Organizations overwhelmed by a deluge of security data generated by their networks--and feeling the pressure of regulatory requirements--have turned to security information management (SIM) for relief.
SIM, also referred to as security event management (SEM) or a combination of the two (SIEM), automates the process of monitoring logs from firewalls, IDSes and other devices. SIM systems aggregate, correlate, analyze and store data to give organizations overall visibility into their network security and improve their incident response.
In fact, compliance is making "identity awareness" an important feature for SIM technology, said Trent Henry, an analyst at the Burton Group.
"Past SIEM solutions were quite focused on perimeter infrastructure such as firewalls and IDSes, but with identity management a key component of internal controls, SIEM products are now looking more carefully at identity transactions," Henry said. "This can help organizations keep an eye on critical compliance-related controls, including SOX's requirement for appropriate segregation of duties."
A SIM appliance from Network Intelligence, which was acquired by EMC last September, helps the Independent Electricity System Operator (IESO) in Ontario, Canada, comply with industry security auditing requirements, said Dave Lewis, who heads security at the IESO. The technology demonstrates that IESO staffers are in fact reviewing the security logs.
"This gives us an audit trail," Lewis said. "We can see that they did review their logs and they're taking action on X, Y and Z."
For the Idaho State Tax Commission, SIM helps it to comply with Internal Revenue Service requirements and get a better handle on security events. The commission deployed a SIM appliance from High Tower Software that collects and correlates data from its vulnerability assessment, IDS and other systems, and boils down that information to "actionable items," said Glenn Haar, IT resource manager at the commission.
"Our goal was to get people to the point where they're not mechanics trying to keep the thing running but move them to where they're focusing on dealing with the security issues that are actually coming up," he said.
At Hackley Hospital, a SIM system from TriGeo Network Security allowed network technicians to quickly track down the source of a virus that was preventing users from accessing the Internet.
"It puts a lot of things into one interface," said Andy Busard, information security analyst at the Michigan health-care provider. "It allows us to do things we weren't able to do before."
HIPAA compliance was the initial reason the hospital bought a SIM, Busard said. TriGeo is helping it show auditors that activities such as users logging in remotely are being tracked.
While SIM technology can help on a lot of fronts, it's not without its drawbacks. SIMs can be complex to manage.
"At the end of the day, all they do is report and store data and generate reports and analytics against that data," said Amrit Williams, a former Gartner analyst, now CTO at BigFix. "If you don't have a mechanism for responding to that data, then the cost associated with deploying these technologies can be high and offer limited value." Burton Group's Henry said the problem with a SIM system "becomes the amount of customization required to get the most out of the tool."
Jim Granger, technical director at the Navy Cyber Defense Operations Command, said SIM--like other technologies--requires an initial up-front investment in time and resources but that the payoff is worth it.
"SIMs force you to understand what your business processes are and what your networks look like, but that in itself is a good thing," he said.