[ISN] RFP checklist: Security information management

From: InfoSec News (isnc4i.org)
Date: Tue Apr 25 2006 - 02:27:39 CDT


http://www.gcn.com/print/25_8/40435-1.html

By David Essex
Special to GCN
04/17/06 issue

Looking to deploy a security information management solution? Before
sending out an RFP or RFI, experts say you should consider the
following:

* Begin with the end in mind. Ask yourself what you want to achieve
  with a SIM system, regardless of how you get there. Pay special
  attention to the workflow between your security and operations teams,
  and to the incident-reporting requirements of federal bodies such as
  the Homeland Security Department's US-CERT. Business process, not
  network architecture, is what really drives a SIM system.

* Outline the additional, survivable storage infrastructure that may
  be needed to keep SIM data not only available to security analysts
  but archived for compliance. You might need to design a storage
  hierarchy and buy new RAID devices, storage area networks and
  appliances to ensure SIM data is available for a multitude of
  security and compliance purposes, but at a cost that doesn't break
  the budget.

* Ask vendors how their products employ caching, failover and
  redundancy in order to respond to a database crash. Don't overbuy
  if your needs are modest enough to be served by an affordable
  appliance that doesn't have failover features.

* Choose your database wisely. Most vendors build on a so-called
  open-standards database such as Oracle, but may keep their schema
  and programming hooks private, so check whether you can query the
  event store directly or only through the vendor's own tools. Some
  claim their proprietary databases have performance and analytical
  advantages over generic relational databases.

* Make sure the SIM product can collect all your relevant data, not
  just from intrusion detection systems, firewalls and other security
  devices, but also from operating systems and both custom and
  commercial applications. If there's no prebuilt connector for a data
  source, take a look at the vendor's integration wizards and support
  services.

* Ask the vendor how easy it is to customize the tool's correlation
  rules to suit your unique environment.

* Scrutinize scalability. Besides handling your current load of
  security events (probably a bytes- or events-per-second number
  that you already know), SIM solutions should scale up and out to
  meet your anticipated growth.

* Ask vendors to explain the assumptions behind their performance
  metrics, which vary from product to product. Rule of thumb: the more
  devices you monitor, the heavier the data load. Once chosen, expect
  the vendor to work closely with your agency to get a handle on your
  environment.

* Look for a healthy complement of canned report formats for key
  compliance regulations, especially FISMA, GLBA and HIPAA.

* Watch out for version dissonance between your security devices and
  the SIM product. If you’ve recently upgraded an IDS, for example,
  make sure the vendor supports it or has plans for doing so.
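
Two of the checklist items, the events-per-second figure you should
already know for the scalability question and the question of how
easily correlation rules can be customized, are things you can work
through before the RFP goes out. The Python script below is an added
example, not part of the GCN article or any vendor's product. It parses
a constructed syslog-style sample (the hosts, addresses, process IDs
and messages are invented for illustration), reports peak and average
events-per-second and peak bytes-per-second so those numbers can be put
in the RFP, and applies one tunable correlation rule (N authentication
failures followed by a success from the same source within a time
window) to show concretely what "customizing a rule to your
environment" means. The `threshold` and `window_seconds` parameters are
hypothetical knobs for this example, not any product's rule syntax.

```python
"""Pre-RFP sizing and a tunable correlation rule over a constructed syslog sample."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a few minutes of syslog-style lines from a firewall,
# an IDS and two SSH servers. Hosts, addresses and messages are made up.
SAMPLE_LOG = """\
2006-04-17T09:00:00 fw1 kernel: DROP IN=eth0 SRC=10.9.8.7 DST=192.0.2.10 DPT=22
2006-04-17T09:00:00 web1 sshd[411]: Failed password for root from 10.9.8.7 port 40121 ssh2
2006-04-17T09:00:01 web1 sshd[412]: Failed password for root from 10.9.8.7 port 40122 ssh2
2006-04-17T09:00:01 web1 sshd[413]: Failed password for admin from 10.9.8.7 port 40123 ssh2
2006-04-17T09:00:01 ids1 snort: SSH brute-force attempt 10.9.8.7 -> 192.0.2.10
2006-04-17T09:00:02 web1 sshd[414]: Failed password for bob from 10.9.8.8 port 50001 ssh2
2006-04-17T09:00:03 web1 sshd[415]: Accepted password for bob from 10.9.8.8 port 50002 ssh2
2006-04-17T09:00:05 web1 sshd[416]: Accepted password for admin from 10.9.8.7 port 40124 ssh2
2006-04-17T09:01:40 web2 sshd[201]: Failed password for root from 10.9.8.9 port 3001 ssh2
2006-04-17T09:01:41 web2 sshd[202]: Failed password for root from 10.9.8.9 port 3002 ssh2
2006-04-17T09:01:42 web2 sshd[203]: Failed password for root from 10.9.8.9 port 3003 ssh2
this line has no syslog header and is skipped by the parser
2006-04-17T09:03:00 web2 sshd[204]: Accepted password for root from 10.9.8.9 port 3004 ssh2
"""

# "<ISO timestamp> <host> <program>[pid]: <message>"; the pid is optional.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")
OK_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")


def parse(text):
    """Turn raw lines into event dicts; lines without a syslog header are dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # a production connector would count these, not silently drop them
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "prog": m["prog"],
            "msg": m["msg"],
            "size": len(raw.encode()) + 1,  # bytes on the wire, newline included
        })
    return events


def load_profile(events):
    """Peak/average events-per-second and peak bytes-per-second: the sizing numbers for the RFP."""
    per_sec = defaultdict(lambda: [0, 0])  # second -> [event count, byte count]
    for e in events:
        bucket = per_sec[e["ts"].replace(microsecond=0)]
        bucket[0] += 1
        bucket[1] += e["size"]
    if not per_sec:
        return {"peak_eps": 0, "avg_eps": 0.0, "peak_bps": 0}
    span_seconds = (max(per_sec) - min(per_sec)).total_seconds() + 1
    return {
        "peak_eps": max(count for count, _ in per_sec.values()),
        "avg_eps": len(events) / span_seconds,
        "peak_bps": max(nbytes for _, nbytes in per_sec.values()),
    }


def brute_force_rule(events, threshold=3, window_seconds=60):
    """Alert when a source logs >= threshold SSH failures and then a success within the window.

    threshold and window_seconds are the knobs a site tunes: a jump host with
    fat-fingered admins wants a higher threshold than an Internet-facing box.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["prog"] != "sshd":
            continue
        fail = FAIL_RE.search(e["msg"])
        if fail:
            failures[fail["src"]].append(e["ts"])
            continue
        ok = OK_RE.search(e["msg"])
        if ok:
            recent = failures[ok["src"]]
            while recent and e["ts"] - recent[0] > window:
                recent.popleft()  # expire failures older than the window
            if len(recent) >= threshold:
                alerts.append({"src": ok["src"], "user": ok["user"], "host": e["host"],
                               "failures": len(recent), "at": e["ts"]})
                recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(load_profile(evs))
    for alert in brute_force_rule(evs):
        print(alert)
```

Run against a day of real logs, the peak values from `load_profile` are
the figure to put in the RFP and to hold the vendor's metrics against.
The rule shows why the customization question matters: with the default
60-second window only 10.9.8.7 alerts, while the slower attempt from
10.9.8.9 is caught only once the window is widened to 120 seconds, and a
threshold of 4 silences both.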

© 1996-2006 Post-Newsweek Media, Inc. All Rights Reserved.

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org