and timely manner, we like the turnkey model. It's cleaner. Only ArcSight and SenSage lack turnkey delivery products, so clearly we're not alone.
