This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."
LOG MANAGERS VERSUS SIMs
In some cases, a log management tool is seen as the first step in the analytical chain. But the market for such tools has become confusing, with dual product lines from log management vendors that have branched out into the security information management (SIM) space, and SIM vendors that offer other versions of their products for log management.
"Increasingly our midsized customers want to just get their auditors off their back and don't necessarily want to implement a full-blown SIM," says Tracy Hulver, vice president of marketing and product development of netForensics.
The issue is that the two approaches, SIMs and log management tools, serve different masters and are often two different products, with SIMs focused on correlation and real-time alerts, and log managers emphasizing long-term archiving and evidence preservation. "Log management is more useful for ad hoc, after-the-fact investigation, while SIM is more concerned about codifying the business rules and notifying the security team to respond to a problem," says Hugh Njemanze, CTO and executive vice president of engineering of ArcSight.
As a result, some of the SIM and log management product lines have been developed independently, even those sold by the same vendor. For example, netForensics and NetIQ don't offer a common repository for their two product lines, although the former is working toward this goal and hopes to have a unified repository by the
Another difference between log management tools and SIMs is how they analyze data. Most log managers do "free text" searching, which is useful for finding particular records that can be used for legal evidence. SIMs tend to normalize and analyze network events and can correlate different conversations between computers or IP addresses, which is useful in resolving incidents or tracking down exploits.
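The two analysis styles side by side, as an added example that is not from the article or any vendor's product: a free-text search that returns raw records intact (the log-manager approach), and a normalize-then-correlate step that maps mixed-format lines into one event schema and ties authentication and firewall events together by source address (the SIM approach). The log formats, field names and the three-failure threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in two different source formats (not from the article).
SAMPLE_LOGS = [
    "2007-10-03T09:00:01 sshd[412]: Failed password for root from 10.0.0.5 port 5100 ssh2",
    "2007-10-03T09:00:03 sshd[412]: Failed password for root from 10.0.0.5 port 5101 ssh2",
    "2007-10-03T09:00:04 fw: DENY TCP 10.0.0.5:5102 -> 192.168.1.10:22",
    "2007-10-03T09:00:06 sshd[412]: Failed password for admin from 10.0.0.5 port 5103 ssh2",
    "2007-10-03T09:00:09 sshd[413]: Accepted password for admin from 10.0.0.5 port 5104 ssh2",
    "2007-10-03T09:01:00 sshd[420]: Accepted publickey for deploy from 10.0.0.7 port 6000 ssh2",
]

def free_text_search(lines, needle):
    """Log-manager style: return the raw records containing the text, unmodified, for evidence."""
    return [line for line in lines if needle in line]

# Assumed parsers for the two constructed formats; a real SIM ships many such normalizers.
SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port")
FW_RE = re.compile(r"^(\S+) fw: (DENY|ALLOW) \w+ (\S+):\d+ -> (\S+):\d+")

def normalize(line):
    """SIM style: map one raw line into a common event schema, or None if no parser matches."""
    m = SSH_RE.match(line)
    if m:
        ts, outcome, user, src = m.groups()
        return {"ts": ts, "src": src, "user": user,
                "event": "auth_fail" if outcome == "Failed" else "auth_success"}
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst = m.groups()
        return {"ts": ts, "src": src, "dst": dst,
                "event": "fw_deny" if action == "DENY" else "fw_allow"}
    return None

def correlate(lines, threshold=3):
    """Correlation rule: a source with >= threshold failed logins that then succeeds is alerted."""
    fails = defaultdict(int)
    alerts = []
    for ev in filter(None, map(normalize, lines)):
        if ev["event"] == "auth_fail":
            fails[ev["src"]] += 1
        elif ev["event"] == "auth_success" and fails[ev["src"]] >= threshold:
            alerts.append((ev["src"], ev["user"], fails[ev["src"]]))
    return alerts
```

The search returns the three "Failed password" records verbatim, while the correlation step alerts once on 10.0.0.5 logging in as admin after three failures and stays silent on the unrelated key-based login from 10.0.0.7.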
Choosing between a SIM and a log management tool depends on your organization's log management goals. If compliance and auditing requirements are your pressing issues, then start with a traditional log management tool. If you're more worried about breaches, start with a SIM.
In the end, you may decide you need both.
This was first published in October 2007