Where will the information be processed? In a network of any size, the SIM will be dealing with a large quantity of data. Precisely where and how that data is processed is key to knowing whether a particular SIM can keep up with what your network generates. Almost all SIMs have two primary components for the creation and presentation of information: the SIM appliance itself and a dashboard application running on a remote workstation. If all the information is processed in either the appliance or the dashboard workstation alone, performance can become an issue whenever network traffic or incident volume peaks. Ask where data is processed and whether the processing is split between two (or more) systems. Delayed security information can mean falling victim to an attack you might otherwise have survived.
How will the information be correlated? All SIMs gather information from sources within the network. Some gather information from external sources as well, ranging from public threat identification services to proprietary correlation networks. Beyond eliminating the need for your security engineer to open 93 windows on his or her workstation just to keep up with log files, much of a SIM's value lies in its capability to find patterns in network traffic. This activity requires two primary traits: the capability to gather data from various places and the intelligence to turn all that data into meaningful information. Both are critical. Just as the SIM must draw information from all of the important components of your network, the correlation data must come from sources you trust.
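To make the two traits concrete, here is a small added example (not code from the original article or from any SIM vendor) of the kind of correlation a SIM performs: it normalises events from two internal sources (a firewall log and an SSH authentication log) into one timeline, enriches them with an external reputation feed, and applies a rule that fires only when the combined evidence from all three sources lines up. All log lines, addresses, the `THREAT_FEED` set and the rule thresholds are constructed for the example; the log formats are simplified stand-ins rather than any particular product's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs). Two internal sources:
FIREWALL_LOGS = [
    "2024-03-01T10:00:01 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22",
    "2024-03-01T10:00:03 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22",
    "2024-03-01T10:00:05 fw01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22",
    "2024-03-01T10:02:10 fw01 ALLOW src=198.51.100.7 dst=10.0.0.9 dport=443",
]
AUTH_LOGS = [
    "2024-03-01T10:00:40 srv08 sshd: Failed password for root from 203.0.113.5",
    "2024-03-01T10:00:44 srv08 sshd: Failed password for root from 203.0.113.5",
    "2024-03-01T10:00:50 srv08 sshd: Accepted password for root from 203.0.113.5",
    "2024-03-01T10:05:00 srv09 sshd: Accepted publickey for alice from 198.51.100.7",
]
# Constructed stand-in for an external reputation feed (a "trusted source"):
THREAT_FEED = {"203.0.113.5"}

# Simplified, assumed log formats for the two sources above.
FW_RE = re.compile(r"^(\S+) \S+ (DENY|ALLOW) src=(\S+) dst=\S+ dport=\d+$")
AUTH_RE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) \w+ for \S+ from (\S+)$")


def parse_events(fw_lines, auth_lines):
    """Normalise both sources into (time, src_ip, kind) tuples on one timeline."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m and m.group(2) == "DENY":
            events.append((datetime.fromisoformat(m.group(1)), m.group(3), "fw_deny"))
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            kind = "auth_fail" if m.group(2) == "Failed" else "auth_success"
            events.append((datetime.fromisoformat(m.group(1)), m.group(3), kind))
    events.sort()  # chronological order across both sources
    return events


def correlate(events, threat_feed, window=timedelta(minutes=5), min_denies=3):
    """Apply two correlation rules per source IP.

    Rule 1: a successful login preceded, within `window`, by at least
            `min_denies` firewall denies and at least one failed login.
            Severity is raised to critical when the IP is on the feed.
    Rule 2: any successful login from an IP on the reputation feed.
    """
    by_ip = defaultdict(list)
    for t, ip, kind in events:
        by_ip[ip].append((t, kind))

    alerts = []
    for ip, evs in by_ip.items():
        for t_succ, kind in evs:
            if kind != "auth_success":
                continue
            start = t_succ - window
            denies = sum(1 for t, k in evs if k == "fw_deny" and start <= t <= t_succ)
            fails = sum(1 for t, k in evs if k == "auth_fail" and start <= t <= t_succ)
            if denies >= min_denies and fails >= 1:
                alerts.append({
                    "ip": ip, "time": t_succ, "rule": "denies+failures then success",
                    "severity": "critical" if ip in threat_feed else "high",
                    "denies": denies, "fails": fails,
                })
            elif ip in threat_feed:
                alerts.append({
                    "ip": ip, "time": t_succ, "rule": "success from listed ip",
                    "severity": "medium", "denies": denies, "fails": fails,
                })
    return alerts


def run_correlation():
    """Entry point: parse the constructed logs and return the alerts raised."""
    return correlate(parse_events(FIREWALL_LOGS, AUTH_LOGS), THREAT_FEED)


if __name__ == "__main__":
    for a in run_correlation():
        print(a["severity"].upper(), a["ip"], a["rule"], f"denies={a['denies']} fails={a['fails']}")
```

Neither source on its own would justify an alert here: three denied packets are routine, and a successful root login is not suspicious until it is seen next to the preceding failures. The rule fires only because the SIM holds both internal feeds and the external list on one timeline, which is the point the paragraph makes about gathering widely and trusting the correlation sources.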
How are reports generated? It's one thing to be notified that unauthorized activities are happening on the network. It's another thing entirely to convince less security-savvy network management to do anything about it. You want your SIM to be capable of generating reports to support your call for action -- and to generate them quickly. If the product comes with prepackaged reports that you can modify to provide the information specific to your organization and incident, then you're way ahead of the game.
Prepackaged reports are critically important time-savers when it comes to regulatory-compliance audits. If you know the format your auditing agency requires, then by all means ask whether those reports are included with your candidate SIM. Regulatory compliance audit reports could, by themselves, justify the purchase of a SIM system.
How can you look at highlighted incidents? Reports are important in many situations, but for day-to-day security analysis, you'll spend much more time interacting with a security dashboard. A clean, well-organized dashboard and the ability to drill into reported incidents by time, severity, and type will mean the difference between productivity and frustration. How easily can you highlight a particular time period and analyze traffic by the criteria that you specify? How easy does the correlation engine within the client make it to look for patterns within a specified time? Is it effortless or difficult to look at traffic or interactions between specific addresses or types of clients?
With just about any product, you'll want a dashboard that has an initial set of analysis screens that get you started in a meaningful way. You'll also want something with easily customized screens and automated analysis runs to meet your needs.
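The report and dashboard questions above (generating a report to support a call for action, and drilling into incidents by time, severity, type, or address) come down to a few operations over the incident store. The following added example, written for this page and not taken from the article or any product, sketches those operations over a constructed incident list: a severity-ranked drill-down filter, an address pivot for "interactions between specific addresses", and a plain-text summary of the kind a prepackaged report would render. The `INCIDENTS` records, field names and severity scale are assumptions for the example.

```python
from collections import Counter
from datetime import datetime

# Assumed severity scale for the example; real products define their own.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample incidents, as a dashboard might hold them after correlation.
INCIDENTS = [
    {"time": "2024-03-01T09:15:00", "severity": "low", "type": "port_scan",
     "src": "203.0.113.5", "dst": "10.0.0.8"},
    {"time": "2024-03-01T10:00:50", "severity": "critical", "type": "brute_force",
     "src": "203.0.113.5", "dst": "10.0.0.8"},
    {"time": "2024-03-01T11:30:00", "severity": "medium", "type": "malware_callback",
     "src": "10.0.0.21", "dst": "198.51.100.9"},
    {"time": "2024-03-01T13:45:00", "severity": "high", "type": "brute_force",
     "src": "203.0.113.7", "dst": "10.0.0.9"},
    {"time": "2024-03-02T08:05:00", "severity": "low", "type": "port_scan",
     "src": "203.0.113.5", "dst": "10.0.0.9"},
]


def drill_down(incidents, start=None, end=None, min_severity="low", kind=None, address=None):
    """Return incidents inside [start, end], at or above min_severity,
    optionally restricted to one type and/or one address (as src or dst)."""
    lo = datetime.fromisoformat(start) if start else datetime.min
    hi = datetime.fromisoformat(end) if end else datetime.max
    floor = SEVERITY_RANK[min_severity]
    out = []
    for inc in incidents:
        t = datetime.fromisoformat(inc["time"])
        if not (lo <= t <= hi):
            continue
        if SEVERITY_RANK[inc["severity"]] < floor:
            continue
        if kind and inc["type"] != kind:
            continue
        if address and address not in (inc["src"], inc["dst"]):
            continue
        out.append(inc)
    return out


def pair_counts(incidents):
    """Count incidents per (src, dst) pair: the 'interactions between addresses' view."""
    return Counter((i["src"], i["dst"]) for i in incidents)


def summarize(incidents):
    """Aggregate counts by type and by severity for a report header."""
    return {
        "total": len(incidents),
        "by_type": dict(Counter(i["type"] for i in incidents)),
        "by_severity": dict(Counter(i["severity"] for i in incidents)),
    }


def render_report(incidents, title="Incident summary"):
    """Render a short plain-text report, most severe incidents first."""
    s = summarize(incidents)
    lines = [title, "=" * len(title), f"Total incidents: {s['total']}", ""]
    for sev in sorted(SEVERITY_RANK, key=SEVERITY_RANK.get, reverse=True):
        if sev in s["by_severity"]:
            lines.append(f"  {sev:<9} {s['by_severity'][sev]}")
    lines.append("")
    ordered = sorted(incidents, key=lambda i: (-SEVERITY_RANK[i["severity"]], i["time"]))
    for i in ordered:
        lines.append(f"{i['time']}  {i['severity']:<9} {i['type']:<17} {i['src']} -> {i['dst']}")
    return "\n".join(lines)


if __name__ == "__main__":
    day_one = drill_down(INCIDENTS, "2024-03-01T00:00:00", "2024-03-01T23:59:59", min_severity="high")
    print(render_report(day_one, "High-and-above incidents, 2024-03-01"))
```

The drill-down and pivot functions are what a dashboard's time, severity, type and address selectors do behind the scenes; `render_report` is the path from "what the analyst saw" to the document that management reads. When evaluating a product, the question is whether these operations are available with a few clicks and whether the report layout can be adjusted to your organization, not whether the underlying logic is clever.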