How to get the most out of a SIM

However, a SIM can bring tremendous value by providing total visibility into your security posture, and by leveraging security products you already have. Regulatory compliance has been a top driver for SIM purchases, but there are a number of less obvious advantages that should be considered when selecting a product. The key to realizing the full value of a SIM is to understand all of its advantages and leveraging the product in a way that brings maximum benefit.

In the panoply of functions a SIM can provide, perhaps the foremost is absorbing the bulk of log data from IDS sensors, IPS devices and firewalls. In this sense, a SIM can act as an IDS console, helping navigate through what is normally an overwhelming amount of IDS data. That's easy enough, but that function alone often doesn't provide enough purchase value for organizations that already have an IDS console.

For more information: Join us on June 27th for a special webcast, Taking the next step with security information management with guest speaker Joel Snyder. In this Intrusion Defense Security School lesson, learn how security information and event management can amplify enterprise defense strategies. Visit our Identity and Access Management Security School to learn how to establish and mantain an effective identity and access management plan.

For a greater benefit, look beyond analysis of IDS events and focus on the SIM product's alerting and analysis capabilities. These features will be quickly appreciated by the security team, but other IT staff can find them useful as well. For example, most IDSes have a subset of signatures that help track virus-infected or Trojan-controlled systems. You can use SIM alerts to immediately send infected system data to the organization's help desk, enabling a more proactive approach to tracking and resolving these issues.

A SIM also collects firewall data, which can also be advantageous. How? Your SIM knows who the top talkers and listeners are on the network, and can probably help identify hot spots and hot protocols where some network engineering or bandwidth controls might be useful. When deploying a SIM, bring the network engineering team on board by sharing reports and dashboards that focus on bandwidth usage. A SIM might be the only system in your organization that can give this level of visibility into the network, irrespective of security concerns.

Thinking outside of the traditional security box is a good way to leverage a SIM's correlation engine and normalization capabilities. While SIMs might be focused on the security implications of the data they collect, every log message tells a story -- one that is generally buried in a pile of unrelated minutiae. For example, most devices can emit log messages that presage future failures, such as bad power supplies, fans or failing hard drives. Find those messages using your SIM and you can turn a future emergency failure into a planned maintenance window.

Another potential bonus lies in the piles of typically unexamined logs from Windows and Unix servers. Not every SIM specializes in Windows, but all the good ones are happy to accept Windows event logs, even if they require a conversion to the Syslog log-forwarding standard using a tool like Snare. While most system managers have already developed their own local methods for watching logs, a SIM provides a place to collect these logs, rules, and alerts in a single management console. When leveraging a SIM this way, you can reduce deployment time by eliminating the steps of installing and configuring local log watch tools. And, by cross-correlating events from multiple systems, you may gain greater security visibility than by considering each log one system at a time.

A SIM has to stand or fail on its own merits and for the task you bought it to handle. But taking advantage of the opportunities to leverage a SIM for greater network and system visibility and control will ensure your organization makes the most of its investment.

About the author:
Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Arizona. He spends most of his time helping people build larger, faster, safer and more reliable networks. He is a frequent contributor to Information Security magazine and has advised and trained thousands of people privately and at conferences around the world on networking, security, messaging and VPNs.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Enterprise Data Protection,   Enterprise Data Governance,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   Business Management: Security Support and Executive Communications,   Data Loss Prevention,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Screencast: Find rogue wireless acess points with Vistumbler How to prepare for a secure network hardware upgrade Preventing SQL injection attacks: A network admin's perspective Screencast: How to launch an OpenVAS scan Wireless network guidelines for PCI DSS compliance Aligning network security with business priorities Scanning with N-Stalker offers basic Web application security assessment Lifecycle of a network security vulnerability Screencast: BackTrack 4 offers an arsenal of penetration testing tools Network access control technology: Over-hyped or underused? Enterprise Data Governance How to protect distributed information flows Interpreting 'risk' in the Massachusetts data protection law Creating an enterprise data protection framework Analyst DLP study finds maturity, ranks top DLP vendors Voltage, RSA spar over tokenization, data protection Twitter gets condemned by CISOs at Forrester forum PCI DSS compliance requirements: Ensuring data integrity Trustwave acquires data loss prevention vendor Vericept Data has become too distributed to secure, Forrester says Cloud-based security services should start private Information Security Policies, Procedures and Guidelines Health Net breach failure of security policy, technology How to protect distributed information flows Essential guide: Pandemic planning for H1N1 Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cut-and-paste attack  (SearchSecurity.com) data masking  (SearchSecurity.com) data splitting  (SearchSecurity.com) deperimeterization  (SearchSecurity.com) Google hacking  (SearchSecurity.com) masquerade  (SearchSecurity.com) snooping  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.