This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."
Download it now to read this article plus other related content.
Whichever type of product you choose, reporting capabilities are critical. NetForensics' Hulver says most customers want many different items in their reports, so his company provides some templates, but also makes it easy for clients to create their own.
Customized reports are crucial for compliance purposes, but some aspects of the reporting process are also needed for real-time threat analysis. "We put all the information online so the security professional can solve problems immediately," says Jim Pflaging, president and CEO of SenSage. "You can also set rules that look into the past, and can do threshold and violation alerts based on long-term trend analysis. That also has advantages for compliance."
How a product handles ordinary network traffic flow is also important. Some products, such as netForensics' nFX Log One and RSA's enVision, don't offer the ability to import this information, making it more difficult to correlate particular network events with security breaches. "It is on our 2008 product road map," says Hulver.
In addition, IT staffs need to work with logging application program interfaces that can import other kinds of logs--such as those from custom applications--into a central repository, and query mechanisms to search through this archive to get the right kinds of information out of it. "Many times there are custom ERP applications that make use of .NET or J2EE that require their logs to be aggregated,
Another factor in a purchasing decision is how scalable and extensible a solution will be, and what happens to the existing repository when new logs are imported or added. Vendors have adopted their approaches to address this issue. "We can easily extend our data schemas without having to change the underlying database or the collection process. We have built a relational approach without all the overhead associated with the relational database," says Pflaging.
"We developed our own purpose-built, object-oriented database that allows us to scale to billions of daily events," says RSA's Stevens. "We can easily generate metadata when new data sources are added to it."
This was first published in October 2007