This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
Stronger Rule Technology
The heart of most SIMs is a set of business rules that help tune the correlation engine and identify what log data, events and security problems are worthy of alerts or active responses. In our 2004 testing, we found that most products had a small set of rules that were inadequate starting points.
In that test, SIM vendor OpenService stood apart with a rule-free approach to correlation, and it has not changed that approach since. No one else has entered that lonely niche. The opposite seems to be true: SIM vendors, particularly those supplying mid-range appliances, have responded with much stronger out-of-the-box business rules, aimed at speeding deployment and at sharing the considerable expertise they have gained in what works in a SIM.
For example, High Tower ships its SEM appliance with a set of 65 "mega-rules" that catch everything from unauthorized MySpace.com visits to successful brute-force logins.
Vendors are also enhancing their tools for building rules. TriGeo, which ships its SIM with more than 500 starting-point rules, has an elegant rule definition tool that actively encourages the security manager to add protections and alerts creatively within the SIM, rather than making rule definition an onerous task. Although TriGeo outwardly aims at networks of 100 to 150 devices, the business rule features in its SIM are so well designed that they put this aspect of many other SIMs to shame.
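To make concrete the kind of correlation rule these vendors ship (the "successful brute-force login" that High Tower's mega-rules target being the obvious case), here is an added Python example. It is not code from any product reviewed here; the log format, field names, thresholds and sample events are constructed assumptions chosen for the illustration. The rule keeps a per-source sliding window of failed logins and raises an alert when a success arrives while the window still holds at least the threshold number of failures; stale failures are evicted, so a success long after a burst does not fire.

```python
"""Toy SIM correlation rule: a successful login preceded by a burst of
failures from the same source within a sliding time window.

Added example, not code from any vendor product in the article. Log format,
field names, thresholds and sample events are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from a real system). Format: "ts user src result"
SAMPLE_LOG = """\
2007-06-01T10:00:01 alice 10.1.1.5 FAIL
2007-06-01T10:00:03 alice 10.1.1.5 FAIL
2007-06-01T10:00:05 alice 10.1.1.5 FAIL
2007-06-01T10:00:06 alice 10.1.1.5 FAIL
2007-06-01T10:00:08 alice 10.1.1.5 FAIL
2007-06-01T10:00:09 alice 10.1.1.5 SUCCESS
2007-06-01T10:05:00 bob 10.1.1.9 FAIL
2007-06-01T10:05:02 bob 10.1.1.9 SUCCESS
2007-06-01T11:00:00 carol 10.1.1.7 FAIL
2007-06-01T11:00:01 carol 10.1.1.7 FAIL
2007-06-01T11:00:02 carol 10.1.1.7 FAIL
2007-06-01T11:00:03 carol 10.1.1.7 FAIL
2007-06-01T11:00:04 carol 10.1.1.7 FAIL
2007-06-01T11:30:00 carol 10.1.1.7 SUCCESS
"""


def parse_event(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts_text, user, src, result = parts
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    if result not in ("FAIL", "SUCCESS"):
        return None
    return {"ts": ts, "user": user, "src": src, "result": result}


def detect_brute_force_success(lines, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: at least `threshold` FAIL events from one source,
    followed by a SUCCESS from that source, all within `window`.

    Events must arrive in timestamp order, as a collector would deliver them.
    Returns one alert dict per SUCCESS event that triggers the rule.
    """
    recent_fails = defaultdict(deque)  # src -> failure timestamps still inside the window
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line; a real SIM would count these separately
        q = recent_fails[ev["src"]]
        # Evict failures that fell out of the window relative to the current event
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "at": ev["ts"].isoformat(),
                "failures_in_window": len(q),
            })
            q.clear()  # one burst produces one alert, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force_success(SAMPLE_LOG.splitlines()):
        print("ALERT brute-force success:", alert)
```

With the defaults, only alice's source fires: five failures and a success inside eight seconds. bob has a single failure, and carol's five failures are followed by a success 30 minutes later, outside the 60-second window, so the failures have been evicted by then. Widening `window` to an hour makes carol's burst fire too, which is exactly the tuning decision a SIM's starting-point rules hand to the operator.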
This was first published in June 2007