Some time ago, earlier this year, I had the opportunity to attend to a conference where one of the leading SIM vendors (according to gartner’s magic quadrant at least) talked about their product. Although my opinion will always be biased and I tend to compare all that I see on this area with OSSIM, I also believe that I’ve got a solid base to judge others.
Anyway, since I know myself and making a review comparing more than five years of work with a 5 hour demo and some document browsing isn’t fair, I won’t say the name of this product.
First of all I must say I went out of the event quite impressed, and somewhat jelaous. The marketing part was impressive, well worked out and really transmitted the need of a SIM/SEM/SIEM to almost everybody. Seems like governments and some questionable laws also help this industry alot, making such an aggregated security system a must for many organizations. Anyway, this jealousy changed a bit afterwards.
I don’t want to extend this to the political arena though so just to the facts:
What I’ve learned
(And we’re putting into practice these days)
- Having an Appliance based solution (even if it’s in parallel with software) is a must.
- Having tons of easy to understand data brochures is very important too.
- Compliance is an very important area to focus on.
- Beautiful graphs are crucial.
- And so is ease of use.
Well, basically we already knew all of that but got the confirmation. Appliances are available, documentation is growing, we’ve developed lots of commercial things for partners, pretty graphs are present in the last releases and through the installer we started to reach an “everybody can install it” status.
Pro’s and Con’s of this solution.
- Extensive help
- Many predefined reports/alerts
- Performance, at least on powerpoint, looked great
- Many devices supported
- Lack of customization options
- Seemed somewhat “limited”. I mean, I had the feeling to have seen everything it did and could do after a couple of hours.
- No contextual graphs / menus. Graphs are nice, but the ability to get from high level information to lower level and back, or aggregate by your criteria is even nicer. I was really surprised to see this was missing.
- No talk about anomaly detectors, limited inventory options, sparse policy and asset management.
- No extra software included.
If you’ve got everything in place, already have bought an IDS, an IPS, some other management systems, vulnerability scanners, NMS and such, then this sort of product is great for you.
If you have tons of money to spend and you quick?ly have to achieve a specific goal hint:compliance) then this seems also like an obvious decision.
But if you’re starting from scratch or adapting a few systems to a SIM/SEM environment I don’t seem many reasons to favor this system to OSSIM :-). Now the only thing left is to read the How-do-I-get-into-the-gartner-quadrant-in-order-to-focus-my-marketing-on-that-fact-HOWTO.
Remember, I’m biased…