Information Security Magazine
Security information management review: Network Intelligence's enVision
Issue: Nov 2006

SECURITY INFORMATION MANAGEMENT


enVision
REVIEWED BY BRENT HUSTON

Network Intelligence*

Price: Costs $126,900 for 7550-HA for medium to large enterprises


System logs contain a treasure trove of valuable security information; in fact, there's so much information that a large organization would need a whole team dedicated solely to reading and analyzing logs. Early security information management (SIM) systems took a major step to cut this job down to size, but they still required a large commitment of human resources and were burdened by hard-to-configure data collection. However, SIM products such as Network Intelligence's enVision have matured into powerful, manageable tools that analyze this enormous volume of data to deliver relevant and usable security information.

Configuration B
With the help of the onsite engineers provided during a typical installation, we had the enVision 7550-HA model (for medium to large enterprises) running and collecting data in a few hours. The hardware itself is quite powerful, capable of collecting more than 7,500 events per second. This speed is helped by the use of a unique data storage system: Instead of a typical relational database, enVision's proprietary LogSmart IPDB stores all log files in native format, generates metadata to speed retrieval and compresses logs to increase available storage space.

A single Web-based management interface provides access to the dashboard as well as reporting and device configuration.

Logs are received primarily through syslog, although other methods are supported for a number of devices and software, including Check Point Software Technologies and Cisco Systems products. Also, an enVision script can be used to upload logs in other formats to the enVision appliance, which converts them to syslog; you can also import vulnerability data. Setting up an event source can take some work, both on the log-generating device and in pointing its syslog output at the Network Intelligence appliance.
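The review notes that syslog is the primary input and that logs in other formats are converted to syslog before the appliance stores them. The following is an added illustration of what that conversion involves, written for this page and not Network Intelligence's own script: it wraps arbitrary log lines in a BSD syslog (RFC 3164) header, computing the PRI value from facility and severity, padding the day the way RFC 3164 expects, and truncating to the 1024-byte packet ceiling. The collector hostname, facility choice and sample lines are assumptions for the example.

```python
import socket
from datetime import datetime

# Standard RFC 3164 facility and severity codes (subset).
FACILITIES = {"kern": 0, "user": 1, "auth": 4, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
MAX_LEN = 1024  # RFC 3164 limits a packet to 1024 bytes


def syslog_pri(facility, severity):
    """PRI is facility * 8 + severity, e.g. local0/info -> 134."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_syslog(line, host, tag, facility="local0", severity="info", when=None):
    """Wrap one raw log line in a BSD syslog header so a syslog
    collector can ingest it like any other syslog message."""
    when = when or datetime.now()
    ts = when.strftime("%b %d %H:%M:%S")
    # RFC 3164 pads a single-digit day with a space, not a zero.
    if ts[4] == "0":
        ts = ts[:4] + " " + ts[5:]
    msg = f"<{syslog_pri(facility, severity)}>{ts} {host} {tag}: {line}"
    return msg[:MAX_LEN]


def convert_lines(lines, host, tag, **kw):
    """Convert a whole file's worth of lines, skipping blank ones."""
    return [format_syslog(l.rstrip("\n"), host, tag, **kw)
            for l in lines if l.strip()]


def send_udp(messages, collector_host, port=514):
    """Ship the converted messages to a collector over UDP/514.
    collector_host is a placeholder supplied by the caller."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for m in messages:
            s.sendto(m.encode("utf-8"), (collector_host, port))


if __name__ == "__main__":
    # Constructed sample application log, not from the review.
    raw = ["User alice logged in from console\n", "\n",
           "Config file reloaded\n"]
    for m in convert_lines(raw, host="apphost", tag="myapp",
                           when=datetime(2006, 11, 3, 10, 15, 1)):
        print(m)
```

The PRI arithmetic and the space-padded day are the two details that most often break home-grown forwarders; a collector that parses strictly will drop or misfile messages that get either wrong.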

Alerting B+
We ran several log-based data feeds into enVision for several weeks to create a baseline, then dove into the interface, which gives you numerous ways to present and analyze data. The real-time configurable dashboard presents a highly customizable view of your current network activity at a glance, such as events within the last few hours, bandwidth usage and recent alerts.

Highly configurable alerting allows you to set up correlated alerts based on trigger conditions, including time parameters, such as "a user has five failed authentications in 30 seconds." Powerful and flexible custom correlation rules are easy to create using different sources, including host, network, security and storage devices. This matters for organizations that need more than the packaged rules, because it lets you tailor alerts to your own environment.

Views can be configured to contain any number of devices, enabling us to see just where in the network alerts occurred without having to examine the logs.
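The correlation rule quoted above ("a user has five failed authentications in 30 seconds") and the device-level view described in the previous paragraph can both be seen in a small sliding-window correlator. The code below is an added example written for this page, not enVision's rule engine: it parses sshd-style syslog lines, keeps a per-user window of failed logins across all reporting hosts, raises one alert when the threshold is reached inside the window, and records which hosts the failures came from so the alert already says where in the network it happened. The log lines, hostnames, users and addresses are constructed for the example, and the year (absent from syslog timestamps) is assumed to be 2006.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style syslog lines; not taken from the review.
SAMPLE_LOGS = """\
Nov  3 10:15:01 host1 sshd[2001]: Failed password for alice from 10.0.0.5 port 5001 ssh2
Nov  3 10:15:05 host1 sshd[2002]: Failed password for alice from 10.0.0.5 port 5002 ssh2
Nov  3 10:15:09 host1 sshd[2003]: Failed password for bob from 10.0.0.7 port 5003 ssh2
Nov  3 10:15:12 host2 sshd[3001]: Failed password for alice from 10.0.0.5 port 5004 ssh2
Nov  3 10:15:18 host1 sshd[2004]: Failed password for alice from 10.0.0.5 port 5005 ssh2
Nov  3 10:15:20 host1 sshd[2005]: Accepted password for bob from 10.0.0.7 port 5006 ssh2
Nov  3 10:15:25 host2 sshd[3002]: Failed password for alice from 10.0.0.5 port 5007 ssh2
Nov  3 10:16:30 host1 sshd[2006]: Failed password for bob from 10.0.0.7 port 5008 ssh2
Nov  3 10:16:40 host1 sshd[2007]: Failed password for bob from 10.0.0.7 port 5009 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line, year=2006):
    """Return a dict for an sshd authentication event, or None for any
    other line. Syslog timestamps carry no year, so the caller supplies
    one (2006 is assumed for the constructed sample)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = AUTH_RE.match(m.group("msg"))
    if not a:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": a["user"],
            "src": a["src"], "failed": a["outcome"] == "Failed"}


def correlate(lines, threshold=5, window_s=30, year=2006):
    """Sliding-window rule: alert when one user accumulates `threshold`
    failed authentications within `window_s` seconds, counted across all
    reporting hosts. Returns a list of alert dicts."""
    recent = defaultdict(deque)  # user -> deque of (ts, host) inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None or not ev["failed"]:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["host"]))
        # Evict failures older than the window, measured from the newest event.
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "user": ev["user"],
                "count": len(q),
                "first": q[0][0],
                "last": ev["ts"],
                "hosts": sorted({h for _, h in q}),  # where it happened
            })
            q.clear()  # one burst yields one alert, not one per extra failure
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {a['user']}: {a['count']} failed logins in {span:.0f}s "
              f"on {', '.join(a['hosts'])}")
```

Clearing the window after an alert is a deliberate choice: without it, every further failure in the same burst re-fires the rule, which is the kind of alert flood that makes operators tune a correlation out rather than act on it.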

Reporting B+
Reports can be generated to show any fields of data from the collected logs. While setting up and generating these custom reports can be time-consuming, basic templates facilitate the task and may be sufficient for some organizations. In addition, Network Intelligence packages several useful regulatory compliance reporting templates, such as HIPAA, Sarbanes-Oxley and PCI.

Typical reports include top infected systems (from McAfee, Symantec or Trend Micro); firewall data (bandwidth, denied hosts per hour, denied outbound traffic) and Windows reports (shutdown/restarts, file access, application errors, policy changes).

Verdict
enVision offers excellent value, especially for a growing company expecting greater performance requirements in the future. It's highly configurable, though you have to put a lot into it to get the most out of it.


Testing methodology: We fed enVision Windows Event logs (from a domain controller), as well as Linux system logs and Oracle data, running it for several weeks to create a baseline.
*EMC announced its acquisition of Network Intelligence in September 2006.