However, a SIM can bring tremendous value by providing total visibility into your security posture, and by leveraging security products you already have. Regulatory compliance has been a top driver for SIM purchases, but there are a number of less obvious advantages that should be considered when selecting a product. The key to realizing the full value of a SIM is to understand all of its advantages and leveraging the product in a way that brings maximum benefit.
In the panoply of functions a SIM can provide, perhaps the foremost is absorbing the bulk of log data from IDS sensors, IPS devices and firewalls. In this sense, a SIM can act as an IDS console, helping navigate through what is normally an overwhelming amount of IDS data. That's easy enough, but that function alone often doesn't provide enough purchase value for organizations that already have an IDS console.
For a greater benefit, look beyond analysis of IDS events and focus on the SIM product's alerting and analysis capabilities. These features will be quickly appreciated by the security team, but other IT staff can find them useful as well. For example, most IDSes have a subset of signatures that help track virus-infected or Trojan-controlled systems. You can use SIM alerts to immediately send infected system data to the organization's help desk, enabling a more proactive approach to tracking and resolving these issues.
A SIM also collects firewall data, which can also be advantageous. How? Your SIM knows who the top talkers and listeners are on the network, and can probably help identify hot spots and hot protocols where some network engineering or bandwidth controls might be useful. When deploying a SIM, bring the network engineering team on board by sharing reports and dashboards that focus on bandwidth usage. A SIM might be the only system in your organization that can give this level of visibility into the network, irrespective of security concerns.
Thinking outside of the traditional security box is a good way to leverage a SIM's correlation engine and normalization capabilities. While SIMs might be focused on the security implications of the data they collect, every log message tells a story -- one that is generally buried in a pile of unrelated minutiae. For example, most devices can emit log messages that presage future failures, such as bad power supplies, fans or failing hard drives. Find those messages using your SIM and you can turn a future emergency failure into a planned maintenance window.
Another potential bonus lies in the piles of typically unexamined logs from Windows and Unix servers. Not every SIM specializes in Windows, but all the good ones are happy to accept Windows event logs, even if they require a conversion to the Syslog log-forwarding standard using a tool like Snare. While most system managers have already developed their own local methods for watching logs, a SIM provides a place to collect these logs, rules, and alerts in a single management console. When leveraging a SIM this way, you can reduce deployment time by eliminating the steps of installing and configuring local log watch tools. And, by cross-correlating events from multiple systems, you may gain greater security visibility than by considering each log one system at a time.
A SIM has to stand or fail on its own merits and for the task you bought it to handle. But taking advantage of the opportunities to leverage a SIM for greater network and system visibility and control will ensure your organization makes the most of its investment.
About the author:
Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Arizona. He spends most of his time helping people build larger, faster, safer and more reliable networks. He is a frequent contributor to Information Security magazine and has advised and trained thousands of people privately and at conferences around the world on networking, security, messaging and VPNs.
This was first published in June 2007