Security information management comes of age
Any security platform worth its salt produces log data, but in a large network running multiple systems and protocols it is impractical to monitor that output accurately by watching each data source on its own. A well-developed security information management approach minimises the number of consoles that security professionals have to watch, aggregating the data into a single, easier-to-manage platform. (Security information management is generally taken to cover only this capture-and-monitoring function, rather than the broader practice of information security management, which also takes in other technological, business and people-management elements.)
"The value of SIM products was profoundly simple in concept," Forrester analysts John Kindervag and Andrew Jaquith noted in a recent technology overview. "They transformed noisy, low-level security event information generated by firewalls and intrusion detection system (IDS) devices into alerts that could be readily comprehended by security analysts."
As with any monitoring system, data capture and processing can take place in a number of locations. A SIM platform can simply collect raw data from agents on the monitored systems and process it on a central server, but in practice the agents usually filter and pre-aggregate the data before transmission. That has two benefits: it cuts the volume of log traffic crossing the network, and it reduces the amount of data the central server and its analysts have to absorb. The trade-off is that whatever an agent discards never reaches the central store, so agent-side filters need to be conservative and the unfiltered log should be retained on the originating system for as long as investigation or audit may need it.
Despite the relative maturity of the technology (examples date back to 2000), SIM platform deployment is far from a given. According to Forrester analyst Jonathan Penn, SIM rollouts are more typical within organisations with a large security spend than amongst more budget-minded corporations.
One driving factor in the adoption of SIM systems in recent years has been the spread of the Payment Card Industry Data Security Standard (PCI DSS), which requires merchants and processors to log and monitor all access to cardholder data. Its introduction in 2004, and a series of subsequent updates, provided a fresh impetus for the installation of SIM systems in retail and financial environments.
"The PCI log management requirements are very specific and include explicit guidance on how logs should be handled so that they cannot be tampered with," note Kindervag and Jaquith. "SIM vendors have tuned their market message and technical feature sets to meet this requirement precisely."
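The tamper-resistance the analysts refer to is usually delivered by some form of change detection over the stored log. The block below is an added example, not code from the article, from any SIM vendor it names, or from the PCI DSS text itself: it shows one widely used mechanism, a hash chain in which every stored record commits to the record before it, so that editing, deleting or reordering an earlier record breaks every later link. The record layout, the sample audit events and the `GENESIS` anchor are constructed for the illustration.

```python
"""Tamper-evident audit log built as a SHA-256 hash chain.

Added example (not the article's or any vendor's code): each link stores the
previous link's hash, so any in-place change to an earlier record invalidates
the chain from that point on. Sample records are constructed, not real events.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first link; assumption for this example


def _digest(prev_hash, record):
    """Hash of the previous link's hash plus a canonical encoding of this record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + canon).encode()).hexdigest()


def append(chain, record):
    """Append record to chain (a list of {"record", "prev", "hash"} links); return its hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return chain[-1]["hash"]


def verify(chain, expected_head=None):
    """Return (ok, index of first bad link, or -1).

    Internal consistency alone does not stop an attacker who rewrites a record
    and then recomputes every later hash, nor one who deletes the newest links.
    Both are caught only by comparing against a copy of the head hash kept off
    the logging host (or signed); pass that copy as expected_head.
    """
    prev = GENESIS
    for i, link in enumerate(chain):
        if link["prev"] != prev or link["hash"] != _digest(prev, link["record"]):
            return False, i
        prev = link["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, -1


def build_sample():
    """Constructed sample audit records (not real activity)."""
    chain = []
    for rec in [
        {"ts": "2009-06-01T10:00:01", "user": "alice", "action": "login", "result": "ok"},
        {"ts": "2009-06-01T10:02:14", "user": "alice", "action": "query_cardholder_db", "rows": 3},
        {"ts": "2009-06-01T10:05:00", "user": "alice", "action": "logout", "result": "ok"},
    ]:
        append(chain, rec)
    return chain


def demo():
    """Apply three tampering attempts to copies of the sample chain and report what verify sees."""
    chain = build_sample()
    head = chain[-1]["hash"]  # head hash copied off-box at write time

    # 1. Edit an earlier record in place: its own link no longer matches.
    edited = copy.deepcopy(chain)
    edited[1]["record"]["rows"] = 0  # attacker shrinks the recorded access footprint

    # 2. Same edit, then re-hash every link: internally consistent, caught only by the head copy.
    rehashed = []
    for link in edited:
        append(rehashed, link["record"])

    # 3. Silently drop the newest record: also internally consistent.
    truncated = chain[:-1]

    return {
        "intact": verify(chain, head),
        "edited": verify(edited, head),
        "rehashed_no_head": verify(rehashed),
        "rehashed_with_head": verify(rehashed, head),
        "truncated_no_head": verify(truncated),
        "truncated_with_head": verify(truncated, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} ok={result[0]} first_bad_link={result[1]}")
```

The two "no_head" results are the point a practitioner should take from this: a chain that verifies on the logging host proves nothing if that host is the one the attacker controls, so the head hash (or a periodic signed checkpoint) has to live somewhere the log writer cannot alter.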
A key distinguishing feature amongst SIM platforms is the degree of aggregation that takes place. Normalisation maps the differing formats and field names of each source (firewall, IDS, operating system, application) onto one common event schema; aggregation then groups related events so that a burst of thousands of near-identical records becomes a handful of summary entries. Together they cut the amount of information security pros have to process when identifying trends and potential problems, and they make the data available in a consistent form for governance tracking. For instance, CA's Enterprise Log Manager, released in April this year, includes a large number of preconfigured reports designed to link security trends into existing legislative and compliance requirements.
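The pipeline described in the two passages above, agent-side filtering before transmission and central normalisation plus aggregation into alerts, is shown end to end in the following added example. It is not code from the article or from any product it names. The two input formats (an iptables-style firewall DROP line and a Snort-style IDS alert line), the regular expressions that parse them, the severity scale, the noise list, the ten sample lines and the alerting thresholds are all constructed for this illustration; a real collector would carry parsers for hundreds of vendor formats and a sliding rather than fixed correlation window.

```python
"""Normalise two log formats into one schema, filter at the agent, aggregate centrally.

Added example for illustration only (not the article's or any vendor's code).
Line formats, sample lines, severity mapping and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

FW_RE = re.compile(
    r"^(?P<ts>\S+) fw kernel: DROP IN=\S+ SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)$")
IDS_RE = re.compile(
    r"^(?P<ts>\S+) ids snort\[\d+\]: \[\d+:\d+:\d+\] (?P<sig>.+?) \[Priority: (?P<prio>\d)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample lines (documentation-range addresses, made-up signature): one
# source probing several ports, an exact duplicate line, a NetBIOS broadcast deny,
# an IDS alert about the same source, an unrelated deny and an unparseable line.
SAMPLE_LINES = [
    "2009-06-01T10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "2009-06-01T10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "2009-06-01T10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23",
    "2009-06-01T10:00:02 fw kernel: DROP IN=eth0 SRC=192.0.2.55 DST=192.0.2.255 PROTO=UDP DPT=137",
    "2009-06-01T10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80",
    "2009-06-01T10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443",
    "2009-06-01T10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389",
    "2009-06-01T10:00:05 ids snort[1234]: [1:1000001:1] TEST Inbound probe [Priority: 2] "
    "{TCP} 203.0.113.7:51234 -> 192.0.2.10:22",
    "2009-06-01T10:00:06 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80",
    "Jun  1 10:00:07 host sshd[99]: a line this collector has no parser for",
]

# Known-noise (event, destination port) pairs the agent drops before transmission.
NOISE = {("connection_denied", 137), ("connection_denied", 138)}


def normalise(line):
    """Map one raw line onto the common schema; return None for unrecognised lines."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
                "event": "connection_denied", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "severity": 1}
    m = IDS_RE.match(line)
    if m:
        # Snort priority 1 is the most urgent; invert it onto the schema's ascending
        # 1..4 severity scale so events from every source compare the same way.
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "ids",
                "event": "signature:" + m["sig"], "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "severity": 5 - int(m["prio"])}
    return None


def _dedup_key(e):
    return (e["source"], e["event"], e["src"], e["dst"], e["dport"])


def agent_filter(events):
    """Agent-side reduction: drop known noise and collapse identical consecutive
    events into one record carrying a count, so less crosses the network."""
    out = []
    for ev in events:
        if (ev["event"], ev["dport"]) in NOISE:
            continue
        if out and _dedup_key(out[-1]) == _dedup_key(ev):
            out[-1]["count"] += 1
        else:
            out.append({**ev, "count": 1})
    return out


def correlate(events, window_s=10, threshold=5, alert_severity=3):
    """Central aggregation over records from agent_filter: one alert per (src, event)
    group whose summed count within window_s seconds of the group's first event reaches
    threshold, plus an immediate alert for any single event at or above alert_severity."""
    alerts, groups = [], defaultdict(list)
    for ev in events:
        if ev["severity"] >= alert_severity:
            alerts.append({"kind": "high_severity", "src": ev["src"],
                           "event": ev["event"], "count": ev["count"]})
        else:
            groups[(ev["src"], ev["event"])].append(ev)
    for (src, event), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]["ts"]
        in_window = [e for e in evs if (e["ts"] - first).total_seconds() <= window_s]
        total = sum(e["count"] for e in in_window)
        if total >= threshold:
            alerts.append({"kind": "threshold", "src": src, "event": event, "count": total,
                           "dports": sorted({e["dport"] for e in in_window})})
    return alerts


def process(lines):
    """Run the pipeline; return (parsed event count, transmitted record count, alerts)."""
    parsed = [ev for ev in map(normalise, lines) if ev is not None]
    transmitted = agent_filter(parsed)
    return len(parsed), len(transmitted), correlate(transmitted)


if __name__ == "__main__":
    n_parsed, n_sent, alerts = process(SAMPLE_LINES)
    print(f"{len(SAMPLE_LINES)} raw lines -> {n_parsed} parsed -> {n_sent} records sent")
    for a in alerts:
        print(a)
```

On the sample, ten raw lines become nine parsed events and seven transmitted records, and the analyst sees two alerts rather than nine rows: one for the IDS signature and one summarising six denied connections from a single source across five ports. The unparseable line is dropped by `normalise`; in a production collector such lines should be counted and retained rather than silently discarded, since a parser gap is itself something to notice.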
Integrating security information management systems with more general network monitoring is often held up as a worthwhile goal, since both use similar methods (collection and analysis of log-style data) and both are concerned with risk management and maximising system availability. In practice, however, the volume of alerts which a security system alone can generate, even after normalisation and aggregation, often makes that approach impractical.
Increasingly, SIM platforms are being used not just for traditional IT security, but for integration with physical security systems such as camera monitoring. IDC estimates the market for SIM platforms used purely for physical security will top $US5.3 billion by 2013.