How can you share information with other applications? A SIM is, without question, a powerful part of a security infrastructure, but it can't do the job alone. You'll need other hardware and software to deal with the incidents the SIM discovers, and life will be easier if the SIM itself can handle some of the interaction with those other pieces of infrastructure. As you're looking at SIMs, think about how you want the humans in the security hierarchy to work with the automated systems. Do you want the systems to take care of as much as possible, then notify staff as to what has been done? Or do you want the humans to keep their hands on the controls while the systems provide intelligent help?
Some SIMs will work in either of these ways -- or in both, as you begin with humans in control and gradually give more authority to the system as you gain confidence in its capabilities. Ask the vendors about which model they follow so that you can zero in on those that match your deployment expectations.
How easy is the SIM to install and configure? This is the big wild card. As with virtually any category of hardware or software, there are products that are relatively easy to install, and there are some that will occupy your every waking moment for far too long. In most cases, deploying a SIM will break down into two lengthy tasks: arranging for the SIM to gather information from the network, and arranging for you to glean information from the SIM.
Getting information to the SIM varies in complexity depending on whether the SIM is collecting log files, gathering data from its own network of probes, or both. The initial effort also depends on how actively the SIM gathers its basic information. Does the SIM initiate scans of devices on the network, or does it simply sniff the traffic stream for events, assets, and suspicious traffic patterns?
In similar ways, the effort involved in configuring security monitoring and analysis can vary greatly depending on the degree of automation built into the SIM's installation routine. Some SIMs will put themselves into a minimally useful configuration by default. Others require you to step through an extensive setup routine. The payoff for this greater time investment is that the system will, from the get-go, gather information tailored to your needs.
SIM vendors and solutions
This list is not intended to be exhaustive, and owing to merger and acquisition activity in the industry, it may go out of date without notice.
Solutions: ArcSight ESM; ArcSight Interactive Discovery; ArcSight Pattern Discovery
Solution: CiscoWorks Security Information Management Solution (SIMS)
Solution: CA Security Command Center
Solution: Dragon Security Command Console
Solution: SEM 3200