High Tower's SIEM strength lies in its simplicity

Editor's note: This is a summary of our testing of this product, for a full rundown of how it fared in our testing across SIEM categories; please see our full coverage.

The strength of High Tower's Cinxi SIEM lies in its simplicity. It isn't as feature-rich as other products on the market, but much of what it does do, it does fairly well.

The product is delivered as an appliance that is Intel-based, includes a crypto accelerator in hardware (for high-volume event signing) and runs Linux under the hood. The user interface is Java-based and requires also running client applet that is delivered via a standard Web browser. Cinxi's user interface was by far the easiest to use, which we attribute to good design and a simple layout.

High Tower's product is also the simplest to deploy because of its auto identification of devices, which it calls "candidates". Cinxi was up and collecting data in literally minutes, and when we brought new systems online in our environment it was a snap to get them properly identified.

Cinxi comes with a set of about 70 predefined correlation rules that help with event reduction. We found them to be pretty useful, but overall not as effective as the rules in Q1 Labs' QRadar product, and a number of them we eventually decided to disable outright because of false-positive problems. The rule language is also not as advanced or as granular as other products tested. For example, you can create rules such as "if an event in category X occurs and an event in category Y occurs within a six-minute period, generate an alert" but you couldn't do anything as sexy as "if you see a successful login from Madagascar send an e-mail to network administrator Z."

Cinxi also includes an event handling ticketing system that allows you to easily create and assign cases to individuals. The "add to case" right-click option on any alert was a nice touch. Again, Cinxi shined when it came to easy-to-use tools and drill-down options.

Cinxi's biggest shortcomings are related to its reporting and adhoc querying mechanisms. On the reporting front Cinxi has a minimal set of pre-canned reports and the delivery format is limited to CSV files and occasional PDF support. High Tower recommended that we install the Crystal Reports Viewer to make these reports a little more digestible, and while that did help in their overall presentation, the reporting mechanism remains limited in functionality. The adhoc query mechanism was far worse. Like NetIQ's Security Manager, Cinxi doesn't distinguish between adhoc queries such as "Show me everywhere userX has logged in from" and a run-of-the-mill reports. You have to fill out a form and submit everything as a report request – the concept of a quick lookup needed by most in-depth investigative efforts is non-existent. Complicating matters, when we did submit some adhoc queries searching for specific usernames and IP addresses our reports often took minutes – sometimes 10 or more – to return. Response times like these are not going to be acceptable for organizations that plan on doing a heavy load of investigations.

Fortunately High Tower is aware of both of these shortcomings and is making moves to address them. According to company representatives, High Tower will be introducing an add-on security log exploration appliance powered by Splunk in July, and a revamp of the reporting system is due out later this year.

In its current form, Cinxi represents an interesting compilation of features. It has the hardware horsepower to tackle high events per second-environments and many of the features that large organizations will want, but its simplicity will attract organizations that don't want the complexity of products like NetIQ's Security Manager or Q1 Labs' QRadar. Cinxi is best suited for midsized businesses (especially with a starting price tag of $18,000) but it will be interesting to see how it will stack up once the pending improvements have been rolled out.

< Return to main test: SIEM tools come up short >

Learn more about this topic

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.