This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
Download it now to read this article plus other related content.
SIM & storage
Determining how much storage you'll need before buying a SIM depends on several factors. Two key ones are how many devices will be reporting into the SIM, and your company's data retention policies.
|Agent vs. agentless approaches|
by Joel Snyder
Although Windows has a common logging system for applications, getting log entries to a SIM isn't a natural operation. To export log information, you need to either give the SIM sufficient credentials to pull the logs using existing Windows APIs, or add an agent that pushes logs off the Windows systems to the SIM.
For some network managers, the "pull" method -- often called agentless -- has a huge benefit that overrides any defect: you don't have to install software on the system from which you want to gather logs. However, with pull strategies, log information is generally limited to the Windows Event Log. Moreover, giving the SIM sufficient credentials to gather logs can be disconcerting.
With an agent you install, the SIM is up-to-date and--depending on the smarts in the agent--may have access to a greater variety of performance and security information than just the Event Log. Some vendors write their own agents while others have chosen to use syslog as the protocol of choice, suggesting an agent that simply translates Windows Event Log entries to syslog events.
Joel Snyder is senior partner at consultancy Opus One and a technical editor of Information Security.
ArcSight found that in many cases, customers underestimated their storage requirements because they ultimately wanted a lot more devices feeding data into the SIM than they originally planned, said Steve Sommer, senior vice president of marketing and business development.
Storage requirements also vary depending on how many days, weeks or months a company wants to retain data, and what they plan to keep.
"Do they want to collect every single event and log, or do some filtering of data that isn't relevant for compliance or security?" Sommer asked. "That can affect the storage by several factors."
Sunil Rath, director of systems engineering at netForensics, estimates that a 500 MB hard drive disk can store roughly 1 million security events. He agreed, however, that storage requirements depend on the client's retention policy and device message volume.
The National Institute of Standards and Technology (NIST) recently released guidance for computer security log management--Draft Special Publication 800-92--which Sommer says should help the industry. The document includes guidelines on managing long-term data storage.
This was first published in September 2006