NetIQ Security Manager has solid SIEM foundation

NetIQ's Security Manager is a suite of Microsoft Windows-based software applications that provide the security functionality to complement NetIQ's existing AppManager performance and availability products.

Editor's note: This is a summary of our testing of this product; for a full rundown of how it fared in our testing across SIEM categories, please see our full coverage.

NetIQ sells the Security Manager product as both a stand-alone offering and an integrated component of AppManager. In our tests, we deployed it solo. As it currently stands, NetIQ has the foundations of a good SIEM platform in place, but Security Manager still requires improvements in a few critical areas.


Security Manager is the only product we tested that is delivered solely as software, a fact that yields a pretty high pain factor right from the get-go. Before we could even start the device provisioning process, we had to first install four Windows 2003 servers, two instances of SQL Server 2005 (one Enterprise Edition), SQL Server 2005 Analysis Services, and SQL Server 2005 Integration Services. These installations were performed on a dual-processor, dual-core system with 4GB of memory, which is not exactly a lightweight helping of hardware. The Microsoft infrastructure had to be up and running before we could start the NetIQ software installation, which wasn't quick, either. After another set of about a dozen Security Manager component installations, we had to configure the NetIQ infrastructure, and then, and only then, could we start configuring devices to send log information.

A day of software installation, while painful, would have been tolerable if the pain ended there, but unfortunately it didn't. Because the NetIQ agents are unable to accept event feeds from differing device types (such as a Cisco firewall and a Snort IDS sensor), we had to deploy new agents for every new device type we brought online. Fortunately, NetIQ is aware of this problem and plans on releasing a more mature syslog agent later this year, but this oversight makes the product a real bear on the installation front.

Once up and running, the product contains the basics of a SIEM platform: basic levels of correlation for event reduction, a reporting engine, an alert viewer and an analysis workbench. Unlike most of the other SIEM products tested, however, NetIQ requires Windows "fat" clients to be installed on monitored devices, and there's an assortment of them in use, as we've noted above.

NetIQ is in the middle of a user interface consolidation project, which is needed because some administrative features are available from the "Development Console" client, others from the "Security Manager Control Center" client, and some reside in both. Not ideal, but this didn't bother us too much after we got used to the processes. It seems that the Control Center is where most of the features will eventually wind up. To NetIQ's credit, the user interface is laid out fairly logically in Control Center. Those who are familiar with the toolbar and pane model used by Microsoft Outlook will find it particularly easy to pick up.

The most distinctive part of Security Manager is its viewer for the Forensic Analyst Reports. It provides a typical grid view of returned event data in sortable columns. What makes it unique is that you can drag critical columns to a special area of the screen and it will dynamically sort the results, collapse like fields, and create pivot points for further drill-down and expansion. This makes it a lot easier to view larger volumes of data on one screen and "slice and dice" it when doing incident investigation work. The tool is quite helpful, and it would have been nice to have this functionality in the other products.
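To make the pivot-and-drill-down idea concrete, here is an added example (not NetIQ code, and not the viewer's actual implementation) that groups a constructed set of security events by the columns an analyst "drags" into the pivot area, collapses like values into counts, and lets you drill into one bucket. The events, device names and field names are constructed for illustration.

```python
"""Pivot-style grouping of security events, in the spirit of the Forensic
Analyst Report viewer described above. Added example, not NetIQ's code.
All sample events below are constructed, not real log data."""
from collections import Counter, defaultdict

# Constructed sample events (hypothetical devices and addresses)
EVENTS = [
    {"src_ip": "10.0.0.5", "device": "cisco-fw", "action": "deny", "dst_port": 22},
    {"src_ip": "10.0.0.5", "device": "cisco-fw", "action": "deny", "dst_port": 23},
    {"src_ip": "10.0.0.5", "device": "snort", "action": "alert", "dst_port": 22},
    {"src_ip": "10.0.0.9", "device": "cisco-fw", "action": "allow", "dst_port": 443},
    {"src_ip": "10.0.0.9", "device": "cisco-fw", "action": "allow", "dst_port": 443},
    {"src_ip": "192.168.1.2", "device": "win-server", "action": "logon_fail", "dst_port": 445},
]


def pivot(events, columns):
    """Group events by the given column names, in order, like dragging
    columns to the pivot area one after another. Returns a nested dict
    whose leaves are lists of the matching events; like values of each
    column are collapsed into one bucket."""
    if not columns:
        return list(events)
    key, rest = columns[0], columns[1:]
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev.get(key)].append(ev)
    return {value: pivot(evs, rest) for value, evs in buckets.items()}


def counts(tree):
    """Collapse a pivot tree into event counts per bucket, the summary
    view an analyst sees before expanding a pivot point."""
    if isinstance(tree, list):
        return len(tree)
    return {value: counts(sub) for value, sub in tree.items()}


def drill_down(tree, path):
    """Expand one pivot point by walking the chosen values,
    e.g. ["10.0.0.5", "cisco-fw"] -> the events behind that cell."""
    node = tree
    for value in path:
        node = node[value]
    return node


def top_sources(events, n=2):
    """The sortable-column view: sources ranked by event volume."""
    return Counter(ev["src_ip"] for ev in events).most_common(n)


if __name__ == "__main__":
    tree = pivot(EVENTS, ["src_ip", "device"])
    print(counts(tree))
    print(drill_down(tree, ["10.0.0.5", "cisco-fw"]))
    print(top_sources(EVENTS))
```

The nesting order of `columns` is the pivot order: grouping by `src_ip` then `device` answers "which devices saw this host," while reversing it answers "which hosts did this device report," which is the same re-pivoting an analyst does by dragging columns.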

Unfortunately, as with the High Tower product, ad hoc querying appears to have been an afterthought in Security Manager; you have to use the same reporting mechanism to search for individual pieces of data, which involves clicking through templates again, and again, and again. It's doable, but quickly becomes tedious when you want to locate specific pieces of information across a large set of data. This is precisely why we turned to Q1 Labs' and TriGeo's products for these types of queries.

NetIQ's pricing model varies per device type (a router costs $250 a node and a Windows server is $800), which, unlike the simple events-per-second models that High Tower and Q1 employ, makes cost an ongoing concern when adding new devices to your infrastructure. It will be interesting to see how the product evolves, as a lot of the basic pieces for SIEM are in place, and NetIQ obviously has an advantage with its AppManager business when it comes to network operations center and security operations center convergence. However, in its current form it definitely has substantial room for improvement.
