
Security Information Management Resource Guide

www.simbuyer.com

Version 2.01.B

Security Information Management is a critical component of secure business operations. This Guide presents helpful information about SIM from leading users and experts. To learn more about SIM and to access additional Resources, please visit www.simbuyer.com
Notes: The market uses the SIM, SEM and SIEM acronyms interchangeably. In this document, SIM stands in for Security Information Management (SIM), Security Event Management (SEM) and Security Information and Event Management (SIEM).
Citation: Each Resource is followed by a source line (author, publication and title) which identifies where additional information on that Resource can be found.

CONTENTS
- SIM: What is it?
- SIM Benefits: Where's the Value?
- SIM Buying Tips
- SIM Adoption and User Data
- Quotes by SIM Experts
- Quotes by SIM Users

SIM: What is it?


"One key piece of technology needed to address security risk is [SIM], a central logging and analysis solution that leverages the investment that has already been made in the organization's technology up to a higher, more useful level. Having a central analysis system reduces operational costs by freeing up other resources to focus on other critical issues. With this system, security analysts no longer waste time studying screens, trying to make sense of the data in disparate log files. It also acts as a focal point for real-time and forensic investigation, incident management, remediation, reporting, and compliance."
Brian Contos and Dave Kleiman, "Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures"

"With some subtle differences, there are four major functions of [SIM] solutions:
1. Log Consolidation (centralized logging to a server)
2. Threat Correlation (the artificial intelligence used to sort through multiple logs and log entries to identify attackers)
3. Incident Management (Workflow - What happens once a threat is identified? Link from identification to containment and eradication, Notification, Trouble Ticket Creation, Automated Responses, Response and Remediation logging)
4. Reporting (Operational Efficiency/Effectiveness, Compliance)."
David Swift, SANS Institute, "A Practical Application of SIM/SEM/SIEM Automating Threat Identification"

"[A SIEM system] takes input logs and alerts from a range of systems (firewalls, routers, anti-malware, servers, etc) and informs IT teams of unusual occurrences which warrant further investigation. As well as collecting and storing this raw log data, the system safeguards the data for subsequent audit needs and for compliance-aligned reporting. This same source data satisfies multiple needs and functions, in that the security team will use it to see if any breaches have occurred; the IT team will check to see if network devices are working correctly; the compliance team will check to see that security breaches have not occurred, and so on."
Jason Holloway, Help Net Security, "How To Prepare For a Security Information and Event Management Deployment"

"SIM provides a simple mechanism that allows security teams to collect and analyze vast amounts of security alert data. More specifically, SIM solutions collect, analyze and correlate - in real-time - all security device information across an entire enterprise. Correlated results are then displayed on a centralized real-time console that is part of an intuitive graphical user interface." "SIM can be divided into four different phases: Normalization, Aggregation, Correlation, and Visualization. SIM utilizes normalization, aggregation, and correlation to sift through mountains of security activity data on a real-time basis - correlating events, flagging and rating the potential seriousness of all attacks, compromises, and vulnerabilities."
Mjr. Ing. Albert Vajnyi and 1Lt. Ing. Boris Zemek, Armed Forces of the Slovak Republic, "Computer Forensics in Practice"

"SIEM [Security Information and Event Management] technologies collect and analyze security event and log data in real time (for threat management) and provide analysis and reporting on historical data (for security policy compliance monitoring). Collection and analysis are supported for a wide variety of sources, which include: network and security devices, server, database and application logs, and output of security-relevant applications, such as enterprise directories, user provisioning and access management. Correlation capabilities are used to analyze data from multiple sources."
Gartner, "Security Information and Event Management Complement Identity and Access Management Audits"

Published by NorthPage Research, www.northpage.com, Southbury, CT USA. NorthPage Research LLC. All rights reserved.

"Simply put, SIM software helps automate the collection of event log data from firewalls, proxy servers, anti-virus software, intrusion detection systems and other security devices and then translates the data into formats useful for a variety of security reporting and analysis."
Karen D. Schwartz, eWeek, "Security SIMplified"

"SIM products...have a few core pieces that make them tick: centralized monitoring, reporting and policies. These products take information from the majority of the infrastructure (tools such as firewalls, routers, IDS sensors and AV scanners), put it all in a central location and let security managers decide what happens when certain events occur. Policies can be as simple as, 'If you see a virus, send me an e-mail', to something more complex, such as, 'If you see what looks like a worm infection due to a sudden increase in logon failures and SMTP traffic from the same PC and it is on my remote network, notify the on-call IT staff.' Later on, to satisfy audit requirements, the consolidated database can be consulted."
Gartner, "Security Information and Event Management Complement Identity and Access Management Audits"

"Security information-management (SIM) products (also referred to as Security Event Management wares) automate the manual process of collecting security-specific event-log data from file systems, security appliances and other network devices. The latter include firewalls, proxy servers, intrusion-detection systems, intrusion-prevention systems, routers and switches, and antispam, antivirus and antispyware software. SIM has data-aggregation and network event-correlation features similar to those found in network management software."
Network World, "SIM (Security information management)"

"A SIM automates collection and analysis of information from all the security components in a network. Rather than having to look at logs and alerts from firewall, IDS, anti-virus, VPN, and other security systems, a security manager can obtain all of this information from a single SIM console."
Curtis Franklin, Jr., InfoWorld, "Security Information Management Buyer's Guide"

"A SIM can be separated into four functional areas. First, a SIM collects and stores logs from network devices, security devices/applications and host operating systems/applications. Second, a SIM correlates logs from various sources and produces alerts regarding important security issues. Third, a SIM typically provides a ticketing system or automated remediation options used to address and resolve security alerts. Fourth, a SIM provides a reporting mechanism for compliance, auditing and security monitoring."
Jim Beechey, "Log Management SIMetry: A Step by Step Guide to Selecting the Correct Solution"

Forensic-focused SIM:
- Expert Data Mining
- Pure Log Storage
- 'Low and Slow' Detection
- Post-event Analysis
- Long-term Coverage
- Limited Automation
- Limited Correlation
Real-time SIM:
- Streaming Data View
- Normalized Data Storage
- Rapid Detection
- Response
- Current Event Analysis
- Easy Automation
- Limited Data Mining
- Limited Pure Storage
Nicole Pauls, Information Systems Audit and Control Association, "Security Information Management: Not Just the Next Big Thing"

"SEM tools analyze cryptic technology logs so large organizations can assess real-time events, detect ongoing attacks, and sound emergency alarms. As such, SEM acts like a security transaction processing system that plows through massive amounts of data at all times to find security event needles in massive log file haystacks."
Jon Oltsik, Senior Analyst, Enterprise Strategy Group, "The SIEM Architecture"
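Vajnyi and Zemek's phases (normalization, aggregation, correlation) and the worm-infection policy quoted above ("a sudden increase in logon failures and SMTP traffic from the same PC and it is on my remote network") describe the mechanism behind every product on this page. The script below is an added example of the first three phases, written for this guide; it is not code from any of the cited sources or products. It parses two constructed log formats (a hypothetical Windows security-log export and iptables-style firewall syslog), folds them into one event schema, counts events per host, and fires the worm rule only when a host inside an assumed "remote network" (10.8.0.0/16) produces at least three logon failures and three outbound SMTP connections within one 60-second window. The hosts, addresses, the export format and the 2008 syslog year are assumptions of the example.

```python
"""Toy SIM pipeline: normalise -> aggregate -> correlate, over constructed log lines."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real logs): a hypothetical Windows security-log
# export (EventID 4625 = failed logon, 4624 = success) and iptables-style syslog.
RAW_LOGS = [
    "2008-03-10T09:00:05 WIN-DC01 EventID=4625 SrcIP=10.8.1.25 User=jdoe Status=FAILED",
    "2008-03-10T09:00:07 WIN-DC01 EventID=4625 SrcIP=10.8.1.25 User=admin Status=FAILED",
    "2008-03-10T09:00:09 WIN-DC01 EventID=4625 SrcIP=10.8.1.25 User=backup Status=FAILED",
    "2008-03-10T09:00:11 WIN-DC01 EventID=4624 SrcIP=10.1.0.5 User=alice Status=SUCCESS",
    "2008-03-10T09:00:20 WIN-DC01 EventID=4625 SrcIP=10.1.0.5 User=alice Status=FAILED",
    "2008-03-10T09:00:22 WIN-DC01 EventID=4625 SrcIP=10.1.0.5 User=alice Status=FAILED",
    "2008-03-10T09:00:24 WIN-DC01 EventID=4625 SrcIP=10.1.0.5 User=alice Status=FAILED",
    "Mar 10 09:00:12 fw01 kernel: ACCEPT SRC=10.8.1.25 DST=203.0.113.9 PROTO=TCP DPT=25",
    "Mar 10 09:00:13 fw01 kernel: ACCEPT SRC=10.8.1.25 DST=203.0.113.10 PROTO=TCP DPT=25",
    "Mar 10 09:00:14 fw01 kernel: ACCEPT SRC=10.8.1.25 DST=203.0.113.11 PROTO=TCP DPT=25",
    "Mar 10 09:00:15 fw01 kernel: ACCEPT SRC=10.8.1.25 DST=203.0.113.12 PROTO=TCP DPT=25",
    "Mar 10 09:00:30 fw01 kernel: ACCEPT SRC=10.1.0.5 DST=203.0.113.9 PROTO=TCP DPT=25",
    "Mar 10 09:00:31 fw01 kernel: ACCEPT SRC=10.1.0.5 DST=203.0.113.10 PROTO=TCP DPT=25",
    "Mar 10 09:00:32 fw01 kernel: ACCEPT SRC=10.1.0.5 DST=203.0.113.11 PROTO=TCP DPT=25",
    "Mar 10 09:00:40 fw01 kernel: ACCEPT SRC=10.8.2.7 DST=203.0.113.9 PROTO=TCP DPT=443",
    "Mar 10 09:05:00 fw01 kernel: DROP SRC=198.51.100.4 DST=10.8.1.25 PROTO=TCP DPT=445",
]

WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) SrcIP=(?P<ip>\S+) "
                    r"User=\S+ Status=\S+$")
FW_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                   r"(?P<action>\w+) SRC=(?P<src>\S+) DST=\S+ PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$")
SYSLOG_YEAR = 2008              # assumption: BSD syslog timestamps carry no year
REMOTE_NETS = ("10.8.0.0/16",)  # assumption: the branch-office ("remote network") ranges
WIN_TYPES = {"4625": "logon_failure", "4624": "logon_success"}


def normalize(line):
    """Phase 1: map one raw line from any known source onto the common schema
    {ts, src_ip, type, source}; returns None for a format the parser does not know."""
    m = WIN_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "src_ip": m["ip"],
                "type": WIN_TYPES.get(m["eid"], "win_" + m["eid"]), "source": m["host"]}
    m = FW_RE.match(line)
    if m:
        smtp = m["action"] == "ACCEPT" and m["proto"] == "TCP" and m["dpt"] == "25"
        return {"ts": datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "src_ip": m["src"], "source": m["host"],
                "type": "smtp_out" if smtp else "fw_" + m["action"].lower()}
    return None


def aggregate(events):
    """Phase 2: collapse normalised events into per-host counts by event type."""
    counts = defaultdict(Counter)
    for ev in events:
        counts[ev["src_ip"]][ev["type"]] += 1
    return counts


def correlate(events, min_failures=3, min_smtp=3, window_seconds=60, remote_nets=REMOTE_NETS):
    """Phase 3: the worm rule quoted in the guide. Fires when one remote-network host shows
    >= min_failures logon failures AND >= min_smtp outbound SMTP connections in one window."""
    nets = [ipaddress.ip_network(n) for n in remote_nets]
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_host.items():
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            continue                    # asset context: the rule is scoped to remote hosts
        for i, first in enumerate(evs):  # slide the window across this host's events
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            c = Counter(e["type"] for e in in_window)
            if c["logon_failure"] >= min_failures and c["smtp_out"] >= min_smtp:
                alerts.append({"rule": "possible_worm", "src_ip": ip, "start": first["ts"],
                               "failures": c["logon_failure"], "smtp": c["smtp_out"],
                               "action": "notify on-call IT"})
                break                   # one alert per host, not one per matching event
    return alerts


def run(raw_lines):
    """Whole pipeline; 'reduction' is the share of raw lines an analyst no longer reads."""
    events = [ev for ev in map(normalize, raw_lines) if ev is not None]
    alerts = correlate(events)
    return {"raw": len(raw_lines), "normalized": len(events), "alerts": alerts,
            "reduction": 1 - len(alerts) / len(raw_lines)}


if __name__ == "__main__":
    result = run(RAW_LOGS)
    for a in result["alerts"]:
        print(f"{a['start']} {a['src_ip']} {a['rule']}: {a['failures']} logon failures, "
              f"{a['smtp']} SMTP connections -> {a['action']}")
    print(f"{result['raw']} raw lines -> {len(result['alerts'])} alert(s), "
          f"reduction {result['reduction']:.1%}")
```

Run as-is it reports one alert, for 10.8.1.25, out of 16 raw lines. Host 10.1.0.5 shows the same failure-then-SMTP pattern but sits outside the assumed remote range, so it is deliberately not raised: the asset context in the rule is what keeps the alert list short, and the one-alert-per-host `break` does the same job at the output end, since without it a single infected PC would page the on-call staff once per matching event. Shrinking the window to a few seconds makes the rule miss the sample host entirely, which is the usual tuning trade-off between false positives and slow-moving infections.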

SIM Benefits: Where's the Value?


"There are two key benefits to [SIM] data aggregation: First, it reduces the cost and improves the effectiveness of security monitoring. Second, it simplifies and improves reporting of security information for audits in support of regulatory compliance. HIPAA, Sarbanes-Oxley, GLB, and FISMA -- and the consequences of noncompliance -- are prime driving factors in the increased deployment of SIMs."
Curtis Franklin, Jr., InfoWorld, "Security Information Management Buyer's Guide"

"I believe the most compelling reason for a [SIM] tool from an operational perspective is to reduce the number of security events on any given day to a manageable, actionable list, and to automate analysis such that real attacks and intruders can be discerned. As a whole, the number of IT professionals, and security focused individuals at any given company has decreased relative to the complexity and capabilities demanded by an increasingly internetworked web. While one solution may have dozens of highly skilled security engineers on staff poring through individual event logs to identify threats, [SIM] attempts to automate that process and can achieve a legitimate reduction of 99.9+% of security event data while actually increasing effective detection over traditional human driven monitoring."
David Swift, SANS Institute, "A Practical Application of SIM/SEM/SIEM Automating Threat Identification"

"For years, Reynolds' staff relied on manual monitoring of network activity to make sure nothing malicious was occurring. Unfortunately, Reynolds' security staff consisted of two full-time employees. Manually monitoring firewall logs and other data streams produced by the 50,000 hosts on the university's network was not realistic." and "The [SIEM] product immediately detected quite a few hosts that were controlled by botnets. It also detected individuals scanning the university's honeynet, a network with intentional vulnerabilities aimed at attracting malicious traffic so that it can be identified. [The SIEM product] was able to detect similar vulnerability scans hitting the production network, attacks that in the past had gone undetected."
Shamus McGillicuddy, SearchNetworking.com, "SIEM Platform Secures University's Open Network"

"It's hard to quantify in hard figures, but if we had not been able to use this technology [SIM] we would have had to invest in a systems administrator to do this work; and from a security standpoint, we wouldn't have such visibility into our entire environment." and "Among the many benefits of CEC's estimated $400,000 [SIM] investment are SOX compliance and comprehensive reporting, combined external and internal threat management, improved security-threat response time, and increased ROI on IT resources."
Michael Gabriel, Career Education Corporation, "Career Education Corp. Gets Smart on IT Security"

"The power of SIM technology allows a relatively small security staff to dramatically reduce the time between attack and response."
Mjr. Ing. Albert Vajnyi and 1Lt. Ing. Boris Zemek, Armed Forces of the Slovak Republic, "Computer Forensics in Practice"

"The most important benefit of a Security Information Management System deployment within an organization is the forensic information they can provide, by allowing specific queries regarding the source and destination as well as the time and type of an incident."
Sarandis Mitropoulos, Dimitrios Patsos and Christos Douligeris, Elsevier, "On Incident Handling and Response: A State-of-the-art Approach"

"In summary, SIM provides centralized network monitoring, automatically pulls logs from multiple devices, eliminates the need for manually intensive analysis, eliminates the need to respond to threats manually, and provides reporting capabilities required for daily review by State & University audits and security guidelines."
Lynn Ray, Towson University, "Centralizing and Analyzing Security Events: Deploying Security Information Management Systems"

"In this case, using a SIEM allows the company's security team (2 people in an IT staff of 5) to respond to 170 critical and major alerts per day (likely to decrease as the worst offenders are firewalled out, and the worst offenses dealt with), rather than nearly 400,000."
David Swift, SANS Institute, "A Practical Application of SIM/SEM/SIEM Automating Threat Identification"

"In a[n internal] study designed to measure ROI of integrating SIMs into network services at [our company], one of the biggest surprises was how beneficial 'early' cross training was. [Our company] sent a senior information security analyst (SISA) and a senior network engineer (SNE) to an offsite vendor cross-training program. For a period of six months following the formal training, two network personnel worked with the SIM team rotating shifts for six hours per week. The SISA also spent time with the network team, working on fine-tuning the HP OpenView tool and managed to send its SNMP traps to the SIM database. A study showed that productivity of both departments increased by more than 22% in the last quarter of fiscal year 2007. However, the intangible and immeasurable index of team building and increased integration effort are invaluable."
Sasan Hamidi, Chief Security Officer, Interval International, "Challenges Behind Operational Integration of Security and Network Management"

SIEM benefits from an advanced implementation in the energy sector:
1) Unique integration of novel defenses with existing best practices.
2) Breakthrough global situational awareness while preserving confidentiality of individual defensive postures.
3) Extensible, expandable, and flexible to protect current and future control systems.
Alfonso Valdes, Senior Computer Scientist, SRI International, "Roadmap to Secure Control Systems in the Energy Sector"

"[SIM] greatly reduces false positives, defines effective mitigation responses, provides quick and easy access to audit compliance reports, the ability to visualize the attack path and ID the source of threats, and makes precise recommendations for removal of threats."
Lynn Ray, Towson University, "Centralizing and Analyzing Security Events: Deploying Security Information Management Systems"

SIM Buying Tips


"...we believe there is room for both traditional log management tools and the real-time analysis capabilities provided by SIEM tools, but we suspect that organizations would prefer to go to a single vendor for both. Clearly organizations have to solve the first problem (log management) in order to address the second (analysis and monitoring), but the wise purchaser will know that after the first problem is addressed the second will become immediately apparent. Plan accordingly."
Greg Shipley, CIO Magazine, "Are SIEM and Log Management the Same Thing?"

Key questions to ask when selecting a SIM solution:
- How does the SIM get information?
- Where will the [SIM] information be processed?
- How will [SIM] information be correlated?
- How are reports generated?
- How can you look at highlighted incidents?
- How easily can you highlight a particular time period and analyse traffic by the criteria that you specify?
- How easy does the correlation engine within the client make it to look for patterns within a specified time?
- How can you share information with other applications?
- How easy is the SIM to install and configure?
- Does the SIM initiate scans of devices on the network, or does it simply sniff the traffic stream for events, assets, and suspicious traffic patterns?
Curtis Franklin, Jr., Information Age, "Security Information Management"

Security Information Management RFP Checklist:
1) Begin with the end in mind. Ask what you want to achieve with a security information management system.
2) Outline additional, survivable storage infrastructure that may be needed to keep security information management data not only available to security analysts but also archived for compliance.
3) Ask vendors how their products use caching, failover and redundancy to respond to a database crash.
4) Choose the database wisely. Most vendors offer so-called open-standards databases, such as Oracle Database, but some may keep their programming hooks private.
5) Make sure the product can collect all relevant data, not only from intrusion detection systems, firewalls and other security devices, but also from operating systems and both custom and commercial applications.
6) Ask vendors how easy it is to customize correlation rules for a unique environment.
7) Scrutinize scalability.
8) Ask vendors to explain the assumptions behind their performance metrics.
9) Look for a healthy complement of canned report formats for key compliance regulations.
10) Watch for version dissonance between your security devices and the security information management product.
David Essex, Washington Technology, "Calm Amidst the Storm"

Key questions when buying a SIM solution:
- How does the SIM get information?
- Where will the information be processed?
- How will the information be correlated?
- How are reports generated?
- How can you look at highlighted incidents?
- How can you share information with other applications?
- How easy is the SIM to install and configure?
Curtis Franklin, Jr., InfoWorld, "Security Information Management Buyer's Guide"

SIM Adoption & User Data


"The past three years have been a boon for the SIEM market, with 85% growth in 2005, followed by 52% and 30% growth in 2006 and 2007, respectively, according to research by Stamford, Conn.-based Gartner. Analysts at Gartner expect that growth to hold steady this year (2008) and drop off slightly in the following years as the market becomes saturated."
Zach Church, SearchCIO, "Compliance-Burdened CIOs Turning to Security Management Tools"

Key considerations when shopping for SIM vendors:
1) Learn about the organization, not just the product and its price tag (though SIM products do have a large price variance).
2) Read the customer testimonials to understand what kind of problems customers were able to solve.
3) Make sure the critical assets, such as servers and firewalls, can be covered, but leave room for some flexibility.
4) See a product demonstration, preferably a live system where the flow of data can be seen.
5) Ask questions of the sales team that they may not be able to answer. The purchaser has to live with this product, and he/she needs to be confident that the vendor as a whole is doing what is in his/her best interest and the product is going to address the organization's needs.
6) Get a feel for how the product is deployed and what the responsibilities are going to be during deployment. It is pretty safe to assume that the SIM vendors have deployed more SIM solutions than the buyer, so they should be able to answer any questions about how they will deploy in the organization's environment.
Nicole Pauls, Information Systems Audit and Control Association, "Security Information Management: Not Just the Next Big Thing"

"In a typical organization, millions of logs are generated by every system, application and device on the network every day. According to the SANS Institute, logs represent up to 25% of the total data created in a typical enterprise."
Chris Petersen, Network World, "Log and Event Management Appliances Improve Compliance, Security, Operations"

5 questions to ask when evaluating SIM products:
- How does the product scale?
- Does the product include log-management features?
- Can it accept data from other security-management products, databases, or third-party systems?
- Can the product generate alerts in real-time based on complex events?
- Does the product offer 'active response' capabilities?
Denise Dubie, Network World, "What to Ask When Buying Security Information Management"

"[The Forrester report predicts that] companies with fewer than 1,000 employees using SIM will reach 30 percent by 2011." and "A September [2007] study by Aberdeen Group, for example, found that while 33 percent of companies with 50 to 1,000 employees currently use SIM tools, that number is expected to rise to 41 percent within the next 12 months. According to the Aberdeen study, the primary driver for the move by SMBs to SIM technology is protection of the organization and brand, followed by a need to comply with government regulations and internal policies."
Karen D. Schwartz, eWeek, "Security SIMplified"

"Organizations are elevating governance associated with information security by creating a security intelligence function, centralizing security information management, and investing in new technologies and processes to analyze disparate sets of security-oriented data. The number of companies now employing a chief security officer (CSO) or chief information security officer (CISO) increased from 15 percent last year to 20 percent this year, and a higher percent of senior security executives now report directly to the CEO or to the board."
Emily Stapf, Christopher Morris and David Burg, PricewaterhouseCoopers, "Information Technology Security Trends"

From a survey of 109 security professionals, 39% of the respondents indicated that they use a Security Event Monitoring (SEM)/Security Incident Monitoring (SIM) platform when sharing intellectual property with business partners to monitor its access, usage, and other security policies.
Jon Oltsik, Senior Analyst, Enterprise Strategy Group, "Extending Intellectual Property Protection Beyond the Firewall"

Quotes by SIM Experts


"I'm continually asked 'Who do I bop on the head?' by clients when deploying security tools. [SIM] can answer that question better than any other tool I've seen."
David Swift, SANS Institute, "A Practical Application of SIM/SEM/SIEM Automating Threat Identification"

From a study of 1,000 information security professionals: "How do you believe your organization would detect malicious planning and/or suspicious behavior that could occur prior to an internal attack?" Review network logs (80%), firewall logs (75%) and application logs (68%).
Jon Oltsik, Senior Analyst, Enterprise Strategy Group, "The Case for Data Leakage Prevention Solutions"

"[SIM] tools are fast becoming must-haves for security teams wanting more visibility into IT activity within their environment."
Paul Stamp, Forrester Research, "Best Practices for a Successful SIM Deployment"

"More than one-third of enterprises plan to have adopted SIM technology by mid-2008. Interestingly, most of them are driven by compliance mandates more than a desire to create a world-class security operations center or to improve investigative capabilities."
Paul Stamp, Forrester Research, "Big Changes Are Ahead For The SIM Marketplace"

"You cannot simply throw the [SIM] box in and assume that it will tell you what you need to know about your security or network posture. You have to be willing to actually look deep into what you really care about and either write or activate rules that will make the SIM product work."
Joel Snyder, Opus One, "Best Practices for a Successful SIM Deployment"

A data-driven study documenting the state of data breaches in the enterprise. It includes several SIM-related data points, among them that more than 73% of companies that experienced a data breach had not invested in event management security tools. Another SIM-related survey item: asked "Based on your experience, what are you doing today to prevent and detect a breach event?", 27 percent said "Investing in security event management tools".
Ponemon Institute, "The Business Impact of Data Breach"

"...If you look at SIM from a security professional's perspective, the idea of integrating and correlating security information from a variety of data sources is compelling. Just think: How great would it be to look at one screen, or one dashboard, and be able to pinpoint problems, maybe even before they occur?"
Mike Rothman, SearchSecurity, "Security Information Management Finally Arrives, Thanks to Enhanced Features"

"Security risks have proliferated and have become so technical in nature that they are now not manageable without suitable security technology."
E. Eugene Schultz, High Tower, "The Evolution of Threats and Their Impact upon Technology"

"The sheer number of regulations and the consequences of not complying with them means information security has become a board-level issue."
Ernst & Young, "IT Security is now a Boardroom Issue"

"It is impossible to predict all threats, meaning that threat management has a large detection and response component."
Gunnar Peterson, Arctec Group, "Security Architecture Blueprint"

"Using log files as an exclusive data source for anticipating, detecting and reacting to data breaches is a bit like reading random pages of War and Peace; it is hard to understand the story when the data is indiscriminate in nature and lacks context."
Jon Oltsik, Senior Analyst, Enterprise Strategy Group, "The Case for Data Leakage Prevention Solutions"

Quotes by SIM Users


"SIM, like other technologies, requires an initial upfront investment in time and resources, but the payoff is worth it. SIMs force you to understand what your business processes are and what your networks look like, but that in itself is a good thing."
Jim Granger, Technical Director, Navy Cyber Defense Operations Command, "A New Awareness for SIMs"

"Being in the financial industry, using [SIM] has made it easier for us to prove we are monitoring our environment in line with industry standards for security."
Robert Martin, Vice President and Security Officer, Fiserv, "Tools Address Security Concerns"

"It's hard to quantify in hard figures, but if we had not been able to use this technology [SIM] we would have had to invest in a systems administrator to do this work; and from a security standpoint, we wouldn't have such visibility into our entire environment."
Michael Gabriel, Career Education Corporation, "Career Education Corp. Gets Smart on IT Security"

"The power of SIM technology allows a relatively small security staff to dramatically reduce the time between attack and response."
Mjr. Ing. Albert Vajnyi and 1Lt. Ing. Boris Zemek, Armed Forces of the Slovak Republic, "Computer Forensics in Practice"

"Depending on the time of day, we have 5,000 to 10,000 events per second. We needed something that scaled to our size and would be proactive in watching the links in real time so we can fix it quickly." and "We are taking the data from all those different sources and dumping it into the [SIM solution] so we can correlate the data." and "Sometimes when stuff is happening, you can't visualize it when just seeing the raw data. But with a [SIM] visualization tool, you can play events back and see what devices it is hitting and track it back. We are getting to the point where when something is happening, we can see which port in the entire network it is coming from, and there are quite a few thousand switches out there."
Dan Lukas, Lead Security Architect, Aurora Health, "Using SIM Software to Deal with Security Overload"

"Our goal was to get people to the point where they're not mechanics trying to keep the thing running but move them to where they're focusing on dealing with the security issues that are actually coming up."
Glenn Haar, IT Resource Manager, Idaho State Tax Commission, "A New Awareness for SIMs"

"[Our SIEM implementation] allows us to be a lot more responsive in taking decisive action in remediating some of the problems we're seeing. Ideally, we'd love to catch 100% of the problems and vulnerabilities that are out there, but that's not going to happen, based on just sheer magnitude. But it's putting us in a position to be alerted when suspicious activities or footprints are noted on the network."
Morris Reynolds, Director of Information Security and Access Management, Wayne State University, "SIEM Platform Secures University's Open Network"

"We had a data overload problem. We had too many people doing computer work. People don't crawl through logs very well."
Glen Sharlun, Marine Corps Network Operations and Security Command, "SIM City and the Network"

SIM Reference Materials


The Beginner's Guide to Security Information Management is a sampling of the library of high-quality information available in the Security Information Management Resource Guide at www.simbuyer.com. Visit the Guide:
- To learn how leading organizations are implementing SIM
- To save time learning about the latest trends and insights from industry experts
- To help you make better decisions about SIM for your organization
- To weigh SIM's costs, benefits and risks
- To gain access to valuable SIM best practices
- To access the newest Resources added to the SIM Resource Guide
- To download the IT Manager's Guide to SIM and the SIM Best Practices Guide