Symantec SIM brings friends
Symantec's SIM comes with an active network to help it analyze your events
The vulnerability scan is, of necessity, more active and intrusive. The system scans the network and compares the results against known vulnerability databases such as the National Vulnerability Database and the Open Source Vulnerability Database. The scan is of the most benign sort; the SSIM doesn't try to confirm a vulnerability by exploiting it.
With assets and vulnerabilities in the database, I looked at the rule set that shipped with the SSIM and found not much there: around 40 rules populating the set. The slim rule set might seem inadequate, but Symantec explained it's a simple baseline; most of the production functionality comes from data actively collected and correlated during operations. I found that to be true, as the SSIM was able to construct information for reports and issue alerts based on information it received and built upon during the test. It's certainly possible to add specific rules yourself, but the need to do that should be limited to unusual cases in your particular network.
When networks go bad
For most security analysts, the SSIM dashboard will be the primary window into the appliance's operation. The dashboard grants a real-time view of system operations, and it's customizable across a variety of different values, including the usual criteria you want to see (top talkers, top destinations, alerts, and warnings) and others that are specific to the SSIM, such as alerts from the Global Intelligence Network. The dashboard is tightly tied to the GUI application but can be detached and run on a separate monitor while the GUI continues in administration mode.
The SSIM offers a dedicated report manager, which includes a built-in library of 273 queries that can be optimized for specific business needs. Among the queries are those designed for compliance reporting based on all the major federal regulations. Admins can modify the reports to meet the templates required by various compliance auditing organizations, though it's important to remember that SSIM isn't going to roll up all the reports you'll need for most audits. You can count on it for summaries, but the details will still come from individual components.
The positive aspects of event correlation and the Global Intelligence Network start to become apparent when the SSIM issues individual incident alerts and warnings. The system gathers information from the various components on the network and applies filters and rules to determine whether any given event is a simple anomaly or part of a larger issue indicating malicious behavior. When an alert is issued, it comes with diagnostic information and possible mitigation steps based on data from the GIN. Information from the GIN also plays a significant role in determining incident priority based on event type; target vulnerability, target sensitivity, and data sensitivity (the last two coming from data stored in the asset tracking table) also go into the calculation. Based on all this information, the SSIM will write a trouble ticket and provide some fairly basic ticket-tracking capabilities.
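To make the prioritization described above concrete, here is an added illustration (not Symantec's code or its actual scoring model) of how the four inputs the review names can be combined into a ticket priority. The asset table, event-type weights, thresholds and vulnerability IDs are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed asset-tracking table (hypothetical hosts). Sensitivity values are
# assumptions on a 1-5 scale; vulnerability IDs are placeholders, not real CVEs.
ASSETS = {
    "10.0.0.5": {"target_sensitivity": 3, "data_sensitivity": 5, "vulns": {"VULN-PLACEHOLDER-1"}},
    "10.0.0.9": {"target_sensitivity": 1, "data_sensitivity": 1, "vulns": set()},
}
UNKNOWN_ASSET = {"target_sensitivity": 1, "data_sensitivity": 1, "vulns": set()}

# Assumed weights per event type; in the product this role is played by GIN data.
EVENT_TYPE_WEIGHT = {"exploit_attempt": 4, "auth_failure": 2, "port_scan": 1}
VULNERABLE_TARGET_BONUS = 3          # event targets a vuln the asset actually has

# Assumed score-to-priority thresholds (priority 5 is most urgent).
THRESHOLDS = [(13, 5), (10, 4), (7, 3), (5, 2)]


@dataclass
class Event:
    event_type: str
    target: str                      # IP of the targeted asset
    exploits: Optional[str] = None   # vulnerability ID the event tries to use, if known


def prioritize(event: Event, assets=ASSETS) -> dict:
    """Return a ticket-like dict: priority plus the factor breakdown an analyst would want."""
    asset = assets.get(event.target, UNKNOWN_ASSET)
    # Target vulnerability: does the targeted host really carry the vuln being exploited?
    vulnerable = event.exploits is not None and event.exploits in asset["vulns"]
    factors = {
        "event_type": EVENT_TYPE_WEIGHT.get(event.event_type, 1),
        "target_vulnerability": VULNERABLE_TARGET_BONUS if vulnerable else 0,
        "target_sensitivity": asset["target_sensitivity"],
        "data_sensitivity": asset["data_sensitivity"],
    }
    score = sum(factors.values())
    priority = next((p for floor, p in THRESHOLDS if score >= floor), 1)
    return {"priority": priority, "score": score, "factors": factors, "target": event.target}


if __name__ == "__main__":
    # Same exploit attempt against a vulnerable, sensitive host versus an unaffected one.
    print(prioritize(Event("exploit_attempt", "10.0.0.5", "VULN-PLACEHOLDER-1")))
    print(prioritize(Event("exploit_attempt", "10.0.0.9", "VULN-PLACEHOLDER-1")))
```

The same exploit attempt lands as priority 5 against the vulnerable, sensitive host and priority 2 against the host that lacks the vulnerability, which is the kind of triage the asset table is meant to enable.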