Security event management software

The power and complexity of NetIQ's Security Manager 5.0 - the latest version of the company's security event management product - is well masked by its consistent user interface and overall ease of use.

When we first tested security event management products late last year, NetIQ opted out because it was working on this new version of its product. Measured using the same methodology as our original test, Security Manager 5.0 places a close second to ArcSight's ArcSight 2.5 product, which earned top honors (see "ArcSight's flexibility and interface helps it lead the pack of security data organizers"). Security Manager is easy to install and is scalable, but the ArcSight product supports more devices out-of-the-box and has a slightly better GUI.

Security Manager comprises three main components: Event Manager, Intrusion Manager and Log Manager. Event Manager is the central console that manages and displays security events. Intrusion Manager watches incoming logs for signs of intrusion and either generates alerts or takes a defined action when an incident is suspected. Log Manager is the workhorse, handling collection, standardization and archiving of all managed logs. In our tests, we installed all components on one server without running into performance issues (see How we did it). For a production environment where you would watch a large number of events, you'd probably want to split these components up onto multiple machines.

Security Manager is an agent-based product, with agents available for servers running various flavors of Windows and Unix/Linux. These agents cull the servers' event logs. They perform initial rule analysis on the incoming events and forward them to a central database. Security Manager also includes a proxy agent - which must reside on a Windows machine - that effectively acts as a syslog server and taps into other security and network devices such as firewalls, intrusion-detection systems and routers.

Security Manager uses wizards to perform most tasks, such as agent installation and correlation definition. This is one of Security Manager's greatest strengths, as each wizard maintains a consistent interface to minimize training. We used the agent installation wizard to install agents on our Windows and Unix systems, and to install proxy agents to capture Check Point, Snort and Cisco switch logs. Setup for Snort logging was simple and took just minutes following the instructions provided in the Security Manager documentation.

Security Manager provides out-of-the-box support for many of the leading products on the market, such as Check Point and Snort, although it supports fewer than other products we tested. Through the NetIQ Development Console, administrators can create new data providers to handle logs from in-house applications or other third-party products not initially supported. We would like to see a data provider configuration wizard to make this setup process more consistent with the rest of the product.