This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
What's a SIM?
The technology goes by a lot of names, but has six basic functions.
Call it what you will: Security Information Management, Security Event Management, or some other combination of letters; the difference between SIM, SEM, SEIM and ESM is marketing. Security Information Managers (SIMs) accept security and networking information from multiple sources within the enterprise and analyze it to provide a higher level of understanding than any single source can give.
While products differ in their capabilities, packaging and target users, all SIMs share a common base of six functions. First, SIMs must gather information from devices and systems, typically IDS and IPS events, firewall logs, flow data from routers, results from vulnerability analyzers, Web server logs, and often also Windows log information. The abundance of data from security devices is what gives SIMs the "S" in their acronym, but many SIMs have capabilities that are just as useful to network, server and desktop management teams.
Second, SIMs normalize and store the information they get. Normalizing is the conversion of vendor-specific log formats into a common representation so that key fields, such as IP addresses, ports or timestamps, can be compared across sources. Most SIMs also have a log storage component, acting as a data repository for anywhere from 30 days' to 30 years' worth of log files.
Third, SIMs correlate, summarize and analyze log data. This is the strongest area of differentiation between SIMs, as products use a wide variety of techniques to reduce an overwhelming volume of events to a short list of things the security and network manager actually needs to act on.
Fourth, SIMs have a variety of alerting and active response techniques. Again, products differentiate themselves strongly in this function, but the idea in all SIMs is to send alerts on important time-critical information, or in some cases even take some sort of remediation step automatically.
The fifth and sixth functions common to all SIMs are reporting and forensics. Reporting is more of a long-term look at information, such as levels of alerts, traffic statistics, or summaries of different logging information. Forensics is an active tool that a security manager can use to navigate stored log files and research security or network issues.
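The six functions above, walked through end to end as an added example in Python. This is not code from the article or from any product it names: the two log formats are hypothetical, every log line is constructed for illustration, and the correlation rule (an IDS alert matched to a firewall ACCEPT for the same source, destination and port inside a 60-second window, meaning the attack traffic was actually let through) is an assumption chosen to show why normalized fields are what make correlation possible.

```python
"""Toy SIM pipeline: gather, normalize/store, correlate, alert, report, forensic search.
Added example with hypothetical log formats and constructed sample lines."""
import re
from collections import Counter
from datetime import datetime, timedelta

# 1. Gather: two feeds in two different (hypothetical) vendor formats.
FIREWALL_LOG = [  # constructed sample lines
    "2007-06-01 10:00:01 ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=22",
    "2007-06-01 10:00:03 DROP src=203.0.113.5 dst=192.0.2.11 dport=445",
    "2007-06-01 10:05:30 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=80",
    "garbage line the parser must not choke on",
]
IDS_ALERTS = [  # constructed sample lines; priority 1 = most urgent
    "[06/01/2007-10:00:02] SSH brute-force attempt 203.0.113.5 -> 192.0.2.10:22 priority=1",
    "[06/01/2007-10:07:00] Web scan 198.51.100.7 -> 192.0.2.10:80 priority=3",
]

FW_RE = re.compile(r"(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r"\[(?P<ts>[^\]]+)\] (?P<sig>.+?) (?P<src>\S+) -> "
                    r"(?P<dst>[^:]+):(?P<dport>\d+) priority=(?P<prio>\d)$")


def normalize(line, source):
    """2. Normalize: map a vendor line onto one common schema, or None if unparseable."""
    if source == "firewall":
        m = FW_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "source": source,
                "event": "fw_" + m["action"].lower(), "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "priority": 3}  # plain firewall traffic: low priority
    m = IDS_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S"), "source": source,
            "event": m["sig"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "priority": int(m["prio"])}


def build_store(feeds):
    """2. Store: a single time-ordered repository of normalized events."""
    events = []
    for source, lines in feeds.items():
        for line in lines:
            e = normalize(line, source)
            if e is not None:       # unparseable lines are dropped, not allowed to crash the feed
                events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(seconds=60)):
    """3. Correlate: an IDS alert plus a firewall ACCEPT for the same src/dst/port
    within `window` means the attack traffic was actually permitted (assumed rule)."""
    accepts = [e for e in events if e["event"] == "fw_accept"]
    incidents = []
    for alert in (e for e in events if e["source"] == "ids"):
        for fw in accepts:
            same_flow = (alert["src"], alert["dst"], alert["dport"]) == \
                        (fw["src"], fw["dst"], fw["dport"])
            if same_flow and abs(alert["ts"] - fw["ts"]) <= window:
                incidents.append({"ts": alert["ts"], "src": alert["src"], "dst": alert["dst"],
                                  "dport": alert["dport"], "signature": alert["event"],
                                  "priority": alert["priority"], "evidence": [fw, alert]})
    return incidents


def alerts(incidents, max_priority=2):
    """4. Alert: only time-critical incidents page someone; the rest wait for the report."""
    return [f"{i['ts']:%H:%M:%S} P{i['priority']} {i['signature']} from {i['src']} "
            f"reached {i['dst']}:{i['dport']} (permitted by firewall)"
            for i in incidents if i["priority"] <= max_priority]


def report(events):
    """5. Report: long-term summaries rather than individual events."""
    return {"events_per_source": Counter(e["source"] for e in events),
            "drops_per_src": Counter(e["src"] for e in events if e["event"] == "fw_drop"),
            "top_targets": Counter(e["dst"] for e in events).most_common(1)}


def search(events, src=None, since=None):
    """6. Forensics: ad hoc navigation of the stored, normalized events."""
    return [e for e in events
            if (src is None or e["src"] == src) and (since is None or e["ts"] >= since)]


if __name__ == "__main__":
    store = build_store({"firewall": FIREWALL_LOG, "ids": IDS_ALERTS})
    for line in alerts(correlate(store)):
        print("ALERT:", line)
    print(report(store))
    for e in search(store, src="203.0.113.5"):
        print(f"{e['ts']} {e['source']:8} {e['event']}")
```

Only the SSH brute-force attempt becomes an incident: the firewall accepted that flow one second earlier. The web scan is also visible in the IDS feed, but its matching ACCEPT falls 90 seconds outside the window and its priority is too low to page anyone, so it surfaces only in the report and in a forensic search. In a real product the store would be a database rather than a list and the rules would be configurable, but the shape of the pipeline is the same.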
Better Support for Mid-Market
In our 2004 test, SIMs were squarely focused on the enterprise. Top-rated products typically came with $100,000 or larger price tags and required weeks of consulting to gain full integration. Now the SIM market has products at every price point and designed for almost every size business.
At the low end of the cost scale--free--is Open Source Security Information Management (OSSIM), an amalgamation of open source tools and OSSIM-specific pieces for normalization and consolidation. Delivered as individual components or as a VMware image with everything pre-installed, OSSIM sets a high bar with its capabilities and makes SIM affordable for any business willing to commit the time to installation and customization.
On the commercial front, vendors have pushed hard into the market with other mid-range products. However, creating products for the mid-market isn't just a matter of lower pricing; the needs and requirements of mid-sized businesses differ considerably from those of large enterprises. High Tower Software, eIQnetworks and TriGeo Network Security, for example, specifically size their products for a mid-sized enterprise where the full-time IT staff may be a handful of people--or even a single person in some cases--taking care of everything from firewalls to desktops.
High-end vendors have also been eager to move into a broader swath of the market. For instance, ArcSight, long considered the most enterprise-focused SIM vendor, released products designed to meet the more modest needs of smaller businesses.
A related offering, log management, has also grown in the past few years. While log management applies to enterprises of every size, simple log management tools can deliver a great deal of SIM functionality in the mid-range market (See A Fine Line).
This was first published in June 2007