Published: 01 Apr 2007
GOLD | ArcSight Enterprise Security Manager
Organizations looking for a security information management (SIM) solution have a lot of vendors to choose from, but ArcSight Enterprise Security Manager stood out from the crowd, according to readers. The product won a gold medal in the SIM category, scoring high marks for its event correlation capabilities, effective management interface and compatibility with existing systems.
ArcSight ESM also scored well in its ability to map information to security policy or compliance regulations, and its granular and flexible policy definitions.
The biggest benefit of ArcSight ESM is its dashboard graphics for analysis of security events, says Tim Maletic, manager of information security at Priority Health, a Michigan-based health insurance company.
The product allows him to easily view events, drill down through various displays and pull data to research events.
In addition to using ArcSight ESM for incident detection and response, Priority Health uses the product to help with various compliance efforts. "It does a good job of recording what you do with the tool," Maletic says.
"I can use that data to back up my incident response policy and other policies we get audited on, and prove we're doing what we say we're doing," he adds.
Maletic says the list of devices ArcSight ESM supports is impressive. Priority Health uses the product to integrate data from IDSes, firewalls, Windows, UNIX and Linux servers, antivirus, and vulnerability assessment systems. The company also is writing customized agents for homegrown applications.
The fine-grained policies ArcSight ESM provides for user management can be a little daunting to set up, but provide valuable flexibility, he says.
Last year, ArcSight bolstered ESM with the release of its Compliance Insight Packages. The packages bundle rules and reports based on ISO 17799 and NIST 800-53 standards to help organizations meet regulatory requirements such as SOX, HIPAA, and the Payment Card Industry (PCI) Data Security Standard.
Also in 2006, ArcSight expanded beyond its core capabilities in security management with its acquisition of ENIRA Technologies, a supplier of technology for automating network management tasks. After the acquisition, ArcSight released Network Response Manager, which automates network responses in order to block worm outbreaks, hacker attacks or other security events, and Network Configuration Manager for automated network discovery and configuration management.
SILVER | NetIQ Security Manager
Price: Console, $2,500
Readers noted NetIQ Security Manager's management interface and compatibility with existing systems, earning it a silver medal.
The product helps organizations cope with compliance and the deluge of security events by consolidating and archiving log and event data. It provides a single system for event correlation, analysis, real-time intrusion protection, and reporting. NetIQ, acquired by Attachmate last year, released last fall NetIQ SM 5.6. It includes an enhanced UI with customized views of data from multiple sources, improved access control to support multiple roles during incident response, and reporting flexibility to allow for creation and viewing of reports based on audience and priority.
BRONZE | Check Point Eventia Suite
Check Point Software Technologies
Check Point Software Technologies' Eventia Suite won the bronze medal, scoring high marks from readers for its ability to map information to security policy or compliance regulations, and its event correlation capabilities.
Eventia also scored well in ROI--readers said they get their money's worth with the product. The Eventia Suite consists of the Eventia Analyzer for real-time security event correlation and Eventia Reporter for historical trend analysis. The suite helps organizations filter security events to zero-in on the ones that matter, respond in real time to incidents, and ease compliance efforts with centralized analysis and reporting.
In the trenches
Tradeoffs to consider with SIMs
SIMs require plenty of up-front work understanding business processes and tuning agents, but the payoff is better security.
Security information management (SIM) systems can be a big help to an organization, but they have their downsides.
While SIMs can help meet audit requirements and improve incident response, they can be complex to deploy and difficult to manage. There may be agents that need tuning, false positives to sort out, and reports to run--all of which require resources. Some organizations have one or more engineers devoted full time to a SIM.
Jim Granger, technical director at the Navy Cyber Defense Operations Command, says SIMs are like any other technology in that they require an up-front investment of time and resources. And not just anyone can implement them; skilled technicians are needed.
"SIMs force you to understand what your business processes are and what your networks look like, but that in and of itself is a good thing," he says.
When first installed, SIMs can generate a lot of security events that don't need attention, but tuning the system for a specific environment helps resolve that problem, says Dave Daniels, network security engineer at PPD, a global contract research firm serving pharmaceutical and other organizations. The company installed a SIM from Q1 Labs that combines SIM with anomaly-based detection technology.
"The more it knows about your network the better," he says.
The payoff is streamlined security monitoring that makes it easier to track and analyze virus outbreaks, according to Daniels.
Security managers advise others to take the time to understand their needs before leaping into a SIM purchase.
"They really have to understand what their requirements are and map it to the products that they're after," says Dave Lewis, head of security at the Independent Electricity System Operator in Ontario, Canada.
"Don't worry about what vendor you're dealing with. Worry about what you actually need. ...If you don't understand what you actually need, you're going to get a mess," Lewis says.
Likewise, Glenn Haar, IT resource manager at the Idaho Tax Commission, advises organizations to figure out what they want to accomplish before looking at specific SIM products. His firm studied its compliance and security needs before choosing High Tower Software's appliance.
"We didn't look at the product first. We talked about what our business goals were first," he says. "If you get your education from vendors, typically they educate you the way they want you to understand the world. Next thing you know, their product is the perfect fit."