SECURITY INFORMATION MANAGEMENT
REVIEWED BY BRENT HUSTON
Price: $126,900 for the 7550-HA (medium to large enterprises)
System logs contain a treasure trove of valuable security information; in fact, there's so much information that a large organization would need a whole team dedicated solely to reading and analyzing logs. Early security information management (SIM) systems took a major step to cut this job down to size, but they still required a large commitment of human resources and were burdened by hard-to-configure data collection. However, SIM products such as Network Intelligence's enVision have matured into powerful, manageable tools that analyze this enormous volume of data to deliver relevant and usable security information.
With the help of the onsite engineers provided during a typical installation, we had the enVision 7550-HA model (for medium to large enterprises) system running and collecting data in a few hours. The hardware itself is quite powerful, capable of collecting more than 7,500 events per second. This speed is helped by the use of a unique data storage system: Instead of a typical relational database, enVision's proprietary LogSmart IPDB stores all log files in native format, generates metadata to speed retrieval and compresses logs to increase available storage space.
A single Web-based management interface provides access to the dashboard as well as reporting and device configuration.
Logs are received primarily through syslog, although other methods are supported for a number of devices and software, including Check Point Software Technologies and Cisco Systems products. Also, an enVision script can be used to upload logs in other formats to the enVision appliances, which convert them to syslog; you can also import vulnerability data. Setting up an event source can take some work, both on the log-generating device itself and in pointing its syslog output to the Network Intelligence appliance.
We ran several log-based data feeds into enVision for several weeks to create a baseline, then dove into the interface, which gives you numerous ways to present and analyze data. The real-time configurable dashboard presents a highly customizable view of your current network activity at a glance, such as events within the last few hours, bandwidth usage and recent alerts.
Highly configurable alerting allows you to set up correlated alerts based on trigger conditions, including time parameters, such as "a user has five failed authentications in 30 seconds." Powerful and flexible custom correlation rules are easy to create using different sources, including host, network, security and storage devices. This is important for organizations that need more than the packaged rules, since it lets them tailor alerts to their own environment.
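To show what the time-windowed correlation rule quoted above actually does, here is an added example written for this review, not code from enVision or Network Intelligence: a sliding-window rule over constructed syslog lines. The sshd "Failed password" message format and the 2006 year used for timestamp parsing are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not taken from the review), in the
# traditional "MMM dd HH:MM:SS host process[pid]: message" layout a
# syslog collector receives. Only sshd failures are considered here.
SAMPLE_SYSLOG = """\
Nov  1 10:00:01 dc01 sshd[411]: Failed password for alice from 10.0.0.5 port 5001 ssh2
Nov  1 10:00:07 dc01 sshd[412]: Failed password for alice from 10.0.0.5 port 5002 ssh2
Nov  1 10:00:12 dc01 sshd[413]: Failed password for bob from 10.0.0.9 port 5003 ssh2
Nov  1 10:00:15 dc01 sshd[414]: Failed password for alice from 10.0.0.5 port 5004 ssh2
Nov  1 10:00:20 dc01 sshd[415]: Failed password for alice from 10.0.0.5 port 5005 ssh2
Nov  1 10:00:25 dc01 sshd[416]: Accepted password for bob from 10.0.0.9 port 5006 ssh2
Nov  1 10:00:28 dc01 sshd[417]: Failed password for alice from 10.0.0.5 port 5007 ssh2
Nov  1 10:01:30 dc01 sshd[418]: Failed password for alice from 10.0.0.5 port 5008 ssh2
"""

# Assumed sshd failure message shape; "invalid user" is optional in real logs.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+)"
)


def parse_failures(text, year=2006):
    """Yield (timestamp, user, source_ip) for each failed-auth line.

    Syslog lines carry no year, so one is supplied (assumed 2006 here)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse "Nov  1" padding
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def correlate(events, threshold=5, window_seconds=30):
    """Sliding-window rule: alert when one user accumulates `threshold`
    failures within `window_seconds`. Returns [(user, first_ts, last_ts)]."""
    recent = defaultdict(deque)  # per-user timestamps inside the window
    alerts = []
    for ts, user, _ip in events:
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            alerts.append((user, q[0], ts))
            q.clear()  # one alert per burst, not one per extra failure
    return alerts
```

In the sample, alice's five failures between 10:00:01 and 10:00:28 fall inside one 30-second window and raise a single alert; the later failure at 10:01:30 starts a fresh window and stays silent.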
Views can be configured to contain any number of devices, enabling us to see just where in the network alerts occurred without having to examine the logs.
Reports can be generated to show any fields of data from the collected logs. While setting up and generating these custom reports can be time-consuming, basic templates facilitate the task and may be sufficient for some organizations. In addition, Network Intelligence packages several useful regulatory compliance reporting templates, such as HIPAA, Sarbanes-Oxley and PCI.
Typical reports include top infected systems (from McAfee, Symantec or Trend Micro); firewall information data (bandwidth, denied hosts per hour, denied outbound traffic) and Windows reports (shutdown/restarts, file access, application errors, policy changes).
enVision offers excellent value, especially for a growing company expecting greater performance requirements in the future. It's highly configurable, though you have to put a lot into it to get the most out of it.
Testing methodology: We fed enVision Windows Event logs (from a domain controller), as well as Linux system logs and Oracle data, running it for several weeks to create a baseline.
*EMC announced its acquisition of Network Intelligence in September 2006.
This was first published in November 2006