In the trenches
Tradeoffs to consider with SIMs
SIMs require plenty of up-front work understanding business processes and tuning agents, but the payoff is better security.
Security information management (SIM) systems can be a big help to an organization, but they have their downsides.
While SIMs can help meet audit requirements and improve incident response, they can be complex to deploy and difficult to manage. There may be agents that need tuning, false positives to sort out, and reports to run, all of which require resources. Some organizations have one or more engineers devoted full time to a SIM.
Jim Granger, technical director at the Navy Cyber Defense Operations Command, says SIMs are like any other technology in that they require an up-front investment of time and resources. And not just anyone can implement them; skilled technicians are needed.
"SIMs force you to understand what your business processes are and what your networks look like, but that in and of itself is a good thing," he says.
When first installed, SIMs can generate a lot of security events that don't need attention, but tuning the system for a specific environment helps resolve that problem, says Dave Daniels, network security engineer at PPD, a global contract research firm serving pharmaceutical and other organizations. The company installed a SIM from Q1 Labs that combines SIM with anomaly-based detection.
"The more it knows about your network the better," he says.
The payoff is streamlined security monitoring that makes it easier to track and analyze virus outbreaks, according to Daniels.
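To make the tuning point concrete, here is a small added example (not from the article, and not Q1 Labs' or PPD's code) of the kind of environment-specific suppression a SIM is tuned with: events from an authorized vulnerability scanner, and bandwidth spikes from a backup host during its scheduled window, are expected and dropped, while failed logins are only surfaced once a source exceeds a burst threshold. All hosts, addresses, timestamps and thresholds are constructed for illustration.

```python
"""Toy SIM tuning pass: suppress expected noise, keep what an analyst should see.

Added illustration; the event data and tuning profile below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    kind: str


def _mk(hour: int, minute: int, src: str, dst: str, kind: str) -> Event:
    """Build a constructed event on a fixed sample day."""
    return Event(datetime(2007, 4, 1, hour, minute), src, dst, kind)


# Constructed raw event feed (hypothetical addresses, not real telemetry).
RAW_EVENTS = [
    # Scheduled vulnerability scan from the authorized scanner: expected noise.
    _mk(1, 5, "10.0.0.5", "10.0.1.10", "port_scan"),
    _mk(1, 6, "10.0.0.5", "10.0.1.11", "port_scan"),
    _mk(1, 7, "10.0.0.5", "10.0.1.12", "port_scan"),
    # Port scan from an unknown external address: worth an analyst's attention.
    _mk(9, 30, "192.0.2.77", "10.0.1.10", "port_scan"),
    # Backup host saturating the link inside its nightly window: expected.
    _mk(2, 0, "10.0.0.20", "10.0.0.21", "bandwidth_anomaly"),
    _mk(2, 30, "10.0.0.20", "10.0.0.21", "bandwidth_anomaly"),
    # Same backup host at 14:00, outside its window: unexpected, keep it.
    _mk(14, 0, "10.0.0.20", "10.0.0.21", "bandwidth_anomaly"),
    # Two mistyped passwords from an internal workstation: below threshold.
    _mk(8, 1, "10.0.1.8", "10.0.2.1", "failed_login"),
    _mk(8, 2, "10.0.1.8", "10.0.2.1", "failed_login"),
    # Six rapid failures from one external source: a burst, keep all of them.
    *[_mk(3, m, "198.51.100.9", "10.0.2.1", "failed_login") for m in range(10, 16)],
    # Antivirus detection on a workstation: always keep.
    _mk(11, 45, "10.0.1.30", "10.0.1.30", "malware_detected"),
]

# Hypothetical tuning profile: the "knowledge of your network" the article refers to.
TUNING = {
    "authorized_scanners": {"10.0.0.5"},   # port scans from here are scheduled
    "backup_hosts": {"10.0.0.20"},         # heavy transfers expected from these hosts ...
    "backup_window": (1, 4),               # ... but only between 01:00 and 04:00
    "failed_login_threshold": 5,           # per-source count that turns failures into an alert
}


def is_expected(ev: Event, tuning: dict) -> bool:
    """True if the event matches a known, benign pattern for this environment."""
    if ev.kind == "port_scan" and ev.src in tuning["authorized_scanners"]:
        return True
    if ev.kind == "bandwidth_anomaly" and ev.src in tuning["backup_hosts"]:
        start, end = tuning["backup_window"]
        if start <= ev.ts.hour < end:
            return True
    return False


def tune(events: list[Event], tuning: dict) -> list[Event]:
    """Return the events that should still reach an analyst after tuning."""
    remaining = [e for e in events if not is_expected(e, tuning)]
    # Threshold failed logins per source: isolated typos are dropped, bursts survive.
    failures = Counter(e.src for e in remaining if e.kind == "failed_login")
    kept = []
    for e in remaining:
        if e.kind == "failed_login" and failures[e.src] < tuning["failed_login_threshold"]:
            continue
        kept.append(e)
    return kept


def summarize(events: list[Event]) -> dict[str, int]:
    """Count events by kind, to compare the feed before and after tuning."""
    return dict(Counter(e.kind for e in events))


if __name__ == "__main__":
    print("raw:  ", summarize(RAW_EVENTS))
    print("tuned:", summarize(tune(RAW_EVENTS, TUNING)))
```

Running it shows the raw feed of 16 events collapsing to 9 that actually merit attention, and the output of the raw and tuned summaries side by side is the kind of measurement worth repeating as the environment changes, since every suppression rule is also a blind spot if the scanner or backup host is ever compromised.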
Security managers advise others to take the time to understand their needs before leaping into a SIM purchase.
"They really have to understand what their requirements are and map it to the products that they're after," says Dave Lewis, head of security at the Independent Electricity System Operator in Ontario, Canada.
"Don't worry about what vendor you're dealing with. Worry about what you actually need. ...If you don't understand what you actually need, you're going to get a mess," Lewis says.
Likewise, Glenn Haar, IT resource manager at the Idaho Tax Commission, advises organizations to figure out what they want to accomplish before looking at specific SIM products. His agency studied its compliance and security needs before choosing High Tower Software's appliance.
"We didn't look at the product first. We talked about what our business goals were first," he says. "If you get your education from vendors, typically they educate you the way they want you to understand the world. Next thing you know, their product is the perfect fit."
This was first published in April 2007