When selecting a security information and event management tool for your organization, evaluate it against this checklist.
Security information management, also referred to as SIM, is one of the fastest-growing enterprise security domains.
Given the increase in the volumes of operational information streaming back and forth within organizations, dedicated staff can no longer handle it manually.
The SIM technology emerged as a response to IT managers’ need for automating the process of collecting, monitoring and analyzing event log data from security devices in large business networks.
The present-day security information and event management tools leverage the best practices of data aggregation and event correlation to sort through logs generated by proxy servers, routers, switches, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and antimalware suites.
A significant benefit has to do with normalization features tasked with converting different types of reports into a unified format, typically XML, so that they can be further processed and analyzed within an all-in-one console.
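The normalization step described above, as an added example that is not code from the original article or from any SIM vendor: three constructed log formats (a firewall deny line, a Snort-style IDS alert, and a Windows-style logon failure) are parsed into one unified event schema and then serialized as XML for a console to consume. Field names, regexes and sample lines are assumptions made for illustration; real products use their own layouts, and all timestamps are assumed to be UTC.

```python
"""Normalize heterogeneous security log lines into one event schema.

Added example, not code from the original article or from any SIM vendor.
The three log formats below are constructed for illustration (a firewall
deny line, a Snort-style IDS alert, and a Windows-style logon failure);
real products use their own field layouts.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample lines, one per source type. All timestamps are
# assumed to be UTC.
SAMPLE_LINES = [
    "2024-03-01T10:15:02Z fw01 DENY TCP 203.0.113.7:51522 -> 10.0.0.5:22",
    "03/01/24-10:15:05.123 [**] [1:2001219:20] ET SCAN Potential SSH Scan "
    "[**] {TCP} 203.0.113.7:51530 -> 10.0.0.5:22",
    "2024-03-01 10:15:09 dc01 EventID=4625 Status=0xC000006D "
    "Account=jdoe Source=203.0.113.7",
]

# One regex per source; each yields the fields the unified schema needs.
FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
IDS_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
WINLOGON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"Status=(?P<status>\S+) Account=(?P<user>\S+) Source=(?P<src>[\d.]+)$"
)


def _utc(dt):
    """Tag a naive timestamp as UTC and render it as ISO 8601."""
    return dt.replace(tzinfo=timezone.utc).isoformat()


def normalize_line(line):
    """Map one raw line onto the unified schema; return None if unrecognised."""
    m = FIREWALL_RE.match(line)
    if m:
        return {
            "timestamp": _utc(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")),
            "source_type": "firewall",
            "category": "network_deny" if m["action"] == "DENY" else "network_allow",
            "host": m["host"], "src_ip": m["src"], "dst_ip": m["dst"],
            "dst_port": int(m["dport"]), "user": None, "detail": None, "raw": line,
        }
    m = IDS_RE.match(line)
    if m:
        return {
            "timestamp": _utc(datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f")),
            "source_type": "ids",
            "category": "ids_alert",
            "host": None, "src_ip": m["src"], "dst_ip": m["dst"],
            "dst_port": int(m["dport"]), "user": None, "detail": m["msg"], "raw": line,
        }
    m = WINLOGON_RE.match(line)
    if m:
        return {
            "timestamp": _utc(datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")),
            "source_type": "windows",
            "category": "auth_failure" if m["eid"] == "4625" else "auth_other",
            "host": m["host"], "src_ip": m["src"], "dst_ip": None,
            "dst_port": None, "user": m["user"], "detail": m["status"], "raw": line,
        }
    return None


def normalize_all(lines):
    """Normalize every recognised line; unrecognised lines are dropped."""
    return [ev for ev in (normalize_line(l) for l in lines) if ev is not None]


def to_xml(events):
    """Serialize normalized events as XML for a downstream console."""
    root = ET.Element("events")
    for ev in events:
        node = ET.SubElement(root, "event", source_type=ev["source_type"], category=ev["category"])
        for key, value in ev.items():
            if key in ("source_type", "category") or value is None:
                continue
            ET.SubElement(node, key).text = str(value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(normalize_all(SAMPLE_LINES)))
```

The point of the unified schema is that the three sources end up with the same `src_ip`, `category` and `timestamp` keys, which is what lets a later correlation stage treat a firewall deny, an IDS alert and a logon failure from the same address as related evidence rather than three unrelated strings. Lines that match no known format are dropped here; a production pipeline would route them to a parse-failure queue so that gaps in coverage are visible.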
Aside from streamlining the process of collecting event logs as well as vulnerability and configuration reports, the industry’s top SIM solutions accommodate real-time alerting mechanisms and active response features that take their functionality well beyond commonplace data harvesting.
Security information management systems are complex and heterogeneous mechanisms that need to be fine-tuned to the specific enterprise environment and work in tandem with the organization’s existing security policies.
Although the decision-making part ultimately boils down to a human being, SIM can thwart well-orchestrated attacks against any organization and considerably enhance the efficiency of incident response if deployed correctly.
There are plenty of commercial and open-source SIM products on the market, including Network Intelligence’s enVision, Cisco Security MARS, Prism Microsystems EventTracker, Symantec Security Information Manager, TriGeo Network Security, and many more.
When selecting a security information and event management tool that best fits your organization’s needs, it makes sense to evaluate it against a checklist of several important criteria.
Below are some of the questions that IT executives should ask the vendor when picking a worthwhile SIM product.
How Does the Solution Scale?
The product's ability to handle big volumes of data is an important factor, especially when it comes to safeguarding a large corporate environment. To start with, IT managers should have accurate information on the number of devices that they want to collect event logs from.
An important attribute to look at is the number of events per second that the SIM tool can capture, process and store properly. Some vendors may require that the customer provide extra storage space or outsource some of the log data archiving to third-party services. All in all, it is imperative to know whether or not the system can handle the scale of your IT infrastructure.
Is the SIM Compatible With Third-Party Security Products, IDS Systems, and Databases?
Since the security information management system will complement the existing threat management and risk mitigation strategies within the enterprise, it’s crucial to make sure that there will be no software conflicts and compatibility issues.
Therefore, it’s a good idea to scrutinize the product’s compatibility with the installed antimalware, intrusion detection and prevention systems, vulnerability management technology and other defense solutions. The reason is obvious. IT supervisors need to ascertain that the automated SIM engine can harvest, aggregate and correlate the data generated by these different systems to get the big picture of the overall security posture.
In addition to the criterion of third-party software support, it’s also important to find out whether the vendor provides a developer kit that allows the client to create custom integrations.
Does the Tool Accommodate Log Management Features?
Although compliance policies and regulations may be vague about how the organization must maintain logs from monitored devices, SIM solutions should deliver log management and archiving functionality that covers any such requirement.
Of course, these requirements are more rigid for financial institutions that need to comply with PCI DSS (Payment Card Industry Data Security Standard) and for enterprises that must follow SOX (Sarbanes-Oxley Act) regulations, but there is a certain degree of log managing and archiving obligation in either scenario.
Professional IT managers will certainly favor a SIM product that’s more flexible in this regard. Ideally, they should be able to configure the scope of event log data to collect, as well as the volume thereof to be archived.
Can the System Produce Real-Time Alerts Based on Complex Conditions?
Another rule of thumb to keep in mind when choosing a SIM product is to make sure it can correlate ostensibly unrelated events across the corporate IT infrastructure and determine whether or not they are components of the same threat. Contemporary malicious code can be polymorphic, with a single infection combining behavioral attributes of multiple unrelated threats.
Consequently, complex events occurring in different parts of the company’s digital environment may indicate the activity of an advanced persistent threat that obfuscates its presence. Incidentally, that’s how cybercriminals carry out industrial espionage, which is any organization’s worst nightmare.
Attacks of that sort can last for months or even years unless identified. With a sophisticated security information management system in place, it should be possible to raise some red flags on suspicious nested conditions and upset the adversary by eradicating all stealthy malware fragments.
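The kind of nested condition this section asks for, as an added example that is not code from the original article or from any SIM product: a small stateful correlation rule that consumes already-normalized events (timestamp, category, src_ip, user, dst_port) and fires when a burst of authentication failures from one source is followed, within a short window, by a successful logon from that same source; an IDS alert from the same source in the same period raises the severity. The rule, its thresholds, the field names and the sample events are all constructed for illustration.

```python
"""Correlate ostensibly unrelated events into one multi-stage alert.

Added example, not from the original article or any SIM product. Events
are assumed to be already normalized to a common schema (timestamp,
category, src_ip, user, dst_port). The thresholds and sample events are
constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                     # failures needed to count as a burst
FAIL_WINDOW = timedelta(seconds=60)    # ...within this sliding window
SUCCESS_WINDOW = timedelta(minutes=5)  # a success must follow the burst within this


def _ts(ev):
    return datetime.fromisoformat(ev["timestamp"])


def _ev(ts, category, src, user=None, dst_port=None):
    """Build one normalized event (constructed sample data)."""
    return {"timestamp": ts, "category": category, "src_ip": src,
            "user": user, "dst_port": dst_port}


# Constructed sample stream: one source produces six failures in 25 s, an
# IDS alert, then a success; an internal host produces two benign typos.
SAMPLE_EVENTS = [
    *[_ev(f"2024-03-01T10:15:{s:02d}+00:00", "auth_failure", "203.0.113.7", "jdoe", 443)
      for s in range(0, 30, 5)],
    _ev("2024-03-01T10:15:12+00:00", "ids_alert", "203.0.113.7"),
    _ev("2024-03-01T10:16:00+00:00", "auth_success", "203.0.113.7", "jdoe", 443),
    _ev("2024-03-01T10:15:03+00:00", "auth_failure", "10.0.0.20", "asmith", 443),
    _ev("2024-03-01T10:15:20+00:00", "auth_failure", "10.0.0.20", "asmith", 443),
    _ev("2024-03-01T10:15:40+00:00", "auth_success", "10.0.0.20", "asmith", 443),
]


def correlate(events):
    """Return alerts for: burst of failures, then a success, same source."""
    events = sorted(events, key=_ts)
    failures = defaultdict(deque)  # src_ip -> failure timestamps inside the window
    burst_at = {}                  # src_ip -> time the threshold was last crossed
    ids_hits = defaultdict(list)   # src_ip -> IDS alert timestamps
    alerts = []
    for ev in events:
        t, src = _ts(ev), ev["src_ip"]
        if ev["category"] == "auth_failure":
            q = failures[src]
            q.append(t)
            while t - q[0] > FAIL_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                burst_at[src] = t
        elif ev["category"] == "ids_alert":
            ids_hits[src].append(t)
        elif ev["category"] == "auth_success":
            burst_t = burst_at.pop(src, None)  # consume the burst: alert once
            if burst_t is None or t - burst_t > SUCCESS_WINDOW:
                continue
            first_fail = failures[src][0]
            corroborated = any(first_fail <= h <= t for h in ids_hits[src])
            alerts.append({
                "rule": "brute_force_then_success",
                "src_ip": src,
                "user": ev["user"],
                "dst_port": ev.get("dst_port"),
                "failures": len(failures[src]),
                "severity": "critical" if corroborated else "high",
                "window_start": first_fail.isoformat(),
                "window_end": t.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Taken alone, none of the inputs is alarming: a few failed logons, one IDS signature, one successful logon. The rule is only useful because all three are keyed on the same normalized `src_ip` and ordered by a common timestamp, and because it keeps state across events rather than judging each line in isolation. The internal host with two typos never reaches the threshold, and a success that arrives long after a burst is ignored, which keeps the rule from paging on stale context.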
Does the SIM Tool Feature Active Response Functionality?
The solution should exhibit a fair degree of intelligence when it comes to taking action based on the event log data from security components of the organization’s IT environment. An example would be repeated instances of someone trying to access a corporate web server with wrong credentials, in which case the SIM would block the suspicious traffic.
At the same time, active response modules should operate within reasonable bounds. Sacrificing the performance of the entire enterprise network just to thwart a possible breach or spyware attack is of questionable value. The security information management system should be selective about where it blocks traffic so that the company can operate normally.
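One way to keep an active response module within bounds, as an added example that is not code from the original article or from any SIM product: given an alert such as repeated wrong credentials against a web server, the policy below decides whether an automatic block is appropriate and, if so, confines it to the one source address and the one attacked port, at the perimeter only, for a limited time and within a cap on concurrent blocks. Addresses in protected ranges (assumed here to be the corporate internal space and a partner link) are never blocked automatically and are escalated to an analyst instead. The policy values, rule names and sample alerts are constructed for illustration.

```python
"""Bounded active response: block a source at the perimeter, selectively.

Added example, not from the original article or any SIM product. The
policy values, rule names and sample alerts are constructed; the protected
ranges are assumed to be corporate internal space and a partner link.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

POLICY = {
    # Ranges automatic response must never touch, so the business keeps
    # operating even if an alert names an internal or partner address.
    "never_block": [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.0/24")],
    # Only high-confidence rules may trigger a block without a human.
    "auto_block_rules": {"brute_force_then_success", "repeated_bad_credentials"},
    "block_ttl": timedelta(minutes=30),   # blocks expire on their own
    "max_active_blocks": 200,             # budget of concurrent automatic blocks
}

# Constructed sample alerts in the order a SIM might emit them.
NOW = datetime(2024, 3, 1, 10, 20, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"rule": "repeated_bad_credentials", "src_ip": "203.0.113.7", "dst_port": 443},
    {"rule": "repeated_bad_credentials", "src_ip": "203.0.113.7", "dst_port": 443},  # duplicate
    {"rule": "repeated_bad_credentials", "src_ip": "10.0.5.5", "dst_port": 443},     # internal host
    {"rule": "port_scan_observed", "src_ip": "198.51.100.9", "dst_port": 22},        # not eligible
]


def decide_response(alert, active_blocks, now, policy=POLICY):
    """Return the action for one alert: block, none, or escalate to an analyst."""
    src = ipaddress.ip_address(alert["src_ip"])
    if alert["rule"] not in policy["auto_block_rules"]:
        return {"action": "escalate", "reason": "rule not eligible for automatic response"}
    if any(src in net for net in policy["never_block"]):
        return {"action": "escalate", "reason": "source is in a protected range"}
    live = [b for b in active_blocks if b["expires"] > now]   # ignore expired blocks
    if any(b["src_ip"] == str(src) and b["dst_port"] == alert["dst_port"] for b in live):
        return {"action": "none", "reason": "already blocked"}
    if len(live) >= policy["max_active_blocks"]:
        return {"action": "escalate", "reason": "automatic block budget exhausted"}
    return {
        "action": "block",
        "scope": "perimeter",            # edge firewall only, never the core
        "src_ip": str(src),              # one address, not a whole range
        "dst_port": alert["dst_port"],   # only the service being attacked
        "expires": now + policy["block_ttl"],
    }


def apply_response(alert, active_blocks, now, policy=POLICY):
    """Decide and, for a block, record it in the active list; return the decision."""
    decision = decide_response(alert, active_blocks, now, policy)
    if decision["action"] == "block":
        active_blocks.append({"src_ip": decision["src_ip"],
                              "dst_port": decision["dst_port"],
                              "expires": decision["expires"]})
    return decision


def run_sample():
    """Process the sample alerts in order; return the actions and the block list."""
    blocks = []
    actions = [apply_response(a, blocks, NOW)["action"] for a in SAMPLE_ALERTS]
    return actions, blocks


if __name__ == "__main__":
    actions, blocks = run_sample()
    print(actions)   # ['block', 'none', 'escalate', 'escalate']
    print(blocks)
```

Every bound here answers the concern in the paragraph above. The protected ranges stop the SIM from cutting off the company's own servers or a partner because an alert happened to name them; the per-port scope means a brute-force against the web server does not also break mail or VPN from the same source; the TTL and the block budget guarantee that a noisy day cannot accumulate into a permanent, network-wide denial of service of the organization's own making. Anything the policy will not do automatically is escalated rather than silently dropped, so the human decision-maker still sees it.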
Again, a SIM product is intended to be a critical addition to the general security posture of an organization. It gathers logs from various security components, including firewalls and antivirus software, and thus facilitates the process of making the right decision on the IT supervisors’ end, although some scope of automatic real-time response is in place as well.
Back in the day, security information management products were chiefly used by large businesses with thousands of employees. The fact that SMBs have now come to employ these systems as well is certainly a good sign that the industry is on the right track. If you are a business owner, be sure to examine the above criteria and pick the SIM tool that will help your security team stay on top of what’s going on in your digital environment.