Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Review: Security Information Management Products

Security teams ask a lot of today's SIM platforms. We want them to take data from a dizzying array of sources--ArcSight ESM alone supports more than 200 log formats--then determine what's important out of the collected information, store terabytes of data online for analysis and trending, all while meeting both real-time analysis and historical reporting needs. Complicating matters, not all organizations ask for the same things; some are focused on compliance and reporting, while others are more concerned about monitoring and incident handling. Any one of these presents a difficult challenge, yet today's security information management platform vendors seem interested in tackling most, if not all, scenarios.


Those familiar with the SIM arena will note that our review has a number of new players, while a few old faces are conspicuously absent. We invited 13 vendors to send their latest offerings to our Chicago Neohapsis Real-World Labs®. We required that products support at least 12 log formats natively, centralize log data and provide an analysis component for reducing the amount of information a human operator must process. ArcSight, High Tower Software, LogLogic, Network Intelligence, OpenService, Q1 Labs, SenSage and Symantec accepted. Long-time players eSecurity (now owned by Novell), Intellitactics, netForensics and Guarded.Net (now owned by IBM) declined, as did Cisco Systems. CA indicated interest but never sent product, and we didn't learn of eIQnetworks and TriGeo Network Security until after our testing deadline.

Of the original pack of well-known SIM vendors, only ArcSight and Network Intelligence participated, which we take as a sign that the functionality gap between leaders and followers might be growing. We wonder if some older SIM vendors have fallen even further behind.

Our evaluation requirements focused on data transportation, storage, reporting, and both real-time and forensic-analysis tools. Our test environment consisted of varying types of devices, ranging from Windows 2000, 2003 and Linux systems to firewalls, VPN concentrators, IDSs, and infrastructure devices, such as routers and switches. Our plan was to bring each system into our lab, have vendor reps install and configure it, then incorporate the product into our day-to-day operational activities. We were hoping the process would be straightforward, but what ensued was a months-long engagement during which we learned about differing UIs, terminology, architectures, scripting languages, correlation strategies and investigative toolsets.

  • 1