SIEM tools come up short

After 10 years on the market, products should be better at reporting, usability and advanced correlation features

1 2 3 Page 3
Page 3 of 3

But other companies have gone more complex (read potentially more expensive) routes. NetIQ and CheckPoint, for example, charge "per node," although what constitutes a node varies. TriGeo and eIQ charge for both the appliances and the number of nodes. While there are advantages to NetIQ's model (such as very low entry point) that doesn't include all of the required hardware, operating system and software costs (Microsoft Windows and SQL Server Enterprise). Ultimately either the prices for large deployments will need to come down or functionality will have to substantially advance, or perhaps a little of both.

What part of IT wants SIEM?

But some higher-level organizational changes are clearly ahead, too. Ones that may greatly affect which part of IT buys into the SIEM prospects.

As the roles within information security teams continue to evolve and many operational security functions settle into operational IT, there's little doubt that the demarcation point between traditional Network Operations Centers and its younger sibling - the SOCs - will eventually disappear. Time will tell which security functions will remain outside of operational IT, but few can debate that security can (and does) influence the classic IT tenets of performance and availability, and the eventual merger of the two is inevitable. This collision course has some potentially interesting ramifications, however. For starters, do classic network monitoring platforms start to include adequate security contexts, or do security platforms start including classic performance and availability monitoring?

We saw early signs of this collision years ago when products such as Tivoli attempted to provide security add-ons to an already established monitoring platform. It wasn't pretty then and historically the classic network monitoring platforms didn't have either the security "smarts" or the necessary capacity to address Infosec's differing problem-set, which is why few people remember failed attempts like the early versions of the Tivoli Risk Manager.

Here we are in 2008 and the big guys such as IBM and HP are acquiring and partnering to fill these gaps, but we don't see a clear winner on that front yet.

NetIQ is probably in the best position to gain ground here. Its App Manager suite is a well-established player in the IT operational realm and even though we had our complaints about Security Manager, it's certainly on the path to being a contender in this product space. NetIQ already has a module for basic Security Manager and App Manager integration, but we unfortunately didn't get an opportunity to test it.

Another interesting dynamic is that the correlation engines found in some of the more advanced SIEM products can be re-purposed to tackle more business-facing security challenges. 

For example, Joe Mcgee, the CTO from information security service provider Vigilant, has started customizing commercial SIEM products to help tackle fraudulent transactions in the online banking world. By doing some advanced mapping of custom applications, tracking user profiles, user behavior and items such as login locations, his company has been able to help clients reduce online fraud numbers. It's one thing to isolate that one IDS alert that matches a piece of vulnerability data, quite another to stop a fraudulent transaction before the company experiences an actual loss. The former provides a smidgen less of a headache for the average security analyst while the latter provides some tangible business value that even people outside of IT will understand. It's a no-brainer where decision makers should be looking to focus their energy. The more business-facing application of SIEM technology is a win for everyone; security, operational IT, vendors, and businesses all benefit. The question becomes, how soon can we get there?

After all of our installations, device provisioning, troubleshooting, struggling with expiring licensing keys, rule creations, customizations and late nights asking ourselves "where the heck did that come from?" one realization rose above everything else: not using technology to monitor event and log data is a bad risk management practice in 2008. But a close second was the realization that until the products become maturer across the board your decision really should be use-case based: know what features you require first, second and third, pilot before you buy, and know that this space is still maturing…and will continue to do so for at least the next few years.

Shipley is the CTO of Neohapsis, an information risk management consulting firm. He would like to thank Apneet Jolly and Leigh Hollowell from DePaul University for their assistance during the testing. Shipley can be reached at

Learn more about this topic

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
IT Salary Survey 2021: The results are in