How to get the most out of a SIM

However, a SIM can bring tremendous value by providing total visibility into your security posture, and by leveraging security products you already have. Regulatory compliance has been a top driver for SIM purchases, but there are a number of less obvious advantages that should be considered when selecting a product. The key to realizing the full value of a SIM is to understand all of its advantages and leveraging the product in a way that brings maximum benefit.

In the panoply of functions a SIM can provide, perhaps the foremost is absorbing the bulk of log data from IDS sensors, IPS devices and firewalls. In this sense, a SIM can act as an IDS console, helping navigate through what is normally an overwhelming amount of IDS data. That's easy enough, but that function alone often doesn't provide enough purchase value for organizations that already have an IDS console.

For more information: Join us on June 27th for a special webcast, Taking the next step with security information management with guest speaker Joel Snyder. In this Intrusion Defense Security School lesson, learn how security information and event management can amplify enterprise defense strategies. Visit our Identity and Access Management Security School to learn how to establish and mantain an effective identity and access management plan.

For a greater benefit, look beyond analysis of IDS events and focus on the SIM product's alerting and analysis capabilities. These features will be quickly appreciated by the security team, but other IT staff can find them useful as well. For example, most IDSes have a subset of signatures that help track virus-infected or Trojan-controlled systems. You can use SIM alerts to immediately send infected system data to the organization's help desk, enabling a more proactive approach to tracking and resolving these issues.

A SIM also collects firewall data, which can also be advantageous. How? Your SIM knows who the top talkers and listeners are on the network, and can probably help identify hot spots and hot protocols where some network engineering or bandwidth controls might be useful. When deploying a SIM, bring the network engineering team on board by sharing reports and dashboards that focus on bandwidth usage. A SIM might be the only system in your organization that can give this level of visibility into the network, irrespective of security concerns.

Thinking outside of the traditional security box is a good way to leverage a SIM's correlation engine and normalization capabilities. While SIMs might be focused on the security implications of the data they collect, every log message tells a story -- one that is generally buried in a pile of unrelated minutiae. For example, most devices can emit log messages that presage future failures, such as bad power supplies, fans or failing hard drives. Find those messages using your SIM and you can turn a future emergency failure into a planned maintenance window.

Another potential bonus lies in the piles of typically unexamined logs from Windows and Unix servers. Not every SIM specializes in Windows, but all the good ones are happy to accept Windows event logs, even if they require a conversion to the Syslog log-forwarding standard using a tool like Snare. While most system managers have already developed their own local methods for watching logs, a SIM provides a place to collect these logs, rules, and alerts in a single management console. When leveraging a SIM this way, you can reduce deployment time by eliminating the steps of installing and configuring local log watch tools. And, by cross-correlating events from multiple systems, you may gain greater security visibility than by considering each log one system at a time.

A SIM has to stand or fail on its own merits and for the task you bought it to handle. But taking advantage of the opportunities to leverage a SIM for greater network and system visibility and control will ensure your organization makes the most of its investment.

About the author:
Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Arizona. He spends most of his time helping people build larger, faster, safer and more reliable networks. He is a frequent contributor to Information Security magazine and has advised and trained thousands of people privately and at conferences around the world on networking, security, messaging and VPNs.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Enterprise role management: Trends and best practices Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities Screencast: Recovering lost data with WinHex How to build security into a virtualized server environment How to install and configure Nessus How to run a Nessus system scan Nessus: Vulnerability scanning in the enterprise Screencast: An introduction to the Open Source Security Testing Methodology Manual (OSSTMM) Understanding multifactor authentication features in IAM suites Network intrusion prevention systems: Should enterprises deploy now? Management Support for Information Security CIO role could shift toward data quality, says IBM group Results Chain for Information Security and Assurance Information Security Blueprint Learn from NIST: Best practices in security program management CISOs adapt as compliance requires strategic thinking The New School of Information Security Security, Privacy Offices Must Combine Resources E-discovery management: How IT should interact with the legal team What controls can compensate when segregation of duties isn't economically feasible? IT GRC: Combining disciplines for better enterprise security Creating and Managing Information Security Policies Security Awareness Training Essential Part of Infosec Program How to lock down instant messaging in the enterprise Worst practices: Bad security incidents to avoid Thompson calls for marriage of data and security management Companies Collecting Too Much Customer Data Increase Exposure Interview: Arizona CISO David VanderNaalt Incident response success in five quick steps Social networking Web site threats manageable with good enterprise policy What controls can compensate when segregation of duties isn't economically feasible? IT GRC: Combining disciplines for better enterprise security Creating and Managing Information Security Policies Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.