What is it, one might reasonably ask, that separates a SIM (security information manager) from a basic log-file aggregator? Both will, of course, aggregate log files, but a SIM must go further, gathering incident alerts and status conditions from a variety of network security and infrastructure sources. A good SIM will then add some intelligence to the mix, helping the security engineer figure out which information is worth his or her immediate attention and which can be ignored until time to pass a compliance audit.
This last step separates the very good SIM from the merely competent, and it’s where the security intelligence found in the Symantec SIM (SSIM) 9650 appliance shines. Like many SIMs, the Symantec system improves with each new data point (that is, component providing data) it has to chew on. Unlike many SIMs, Symantec’s has its own Global Intelligence Network of analysts, experts, and OPSIMs (other people’s SIMs) to throw into the intelligence mix.
If your network can provide a deep pool of data for the Symantec SIM to swim in, it can provide a wealth of detailed information to your security engineer. Be aware, though, that this isn’t a product for security novices. If you think of it as an able assistant to your in-house security expert, you’re on the right track. Given the system’s intelligence, it might be tempting for admins to treat the tool as an expert replacement. Doing so in a small network with relatively few data sources, you’re likely to be disappointed. If, on the other hand, you put one of these in a rich network beside a capable security staff, you’ll find it a truly valuable addition to your security infrastructure.
Looking at the network
As SIMs go, Symantec’s installs quickly. When you first connect to the SSIM appliance, you download the GUI app and get started. You’ll find two logical applications built in to the device: a Web interface for simple administration tasks and a dedicated GUI application for most of the heavy lifting in configuration and analysis.
In my testing, the setup process went smoothly. I experienced just a couple instances of whining because of some quirks in my test environment. The SSIM system isn’t particularly happy if you try to sequester it away from DNS (though it will operate after complaining for a few moments), and it uses self-signed certificates that are going to make some desktop clients antsy. As I said, for most production deployment, neither of these will be an issue, but there they are.
There are three broad areas of activity required to get you started: building an asset table, scanning for vulnerabilities, and establishing initial rules. You can perform that asset-table build either manually or automatically. Manual means either entering information through the keyboard (not recommended) or importing tables from just about any popular asset management system. If you don’t have an existing asset table handy, the SSIM will build a table by sniffing the traffic on the network — no active probing goes on. If you already have an asset management system in place, you’ll want to import the information so that it will be consistent across systems. If you haven’t taken the asset management step, discovery works well, though you’ll want to go back into the descriptions to add details (regarding certain system details and asset criticality) that just can’t be determined from network traffic alone.
The vulnerability scan is, of necessity, more active and intrusive. The system scans the network and compares the results against known vulnerability databases such as the National Vulnerability Database and the Open Source Vulnerability. The scan is the most benign sort; the SSIM doesn’t try to confirm the vulnerability by conducting an exploit.
With assets and vulnerabilities in the database, I looked at the rule set that shipped with the SSIM and found not much there: around 40 rules populating the set. The slim rule set might seem inadequate, but Symantec explained it’s a simple baseline; most of the production functionality comes from active data collected and is correlated during operations. I found that to be true, as the SSIM was able to construct information for reports and issue alerts based on information it received and built upon during the test. It’s certainly possible to add specific rules yourself, but the need to do that should be limited to unusual cases in your particular network
When networks go bad
For most security analysts, the SSIM dashboard will be the primary window into the appliance’s operation. The dashboard grants a real-time view of system operations, and it’s customizable across a variety of different values, including the usual criteria you want to see (top talkers, top destinations, alerts, and warnings) and others that are specific to the SSIM, such as alerts from the Global Intelligence Network. The dashboard is tightly tied to the GUI application but can be detached and run on a separate monitor while the GUI continues in administration mode.
The SSIM offers a dedicated report manager, which includes a built-in library of 273 queries that can be optimized for specific business needs. Among the queries are those designed for compliance reporting based on all the major federal regulations. Admins can modify the reports to meet the templates required by various compliance auditing organizations, though it’s important to remember that SSIM isn’t going to roll up all the reports you’ll need for most audits. You can count on it for summaries, but the details will still come from individual components.
The positive aspects of event correlation and the Global Intelligence Network start to become apparent when the SSIM issues individual incident alerts and warnings. The system will gather the information from the various components on the network and apply filters and rules to determine whether any given event is a simple anomaly or part of a larger issue, indicating malicious behavior. When an alert is issued, it comes with diagnostic information and possible mitigation steps based on data from the GIN. Information from the GIN also plays a significant role in determining the incident priority, based on type; target vulnerability, target sensitivity, and data sensitivity (the last two coming from data stored in the asset tracking table) also go into the calculation. Based on all this information, the SSIM will write a trouble ticket and provide some fairly basic ticket-tracking capabilities.
I found my only real disappointment with the SSIM to be the trouble-ticket feature. Although the SSIM issues trouble tickets and allows some rudimentary manual ticket tracking, it’s not a real trouble-ticket system. For example, the system will generate an initial ticket and allow you to manually close the ticket, but there’s no way to track the progress of a ticket, assign fine-grained assets to the ticket, or measure the effectiveness of the given assets in resolving issues. In short, the SSIM will spit out a trouble ticket, but that pretty much ends the system’s involvement in resolution management. That might be OK if Symantec provided hooks into existing trouble-ticket systems, but it doesn’t. I’m all right with the SSIM not being a trouble-ticket system on top of the other benefits it provides. Further, given a choice between not offering a trouble-ticketing system at all and offering a very rudimentary one as part of an otherwise complex product, the former makes sense. Still, I strongly recommend that Symantec spend some time on this shortcoming before the next major release.
Who needs a SSIM?
All told, Symantec SIM should be a fine fit in many enterprises, especially those that haven’t rolled their own set of reports and functions within an enterprise network management framework. The greatest benefit, though, would be to companies from the middle to the top of the SMB market; there likely would be a reasonable number of network components, but for which the Global Information Network would provide a real benefit in terms of additional correlation information. These “Big SMB” organizations will also likely have a competent security professional, but one who might well appreciate a bit of additional intelligence when it comes to figuring out what’s happening across the network.
The Symantec Security Information Manager 9650 is a solid piece of network security infrastructure that’s in the prime of its product life: old enough for serious development to have taken place, but not past its peak. It’s at the perfect point for serious consideration if you’re looking for a quality SIM.