purchasing SIM tools need to concentrate on several important characteristics when
examining and evaluating vendor offers.
As environments in
which SIM systems will be implemented may
vary, all IT supervisors searching for security information management products
should ask themselves the following:
So how exactly does
the tool scale?
IT supervisors should calculate
the quantity of devices from which they
need to gather data question the supplier if their solutions may handle the big volumes of log information.
A lot of SIM solutions
show what number of events per second they are
able to catch, evaluate and store. Some will require setting up multiple
collection servers. Other may need supplemental storage volumes available or feature
plans with partners to reward them for archiving the raw log statistics. You
have to be 100% sure the tool can go with your network.
Does the SIM
product contain log-management capabilities?
Compliance policies may
be equally specific and obscure on how and for how long companies should keep their
log information. It seems sensible that SIM systems
are accumulating logs from controlled
devices, also need to ensure that log data is managed and archived effectively and correctly.
Certain policies, such
as the Payment Card Information Data Security Standard, require log managing
and archiving. Some others, such as the Sarbanes-Oxley Act, tend to be more opaque, only demanding companies to establish
the reliability and stability of business procedures, meaning they should
demonstrate they are tracking applications and the infrastructure for inappropriate
Is it compatible
with other security-management products
and solutions, databases or third-party equipment?
SIM systems are going
to be essential elements of bigger enterprise threat-management
strategies. IT supervisors have to know the information accumulated by unified
threat management, anti-malware and vulnerability-management
solutions can be integrated into the SIM automated
event-correlation and analysis engines.
Again, buyers must oblige
suppliers to indicate exactly what type
of data and what amounts of data, their security instruments can collect and identify.
IT supervisors must inquire what third-party solutions the provider supports
and whether or not the software developer kit is available for customers to put
together their unique architectures if necessary.
Will the SIM system
create alerts in real-time influenced by several compound events?
IT managers need to question
the vendor whether the SIM systems is able to
take diverse situations and actions occurring across an environment and decide
if all of any of them relate with a typical threat scenario.
IT managers must understand
if the SIM tool they intend to buy may be able to recognize blended threats
where the elements of worms, malicious code, viruses, and Trojans blend with
server and browser vulnerabilities to launch
and distribute an attack. SIM must incorporate the power to produce real-time
alerts created based on complicated, nested situations.
Does the SIM solution
provide active-response functionality?
A more advanced SIM functionality
is an active response. It means the system
takes specific actions on the basis of
the information gathers. In the event a
person working remotely is frequently trying
to gain access to a server without success utilizing the incorrect password,
the security information management product may cut out all traffic to this
must adhere to all company procedures. Since the self-regulating moves were taken by SIM
to stop a data breach can turn off many servers and result In wrong network functioning,
it should not become a cut-and-dried functionality. When thinking about internal
and external attacks, the technology should fully understand where to cut off
traffic and for what period of time. If
you think you want it, active-response is really
more challenging than it seems.#SIMtools