This article can also be found in the Premium Editorial Download "Information Security magazine: Security Readers' Choice Awards 2008."
Security information and event management systems
Symantec Security Information Manager
Readers awarded Symantec's Security Information Manager the gold medal in the security information and event management category, giving it high marks in event correlation, archiving and ease of deployment.
The Windows-based appliance collects and manages event data using sensors that are deployed on targeted systems.
The product also aids in responding to security threats by applying risk analysis metrics to the collected data.
It then prioritizes a threat list based on the organization's specific configurations, patch levels and known vulnerabilities tracked by Symantec through its Global Intelligence Network.
Built-in ticketing and workflow features also help document the response process to quickly remediate threats once they are identified.
Symantec says the tool can help organizations comply with PCI DSS, Sarbanes-Oxley and other regulations through a log storage feature that does not require a major investment in hardware or storage. It retains both normalized data and the raw event record, so users can review the original events, analyze them and build reports from the same data.
NOTABLE Symantec has recently added anomaly detection, logical grouping and enhanced archiving to this product.
ArcSight Enterprise Security Manager
Readers gave high marks to ArcSight Enterprise Security Manager's event correlation features and to its ability to map events to an organization's particular set of policies and compliance regulations.
ESM works in conjunction with ArcSight Logger, which collects and normalizes event data and reports on security events based on user-defined rules. The tool is agentless and uses event-source connectors to collect the log data.
The data collected is compressed and stored in a proprietary file-based repository; it can store both normalized and raw event data, according to ArcSight.
ESM takes the log data, analyzes it and displays events on the ArcSight console, triggering alerts where rules match. ArcSight said ESM also integrates with custom data sources, including homegrown applications and physical security systems.
ESM's correlation capabilities can discern events connected to a specific individual and that user's business role and organizational membership. It can associate any IP address-based events with events from the enterprise's physical infrastructure.
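To make the two capabilities described above concrete, the following is an added illustration (not ArcSight's or Symantec's code, and not part of the original article): it normalizes raw events from a constructed syslog source and a constructed badge-reader feed into one schema while keeping the raw line, then correlates them per user, enriches each user with a hypothetical role and organization lookup, and applies one role-aware rule. All event lines, the regular expression, the directory contents and the rule are assumptions made up for the example.

```python
"""Toy SIEM pipeline: normalize events from two sources into a common schema,
keep the raw record, correlate by user, enrich with business role/organization.
Illustrative code only; every input below is constructed for the example."""
import re
from collections import defaultdict

# Constructed sample events: Linux sshd lines (syslog) and a hypothetical
# physical access control export (CSV: timestamp,door,user,result).
RAW_EVENTS = [
    ("syslog", "Mar 14 09:02:11 web01 sshd[2211]: Accepted password for jdoe from 10.1.2.3 port 51022 ssh2"),
    ("badge",  "2008-03-14T09:01:40,DOOR-HQ-3,jdoe,GRANTED"),
    ("syslog", "Mar 14 09:05:50 web01 sshd[2219]: Failed password for asmith from 203.0.113.7 port 40211 ssh2"),
    ("badge",  "2008-03-14T08:55:02,DOOR-HQ-1,asmith,GRANTED"),
]

# Hypothetical identity directory; a real SIEM would pull this from HR or LDAP.
DIRECTORY = {
    "jdoe":   {"role": "web administrator", "org": "IT Operations"},
    "asmith": {"role": "accounts payable clerk", "org": "Finance"},
}

# Vendor-specific outcome words mapped onto one vocabulary.
OUTCOME = {"accepted": "success", "failed": "failure",
           "granted": "success", "denied": "failure"}

SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+) port")


def normalize(source, raw):
    """Map one raw line into the common schema; the raw text rides along."""
    if source == "syslog":
        m = SSH_RE.search(raw)
        if not m:
            return None  # not an event this toy parser understands
        outcome, user, ip = m.groups()
        return {"source": source, "user": user, "src_ip": ip,
                "action": "ssh_login",
                "outcome": OUTCOME.get(outcome.lower(), outcome.lower()),
                "raw": raw}
    if source == "badge":
        _ts, door, user, result = raw.split(",")
        return {"source": source, "user": user, "src_ip": None,
                "action": f"badge:{door}",
                "outcome": OUTCOME.get(result.lower(), result.lower()),
                "raw": raw}
    return None


def correlate(events, directory):
    """Group normalized events by user and attach role and organization."""
    by_user = defaultdict(list)
    for e in events:
        if e is not None:
            by_user[e["user"]].append(e)
    report = {}
    for user, evs in by_user.items():
        ident = directory.get(user, {"role": "unknown", "org": "unknown"})
        report[user] = {
            "role": ident["role"],
            "org": ident["org"],
            "events": evs,
            "failed_logins": sum(1 for e in evs
                                 if e["action"] == "ssh_login"
                                 and e["outcome"] == "failure"),
            "badged_in": any(e["action"].startswith("badge:")
                             and e["outcome"] == "success" for e in evs),
        }
    return report


def flag_non_it_ssh(report):
    """Example rule: SSH activity on an account whose organization is not IT."""
    return sorted(u for u, r in report.items()
                  if r["org"] != "IT Operations"
                  and any(e["action"] == "ssh_login" for e in r["events"]))


if __name__ == "__main__":
    events = [normalize(src, raw) for src, raw in RAW_EVENTS]
    rep = correlate(events, DIRECTORY)
    for user, r in rep.items():
        print(f"{user} ({r['role']}, {r['org']}): "
              f"{len(r['events'])} events, {r['failed_logins']} failed logins, "
              f"badged in: {r['badged_in']}")
    print("flagged:", flag_non_it_ssh(rep))
```

The point of keeping `raw` in every normalized record is the one the article makes for both products: an analyst who distrusts the parser, or an auditor, can always fall back to the original line. The rule at the end is deliberately simple; what makes it useful is that it reasons about the user's organizational membership rather than only about IP addresses.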
NOTABLE ArcSight held its IPO in February and raised $50 million. Shares were priced at the low end of the projected $9 to $11 range.
This was first published in April 2008