Clear Choice Test

Security Information and Event Management

CheckPoint's SIEM software offers some good data viewing tools, but lacks other essential elements

By Greg Shipley , Network World , 06/30/2008

Editor's note: This is a summary of our testing of this product; for a full rundown of how it fared across the SIEM categories we tested, please see our full coverage.

CheckPoint's Eventia is delivered, like many of its other products, either as a full-blown hardware appliance or as a "software appliance", which is essentially a CD set that installs a fresh Linux-based operating system (as modified by CheckPoint, of course) and the Eventia application on a range of Intel-based systems. CheckPoint delivered us a full-blown appliance for testing, but we also played around with the CDs themselves and found that the initial install from those would most likely be a cakewalk for just about any seasoned IT professional.

Eventia, like NetIQ's Security Manager, contains the basic components of a SIEM but falls behind in some feature areas we consider essential, such as advanced reporting, strong support for non-CheckPoint devices and overall event reduction.

Unlike Security Manager, however, we were able to get Eventia up and running in less than one day. Eventia requires the installation of a number of Windows-based clients for administration, including the Smart Dashboard, the SmartView Tracker and the Eventia Analyzer.

Eventia includes a healthy set of predefined correlation rules and, to CheckPoint's credit, it's easy to get into the rule logic and see what the rules are doing. Eventia does require you to use different tools, however, even for performing sub-tasks of a common task. For example, the Eventia Analyzer is where you view correlated alerts, but if you want to view the raw log data that caused an alert, the Analyzer has to launch the SmartView Tracker tool. We'd prefer to drive the majority of event analysis from one tool, but to CheckPoint's credit the tools are successful at launching one another and placing you in the right spot.

CheckPoint also has a rather nice tool for building custom event handlers, helpful for adding support for devices that Eventia doesn't yet cover or for custom applications.

Eventia comes up a bit short in a few areas, however. For starters, its reporting system is really limited, and when it comes to canned reports it includes only a few default ones that cover non-CheckPoint devices. It also doesn't have any ability to rate or group assets, which is one of the most basic SIEM features. Its dashboarding features aren't as comprehensive as those found in High Tower's or Q1 Labs' products, and its event reduction is a start, but we were still inundated with hundreds of events.

Considering its shortcomings, Eventia is only partially competitive in the commercial SIEM product space. However, Eventia is going to be a logical product to look at for any organization that is already running CheckPoint products. It uses a familiar delivery model, leverages existing tools such as Smart Dashboard, and it means one less vendor you'll have to deal with for support.

The question that needs to be asked, however, is whether what Eventia offers is "good enough" to overlook its faults. For organizations that don't need a full-featured SIEM, the answer might very well be "yes". Looking ahead, it will be interesting to see how competitive CheckPoint becomes in continuing to support devices from competitors such as Cisco, Juniper and IBM. It will also be interesting to see how many development resources the company puts behind making Eventia a more full-featured SIEM. The basics are in place, but will Eventia continue to evolve? Time will tell.
