SIM (security information management) products have become more accepted as critical components within the network security infrastructure. As such, understanding the criteria for selecting SIMs has become more important. Moreover, in a fast-evolving market segment [SIM becomes SEM (security event manager), becomes SI/EM, becomes …], it's more important to understand the important architectural differences and implementation requirements than the industry acronyms and product names. A wave of consolidation has already begun to hit the SIM market, but the major issues and deployment criteria span brands and individual technologies.
What is a SIM?
A SIM automates collection and analysis of information from all the security components in a network. Rather than having to look at logs and alerts from firewall, IDS, anti-virus, VPN, and other security systems, a security manager can obtain all of this information from a single SIM console. Some SIMs simply aggregate reports from these various components; others correlate the information to improve the quality of overall security information.
There are two key benefits to this data aggregation: First, it reduces the cost and improves the effectiveness of security monitoring. Second, it simplifies and improves reporting of security information for audits in support of regulatory compliance. HIPAA, Sarbanes-Oxley, GLB, and FISMA -- and the consequences of noncompliance -- are prime driving factors in the increased deployment of SIMs.
It's important to briefly consider the difference between SIM, SEM, and anomaly detection software. SIM systems tend to collect information of all sorts from security components. That information includes events, alerts, ongoing status, and full network-traffic capture.
SEM products, on the other hand, tend to focus on the events and alerts in an attempt to improve on IDS (intrusion detection system) functionality. Anomaly detection takes a somewhat different approach: It initially surveys the network to establish a baseline of condition and behavior, then reports on any changes to these patterns.
Some SIMs have adopted elements of anomaly detection in their operation. In fact, the functions of all three product types are rapidly converging. The market movement is clear; the label that will be applied to the resulting class of product is yet to be decided.
How does the SIM get information? The basic question is whether the SIM depends on agents (sometimes called monitors or probes) installed around the network, or does it take its information from the log files and SNMP events generated by the existing network infrastructure. If the product depends on its own agents, it can very tightly tie the input stream to event processing, which can make it somewhat more efficient. If the product depends on log files and SNMP events, it can cast a much wider net (though you must be sure that it can handle the log files produced by your infrastructure devices), and it can be less expensive to deploy.
Some products use a combination of the two architectures, accepting log files and using their own dedicated agents. You must look at the architecture of your network to know whether one approach or the other will provide the most visibility to the SIM.