Symantec SIM brings friends
Symantec's SIM comes with an active network to help it analyze your events
What is it, one might reasonably ask, that separates a SIM (security information manager) from a basic log-file aggregator? Both will, of course, aggregate log files, but a SIM must go further, gathering incident alerts and status conditions from a variety of network security and infrastructure sources. A good SIM will then add some intelligence to the mix, helping the security engineer figure out which information is worth his or her immediate attention and which can be ignored until it's time to pass a compliance audit.
This last step separates the very good SIM from the merely competent, and it's where the security intelligence found in the Symantec SIM (SSIM) 9650 appliance shines. Like many SIMs, the Symantec system improves with each new data point (that is, component providing data) it has to chew on. Unlike many SIMs, Symantec's has its own Global Intelligence Network of analysts, experts, and OPSIMs (other people's SIMs) to throw into the intelligence mix.
If your network can provide a deep pool of data for the Symantec SIM to swim in, it can provide a wealth of detailed information to your security engineer. Be aware, though, that this isn't a product for security novices. If you think of it as an able assistant to your in-house security expert, you're on the right track. Given the system's intelligence, it might be tempting for admins to treat the tool as a replacement for that expert. If you do so in a small network with relatively few data sources, you're likely to be disappointed. If, on the other hand, you put one of these in a rich network beside a capable security staff, you'll find it a truly valuable addition to your security infrastructure.
Looking at the network
As SIMs go, Symantec's installs quickly. When you first connect to the SSIM appliance, you download the GUI app and get started. You'll find two logical applications built into the device: a Web interface for simple administration tasks and a dedicated GUI application for most of the heavy lifting in configuration and analysis.
In my testing, the setup process went smoothly. I experienced just a couple of instances of whining because of some quirks in my test environment. The SSIM system isn't particularly happy if you try to sequester it away from DNS (though it will operate after complaining for a few moments), and it uses self-signed certificates that are going to make some desktop clients antsy. As I said, for most production deployments, neither of these will be an issue, but there they are.
There are three broad areas of activity required to get you started: building an asset table, scanning for vulnerabilities, and establishing initial rules. You can perform that asset-table build either manually or automatically. Manual means either entering information through the keyboard (not recommended) or importing tables from just about any popular asset management system. If you don't have an existing asset table handy, the SSIM will build a table by sniffing the traffic on the network -- no active probing goes on. If you already have an asset management system in place, you'll want to import the information so that it will be consistent across systems. If you haven't taken the asset management step, discovery works well, though you'll want to go back into the descriptions to add details (regarding certain system details and asset criticality) that just can't be determined from network traffic alone.
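To illustrate the asset-table step described above, here is an added example (not Symantec's code; every host, flow and inventory record is constructed) of a passive build: hosts are recorded only from observed traffic, the result is overlaid with an imported inventory so names and criticality stay consistent with the system of record, and entries whose criticality traffic alone cannot reveal are flagged for manual completion.

```python
"""Passive asset-table build from observed traffic (hypothetical example)."""

# Constructed flow summaries as (src_ip, dst_ip, dst_port, proto).
# In practice these would come from a sniffer; nothing here probes hosts.
OBSERVED_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 443, "tcp"),
    ("10.0.1.21", "10.0.2.5", 443, "tcp"),
    ("10.0.1.20", "10.0.2.9", 53, "udp"),
    ("10.0.2.5", "10.0.3.7", 3306, "tcp"),
    ("10.0.1.22", "10.0.2.9", 53, "udp"),
]

# Constructed import from an existing asset-management system.
IMPORTED_ASSETS = {
    "10.0.2.5": {"name": "web01", "criticality": "high", "owner": "webteam"},
    "10.0.3.7": {"name": "db01", "criticality": "high", "owner": "dba"},
}


def discover_assets(flows):
    """Build an asset table from observed flows only (no active probing).

    Each host is recorded with the services it was seen serving (destination
    port/protocol) and the peers it exchanged traffic with.
    """
    assets = {}
    for src, dst, port, proto in flows:
        for ip in (src, dst):
            assets.setdefault(ip, {"services": set(), "peers": set()})
        assets[dst]["services"].add(f"{port}/{proto}")
        assets[src]["peers"].add(dst)
        assets[dst]["peers"].add(src)
    return assets


def merge_with_inventory(discovered, imported):
    """Overlay the imported inventory so names and criticality match the
    system of record, and flag what traffic alone cannot supply."""
    merged = {}
    for ip, observed in discovered.items():
        record = {"name": None, "criticality": None, "owner": None, **observed}
        record.update(imported.get(ip, {}))
        # Criticality is a business judgement, never derivable from packets.
        record["needs_review"] = record["criticality"] is None
        merged[ip] = record
    return merged
```

Hosts flagged with `needs_review` are the ones an engineer must go back and describe by hand, exactly the follow-up the review recommends.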