DK 'Log : /personal/opinion/siem

A review of a commercial SIM
Wed, 05 Dec 2007

Some time ago, earlier this year, I had the opportunity to attend to a conference where one of the leading SIM vendors (according to gartner's magic quadrant at least) talked about their product. Although my opinion will always be biased and I tend to compare all that I see on this area with OSSIM, I also believe that I've got a solid base to judge others.
Anyway, since I know myself and making a review comparing more than five years of work with a 5 hour demo and some document browsing isn't fair, I won't say the name of this product.

::start here

First of all I must say I went out of the event quite impressed, and somewhat jelaous. The marketing part was impressive, well worked out and really transmitted the need of a SIM/SEM/SIEM to almost everybody. Seems like governments and some questionable laws also help this industry alot, making such an aggregated security system a must for many organizations. Anyway, this jealousy changed a bit afterwards.

I don't want to extend this to the political arena though so just to the facts:

What I've learned

(And we're putting into practice these days)

Having an Appliance based solution (even if it's in parallel with software) is a must.
Having tons of easy to understand data brochures is very important too.
Compliance is an very important area to focus on.
Beautiful graphs are crucial.
And so is ease of use.

Well, basically we already knew all of that but got the confirmation. Appliances are available, documentation is growing, we've developed lots of commercial things for partners, pretty graphs are present in the last releases and through the installer we started to reach an "everybody can install it" status.

Pro's and Con's of this solution.

Pro's:

Extensive help
Many predefined reports/alerts
Performance, at least on powerpoint, looked great
Many devices supported

Con's:

Lack of customization options
Seemed somewhat "limited". I mean, I had the feeling to have seen everything it did and could do after a couple of hours.
No contextual graphs / menus. Graphs are nice, but the ability to get from high level information to lower level and back, or aggregate by your criteria is even nicer. I was really surprised to see this was missing.
No talk about anomaly detectors, limited inventory options, sparse policy and asset management.
No extra software included.

Conclusion

If you've got everything in place, already have bought an IDS, an IPS, some other management systems, vulnerability scanners, NMS and such, then this sort of product is great for you.
If you have tons of money to spend and you quickÃly have to achieve a specific goal hint:compliance) then this seems also like an obvious decision.
But if you're starting from scratch or adapting a few systems to a SIM/SEM environment I don't seem many reasons to favor this system to OSSIM :-). Now the only thing left is to read the How-do-I-get-into-the-gartner-quadrant-in-order-to-focus-my-marketing-on-that-fact-HOWTO.

Remember, I'm biased...

posted at: 11:33 | path: /personal/opinion | permanent link to this entry | 2 comments |
Tags: opinion, commercial, siem, review

* Posted by Abhimanyu at Sun Dec 9 21:27:57 2007

Hey,

When we were evaluating OSSIM as a solution we could offer to our clients, we did invite a whole host of people to demonstrate their product.

Our conclusions were quite similar to yours, esp. with respect to Symantec's appliance approach that seems to be doing well.

I guess i should have shared it with you then. Apologies, but I thought it was too early to talk abt all that 9 months ago!

Abhi

* Posted by Paul at Sun Jan 6 04:19:46 2008

Nice review, lack of graphs is bad. So is lack of anomaly detection. Spade or something similar is a must!