This article can also be found in the Premium Editorial Download "Information Security magazine: How to dig out rootkits."
Download it now to read this article plus other related content.
It actually adds up when you combine SIM and NBA.
Do you really know what your network and security infrastructure is trying to tell you?
On one hand, you may want to invest in one of the increasingly sophisticated SIM/SEM products, which can collect, correlate and analyze data from hundreds of devices and applications. On the other, your network and security people may lust after one of the network-based analysis (NBA) tools, which process flow data to help monitor and regulate network health and sound the alarm when anomalous behavior signals a possible security issue.
Or, you can have both in one package.
The recent announcement that Mazu Networks (NBA) and eIQnetworks (SIM) are collaborating on an integrated product underscores the trend toward convergence in these markets.
"This was something we were hearing from our customers," says Charles Kaplan, chief technology strategist at Mazu. "They are using Mazu to triage events from their SIM, swiveling between them."
"We see customers looking at two different solutions independently, so we're working on integration," says Vijay Basani, eIQnetworks CEO. "We realized it would be great to combine eIQ data--configurations, assets, vulnerabilities, etc.--with flow data."
The numerous partnerships between sundry SIM and NBA vendors clearly indicate there's a market for this natural marriage of technologies. And there are already a handful of integrated tools on
It just makes good sense--it's all about information. Just as SIMs crunch gigs of information from device and application logs, NBAs analyze native traffic data from NetFlow, sFlow and others. The value proposition is clear: two useful network/security data analysis tools in one integrated package.
"Clearly, our network team and security group work in conjunction. Basically, we wanted a solution that supported both realms," says Reggie McKee, information security engineer for the New York Board of Trade. Using QRadar "saves time, and lets them work together. We save money with one instead of two different solutions."
In addition, you get more and better security information: log- and network-based tools can tell you about issues the other might miss. Further, one can corroborate the other, reducing false positives.
"Customers we see using these capabilities are really awakening to the fact you can have not only traditional security mechanisms such as syslog," says Matt Rodgers, product marketing manager for Cisco MARS, "but leverage things like NetFlow to get the essentially 1+1=3 combination."
This was first published in September 2007