Security event managers rule the roost

Sentinel depends on its message bus, which works with its correlation engine to allow for high-speed event correlations. According to e-Security, Sentinel can operate at speeds above 6,000 events per second on a single machine, plenty fast enough to handle normal enterprise demands.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

Version 5.1 adds Control Packs, applications that run on top of Sentinel, improve usability, and offer additional features. For example, the compliance Control Packs include agents, correlation rules, and process templates to address compliance with regulations such as Sarb-Ox, HIPAA, or PCI. (Of course, e-Security is not alone here; all of the vendors in this roundup offer compliance-oriented features.)

You can integrate e-Security Sentinel with existing trouble-ticket or help-desk products, and it works with most vulnerability scanners and virtually every IDS and firewall. iTrac allows you to integrate workflows such as event and vulnerability remediation, trouble-ticket tracking, and more, reducing the chance for errors. In addition, it can cross-map between vulnerability scanners and your IDS to evaluate potential threats, and it includes an advisor that will offer remedies for security problems.

We were impressed with Sentinel's speed, flexibility, and capacity. Its clear displays not only give you the big picture but also deliver any level of detail you want with a few mouse clicks. Sentinel has only become easier to use and integrate into your enterprise; if you need an SEM, you can't go wrong here.

Network Intelligence 7550-HA

Network Intelligence built the HA series of SEM appliances for speed, and it shows. The midrange 7550 we tested can handle steady streams of 7,500 events per second, and it can handle bursts above 9,000.

It's important to note that the three speed limits on this box -- 2,500, 5,000, and 7,500 events per second -- are license-driven and that you can upgrade with a relatively quick license change. In fact, because the hardware event-processing speed is modular, it will handle event bursts that exceed your events-per-second license limit. A company representative said Network Intelligence would never allow license limits to cause events to be dropped, so you get all of the capability and speed of the more powerful device for less money if you have a smaller network.

One reason for this speed is Network Intelligence's nonrelational database. The proprietary database is designed specifically for gathering and storing security events as quickly as possible. The 7550 doesn't use a relational database, so it can compress collected data by 95 percent. Also, the database isn't normalized, so no event data is lost. Each event receives a digital fingerprint to prove the chain of custody.

A unique feature of the 7550-HA is system baselining. The 7550-HA learns the enterprise's normal operational characteristics and can raise alarms if normal parameters are violated. This is especially useful in zero-day attacks, where the signatures necessary to detect the threat don't yet exist.

In addition to being fast, the 7550-HA appliance can detect "low-and-slow" attacks. Events are stored for correlation for 30 hours, so security events that happen only occasionally, such as a bad user or password entry from a single IP address outside the network, are still picked up and monitored to ensure they aren't under-the-radar break-in attempts. Although other SEMs have similar capabilities, only the 7550 retains events in active memory for such a long time.

The 7550-HA's enVision management software uses a speedometer and gauge metaphor to display important information at a glance, with more detailed data only a click away. Much of the background information is displayed as charts and graphs in the well-organized and well-designed interface.

As does e-Security Sentinel, the Network Intelligence appliance can set permissions for different levels of users, as well as individual permissions so that console operators can see only the tasks they're permitted to perform. Network Intelligence also added a complete set of compliance reporting and monitoring functions to the latest version of the 7550-HA.

The 7550-HA is easy to use, easy to implement, and blazingly fast. It should meet any enterprise's security management needs.

Symantec Security Information Manager 9550 Appliance

Symantec's new appliance enters a very competitive market with a capability that nothing else can match -- a complete subscription to the company's impressive DeepSight Threat Management System. The DeepSight global security service gives the 9550 access to intelligence about security events happening elsewhere around the world.

Aside from the DeepSight connection, Symantec's appliance includes IBM's DB2 relational database, a terabyte of storage, and support for external storage and external databases.

You can use both your vulnerability scanner and DeepSight to determine your risk exposure and the business impact of security events. Symantec also includes the company's LiveUpdate feature, which will keep the 9550 constantly updated with the latest security alerts and advisories.

As delivered, the 9550 can collect and store as many as 3,000 events per second -- an average rate -- but its correlation engine can handle 21,000. It scales reasonably well, although the only means of scaling is to buy more hardware. Larger enterprises can choose to bolster the 9550 with less-expensive 9500 collection engines.