This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
A Fine Line
It isn't always easy to tell the difference between log managers and SIMs.
Depending on the data your network is generating and what you want to do with it, a full-blown SIM may be overkill. Closely related to SIMs are log managers. In fact, they're so closely related that many SIM vendors sell a slightly stripped-down version of their SIM as a log management tool, pulling out correlation and summarization features and beefing up storage.
Log management products include freeware tools such as the Unix syslog daemon, low-cost syslog-focused products such as Kiwi Enterprises' Syslog Daemon, and more advanced tools like software from Splunk and appliances from LogLogic.
Distinguishing SIMs from log managers is difficult, and will become more difficult, since log managers fulfill many functions of SIMs and vice versa. Log management vendors are already starting to step on the toes of SIM vendors as they add capabilities to their product lines. In some cases, SIMs require a separate log management system because they don't store more than a few weeks' worth of data.
Fundamentally, log managers emphasize long-term storage and searching of log data, while SIMs focus more on correlating log data and providing summary information. However, a product's design goals may dictate a particular set of features regardless of which label it carries, and that is certainly making the line between log management and SIM very fuzzy.
Broader Sources of Information
SIMs traditionally started with IDS alerts as their main drivers of information, mostly because network managers saw room for improvement in their IDS management consoles. Every SIM still is expected to deal with IDS information--and some do little more than that, adhering very strictly to the idea of the IDS as the main driver of security information. We found, though, that a number of SIMs are reaching far beyond IDSes to other sources of security information within the enterprise.
Two factors are driving this trend. Compliance pressure is one. For example, regulations such as Sarbanes-Oxley require that security events be captured and audited according to strict process controls, while HIPAA requires that suspicious behaviors and security breaches be identified and researched. Bringing in a SIM as a compliance toolkit can ease the burden of complying with these requirements, but you get much more bang for your buck if you can throw many different types of log information into the SIM. SenSage, for instance, has focused on adding in not just IDS and firewall logs, but logs from ERP applications, database servers, and popular vertical market tools such as Cerner's Health Care IT applications. ArcSight has followed the same path, with a toolkit and market awareness campaign designed around insider threats that a SIM can help catch.
The second source of pressure comes from the Windows world, where an increasing integration of network, security and Windows responsibilities has made a SIM an obvious place to bring together all three types of log and alerting information. NetIQ Security Manager, for instance, can not only capture information from Windows systems but also take direct remediation actions, such as stopping an unauthorized application. NetIQ has had Windows strength for years, but eIQnetworks and TriGeo also trumpet their Windows-specific capabilities and functionality.
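To make the log-manager versus SIM distinction above concrete, here is an added example (not code from the article or from any vendor it names) that parses constructed syslog lines from an IDS sensor and a firewall, then runs a log-manager-style search over them beside a SIM-style correlation rule and a summary roll-up. The hostnames, addresses, signature ids and the five-minute window are assumptions made up for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample syslog lines (BSD layout) from an IDS sensor and a firewall; hosts,
# addresses and signature ids are made up. No year in the header, so times are relative.
SAMPLE_LOGS = """\
Jun 14 10:02:11 ids01 snort[811]: [1:2000:3] WEB-MISC probe {TCP} 198.51.100.7:41022 -> 192.0.2.10:80
Jun 14 10:02:13 fw01 pf: pass in on em0: 198.51.100.7.41022 > 192.0.2.10.80: tcp
Jun 14 10:05:40 fw01 pf: block in on em0: 203.0.113.5.55100 > 192.0.2.10.22: tcp
Jun 14 10:30:02 ids01 snort[811]: [1:2010:1] SCAN nmap fingerprint {TCP} 203.0.113.9:44001 -> 192.0.2.11:443
Jun 14 10:47:15 fw01 pf: pass in on em0: 203.0.113.9.44001 > 192.0.2.11.443: tcp
"""
HEADER = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
SRC_IP = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[.:]\d+ (?:->|>) ")

def parse(text):
    """Normalise raw lines into dicts: the collection step both product classes share."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # a real collector would count, not silently drop, unparsable lines
        stamp, host, prog, msg = m.groups()
        src = SRC_IP.search(msg)
        events.append({"ts": datetime.strptime(stamp, "%b %d %H:%M:%S"),
                       "host": host, "prog": prog, "msg": msg,
                       "src": src.group(1) if src else None})
    return events

def search(events, prog=None, text=None):
    """Log-manager style: filter the stored events by originating program and substring."""
    return [e for e in events
            if (prog is None or e["prog"] == prog)
            and (text is None or text in e["msg"])]

def correlate(events, window_minutes=5):
    """SIM style: pair an IDS alert with a firewall 'pass' from the same source within the window."""
    alerts = [e for e in events if e["prog"] == "snort"]
    passes = [e for e in events if e["prog"] == "pf" and e["msg"].startswith("pass")]
    hits = []
    for a in alerts:
        for p in passes:
            if p["src"] == a["src"] and timedelta(0) <= p["ts"] - a["ts"] <= timedelta(minutes=window_minutes):
                hits.append((a["src"], a["msg"], p["msg"]))
    return hits

def summarize(events):
    """SIM style: event counts per source address, the roll-up a summary report shows instead of raw lines."""
    return Counter(e["src"] for e in events if e["src"])
```

With the default window only the first probe correlates with a firewall pass; widening the window to 20 minutes also pairs the later scan, which is the kind of tuning decision a SIM rule set carries and a plain log search does not.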
This was first published in June 2007