You operate the 9550 using Web and Java interfaces. Unfortunately, the Java virtual machine used by Symantec is Windows-specific.
Whereas the interface is well-designed and organized, the dashboard is sort of a look-but-don't-touch display: Clicking on
the graphics, for example, won't allow you to drill down. If you move to the graphs that support the dashboard, however, you
can drill down from there -- so although the dashboard display is inconvenient, it's not the big hurdle it might seem.
The Symantec 9550 has some powerful SEM capabilities and is quite good, especially for smaller organizations where scalability
isn't a concern. With its links to DeepSight and LiveUpdate, Symantec has the potential to make some major strides in managing
security for large enterprises.
SEM selection: No simple task
Choosing a security event manager is not a task to be taken lightly. The SEM will have access to your company's most intimate
details, and it will affect every aspect of your company's daily life. It must be capable of collecting information from any
device on your network, of churning through high volumes of network activity, and of identifying meaningful events -- real
security threats or policy violations -- in a sea of noise.
In these respects, all three solutions deliver the goods. Whichever of these SEMs you choose, you'll no doubt find that it
will talk to anything you need it to. Network Intelligence and e-Security did the best job of this in our test, although Symantec
deserves kudos for providing a solid tool for designing custom collectors.
Similarly, all three SEMs adequately identified meaningful events among all of the activity on our test network; they even
discovered an incompletely configured DNS server we were unaware of before testing. The important differences we found were
in ease of use, manageability, and scalability. In these respects, e-Security Sentinel and the Network Intelligence 7550-HA
held the edge.
In addition to providing the best user interfaces and reporting features, e-Security Sentinel and the Network Intelligence
7550-HA can handle a heavy transaction load. Ultimately, the scalable architectures of these two solutions should also result
in more powerful correlation capabilities because they are capable of taking more data into account.
This is not, however, to suggest that the Symantec solution is unsuitable. If Symantec's global intelligence service and automated
updating are vital because your company has global exposure, then its somewhat lower level of performance might not be a problem.
In short, all of these products get the job done. The one that's best for your company will depend very much on your organization's
size, scope, and security needs.
Editor's note: The original version of this article included reviews of ArcSight Enterprise Security Manager 3.0 and Micromuse Netcool/NeuSecure
3.0. Because inaccuracies regarding the features and capabilities of the ArcSight and Micromuse products may have compromised
their evaluations, we have removed these products from the review.