EIQ Networks offers unique presentation features, but underlying SIEM needs some improvement

EIQ Network's SecureVue is a multi-function product that offers SIEM functionality as one of its many components.

Editor's note: This is a summary of our testing of this product, for a full rundown of how it fared in our testing across SIEM categories; please see our full coverage.

EIQ Networks' SecureVue is a multi-function product that offers SIEM functionality as one of its many components.

EIQ has taken a somewhat novel approach of gathering not only traditional device events and vulnerability information but also configuration and performance data. The product has one of the widest ranges of device support that we tested, and has the product's abilities to profile hosts via configuration "snapshots" and provide 3D views of events are certainly useful features. Unfortunately, the user interface is a bit rough. And, more seriously, it's pricey and many of the supporting tools are quite limited in functionality which makes it hard for us to recommend SecureVue for many traditional SIEM uses. That said, it was outside the scope of our test to explore SecureVue's non-SIEM-like functions – such as it's auditing and compliance management wares -- to see if they make up for the SIEM shortcomings.

SecureVue came to us on an Intel-based appliance running Windows 2003 eIQ Networks offers unique presentation features, but underlying SIEM need some improvement. eIQ Networks has done an impressive job of writing parsers for a wide range of formats and device types, and although the provisioning of new devices wasn't as smooth as High Tower's process, it was pretty close. We were also really impressed by SecureVue’s parsing editor; the tool allowed us to take log data of an unknown type, import it, and then select and match relevant fields (e.g. source IP address) by doing nothing more then highlighting the text on the screen. Very slick.

What we struggled with in our day-to-day use of the product was the awkward paths we had to take to view the data. For example, in most of the SIEM tools we tested there was an event overview table of some sort that allowed us to view all correlated alerts in real-time. Drilling-down into a correlated event to reveal the "trigger" events was usually a mouse click away, and double-clicking further lead us to the raw event log itself. Using SecureVue accomplishing the same tasks takes multiple steps; clicking on an alert leads you to a forensic report query, which then launches a different window to present the events leading up to that trigger. Once there, the event viewer was relatively inflexible; we couldn't easily sort on columns, re-arrange columns, or do any of the data "slicing and dicing" we wanted to do when performing initial investigative tasks.

The default correlation rules also seemed limited in their effectiveness. For example, over the course of our testing of SecureVue, there were less than a dozen correlation rules that fired, and many of the attack patterns (for example, an intrusion-detection system (IDS) event followed by failed logins and then successful authentication and host activity) recognized by the other tools went unnoticed by SecureVue. The correlation engine is also somewhat “hard-coded” in that it doesn’t allow you to edit much of the underlying logic. We found ourselves stuck configuring the specific parameters of a rule (e.g. thresholds and time limits) and unable to create more complex rules. It would have been nice to see a more open rule set and a bit more active correlation being delivered out of the box.

In addition to the parsing toolkit we did find one other unique SecureVue feature that we really liked, however: the Visualizor component. This a visualization engine that plots data on a three-dimensional rotate-able plane. You can launch this tool from the main user interface for performing ad hoc visualization tasks against data stored in the product, but it can also be enabled from forensic reports. We found it to be very useful for easily spotting items in larger, more complex data sets where multiple alerts and hosts were involved. For example, we had a set of about 15 IDS events we wanted to investigate further and were able to isolate a supporting set of event data. While viewable as text in a table, sending it to the Visualizor for 3D plotting made it a lot easier to spot relationships between hosts that might require further investigation. Unfortunately SecureVue doesn't allow for a lot of further data manipulation and querying once you are working within the Visualizor tool, so we were hopping in and out of it frequently. With some additional feature expansion, the Visualizor could be a pretty compelling differentiator.

Like Checkpoint, eIQ Networks has already built the necessary foundations for a good SIEM product, and when it comes to the Visualizor and parsing editor it’s even a bit ahead of the market. But the product needs significant improvement in a number of essential areas and with a suggested starting price of $50k for the software version ($70k for the appliance) it’s not priced very competitively. Fortunately eIQ is releasing v3.1 of the product later this year which we have been told addresses many of the existing shortcomings. We will certainly be keeping a look out for it.

< Return to main test: SIEM tools come up short >

Learn more about this topic

 
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

IT Salary Survey 2021: The results are in