[ISN] RFP checklist: Security information management

Subject: [ISN] RFP checklist: Security information management
Date: Tue, 25 Apr 2006 02:27:39 -0500 (CDT)
http://www.gcn.com/print/25_8/40435-1.html

By David Essex
Special to GCN
04/17/06 issue

Looking to deploy a security information management solution? Before 
sending out an RFP or RFI, experts say you should consider the 
following: 

* Begin with the end in mind. Ask yourself what you want to achieve 
  with a SIM system, regardless of how you get there. Pay special 
  attention to the workflow between your security and operations teams, 
  and the reporting requirements of federal regulators such as the 
  Homeland Security Department's US-CERT. Business process, not 
  network architecture, is what really drives a SIM system. 

* Outline the additional, survivable storage infrastructure that may 
  be needed to keep SIM data not only available to security analysts 
  but archived for compliance. You might need to design a storage 
  hierarchy and buy new RAID devices, storage area networks and 
  appliances to ensure SIM data is available for a multitude of 
  security and compliance purposes, but at a cost that doesn't break 
  the budget. 

* Ask vendors how their products employ caching, failover and 
  redundancy in order to respond to a database crash. Don't overbuy 
  if your needs are modest enough to be served by an affordable 
  appliance that doesn't have failover features. 

* Choose your database wisely. Most vendors offer so-called 
  open-standards databases such as Oracle, but may keep their 
  programming hooks private. Some claim their proprietary databases 
  have performance and analytical advantages over more generic 
  relational databases. 

* Make sure the SIM product can collect all your relevant data, not 
  just from intrusion detection systems, firewalls and other security 
  devices, but also from operating systems and both custom and 
  commercial applications. If there's no prebuilt connector for a data 
  source, take a look at the vendor's integration wizards and support 
  services. 

* Ask the vendor how easy it is to customize the tool's correlation 
  rules to suit your unique environment. 

* Scrutinize scalability. Besides handling your current load of 
  security events (probably a bytes- or events-per-second number 
  that you already know), SIM solutions should scale up and out to 
  meet your anticipated growth. 

* Ask vendors to explain the assumptions behind their performance 
  metrics, which can vary. Rule of thumb: The more devices to monitor, 
  the heavier the data load. But be aware that once chosen, the vendor 
  will work closely with your agency to get a handle on your environment. 

* Look for a healthy complement of canned report formats for key 
  compliance regulations, especially FISMA, GLBA and HIPAA. 

* Watch out for version dissonance between your security devices and 
  the SIM product. If you've recently upgraded an IDS, for example, 
  make sure the vendor supports it or has plans for doing so. 

© 1996-2006 Post-Newsweek Media, Inc. All Rights Reserved.

