How to get the most out of a SIM

More on SIM SIM appliance helps with compliance, incident response Security information management finally arrives, thanks to enhanced features

However, a SIM can bring tremendous value by providing total visibility into your security posture, and by leveraging security products you already have. Regulatory compliance has been a top driver for SIM purchases, but there are a number of less obvious advantages that should be considered when selecting a product. The key to realizing the full value of a SIM is to understand all of its advantages and leveraging the product in a way that brings maximum benefit.

In the panoply of functions a SIM can provide, perhaps the foremost is absorbing the bulk of log data from IDS sensors, IPS devices and firewalls. In this sense, a SIM can act as an IDS console, helping navigate through what is normally an overwhelming amount of IDS data. That's easy enough, but that function alone often doesn't provide enough purchase value for organizations that already have an IDS console.

For a greater benefit, look beyond analysis of IDS events and focus on the SIM product's alerting and analysis capabilities. These features will be quickly appreciated by the security team, but other IT staff can find them useful as well. For example, most IDSes have a subset of signatures that help track virus-infected or Trojan-controlled systems. You can use SIM alerts to immediately send infected system data to the organization's help desk, enabling a more proactive approach to tracking and resolving these issues.

A SIM also collects firewall data, which can also be advantageous. How? Your SIM knows who the top talkers and listeners are on the network, and can probably help identify hot spots and hot protocols where some network engineering or bandwidth controls might be useful. When deploying a SIM, bring the network engineering team on board by sharing reports and dashboards that focus on bandwidth usage. A SIM might be the only system in your organization that can give this level of visibility into the network, irrespective of security concerns.

Thinking outside of the traditional security box is a good way to leverage a SIM's correlation engine and normalization capabilities. While SIMs might be focused on the security implications of the data they collect, every log message tells a story -- one that is generally buried in a pile of unrelated minutiae. For example, most devices can emit log messages that presage future failures, such as bad power supplies, fans or failing hard drives. Find those messages using your SIM and you can turn a future emergency failure into a planned maintenance window.

Another potential bonus lies in the piles of typically unexamined logs from Windows and Unix servers. Not every SIM specializes in Windows, but all the good ones are happy to accept Windows event logs, even if they require a conversion to the Syslog log-forwarding standard using a tool like Snare. While most system managers have already developed their own local methods for watching logs, a SIM provides a place to collect these logs, rules, and alerts in a single management console. When leveraging a SIM this way, you can reduce deployment time by eliminating the steps of installing and configuring local log watch tools. And, by cross-correlating events from multiple systems, you may gain greater security visibility than by considering each log one system at a time.

A SIM has to stand or fail on its own merits and for the task you bought it to handle. But taking advantage of the opportunities to leverage a SIM for greater network and system visibility and control will ensure your financial services organization makes the most of its investment.

About the author:
Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Arizona. He spends most of his time helping people build larger, faster, safer and more reliable networks. He is a frequent contributor to Information Security magazine and has advised and trained thousands of people privately and at conferences around the world on networking, security, messaging and VPNs.

Rate this Tip To rate tips, you must be a member of SearchFinancialSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Security Architecture Insider Security benefits of virtual desktop infrastructures How to secure data backup Too many encryption methods make secure communications difficult How to streamline role-based access control Five considerations for choosing network access control products Fighting fraud: Understanding technology and threats How to shift to centralized authentication and ease compliance Winning the war: Personal information protection Why financials must implement Web application security best practices Identity management for financial firms in turbulent times Network security devices for financial institutions Five considerations for choosing network access control products Organization aims to develop encryption standard for card data How to use data loss prevention tools to stop data exfiltration How to perform a network device audit Event data analysis Security on the street with SearchFinancialSecurity.com: Mobile banking Don't let fads dictate your network security strategy How to easily integrate managed email security services Integrating firewalls into your financial enterprise systems How to integrate network behavior anomaly detection into enterprise systems RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.