NetIQ's Security Manager does an impressive job sorting through security.

The power and complexity of NetIQ’s Security Manager 5.0 – the latest version of the company’s security event management product – are well masked by its consistent user interface and overall ease of use.

When we first tested security event management products late last year, NetIQ opted out because it was working on this new version of its product. Measured using the same methodology as our original test, Security Manager 5.0 places a close second to ArcSight’s ArcSight 2.5 product, which earned top honors (see “ArcSight’s flexibility and interface helps it lead the pack of security data organizers”). Security Manager is easy to install and is scalable, but the ArcSight product supports more devices out-of-the-box and has a slightly better GUI.

Security Manager comprises three main components: Event Manager, Intrusion Manager and Log Manager. Event Manager is the central console that manages and displays security events. Intrusion Manager watches incoming logs for signs of intrusion and either generates alerts or takes a defined action when an incident is suspected. Log Manager is the workhorse, handling collection, standardization and archiving of all managed logs. In our tests, we installed all components on one server without running into performance issues (see How we did it). For a production environment where you would watch a large number of events, you’d probably want to split these components up onto multiple machines.

Security Manager is an agent-based product, with agents available for servers running various flavors of Windows and Unix/Linux. These agents cull the servers’ event logs. They perform initial rule analysis on the incoming events and forward them to a central database.
Security Manager also includes a proxy agent – which must reside on a Windows machine – that effectively acts as a syslog server and taps into other security and network devices such as firewalls, intrusion-detection systems and routers.

Security Manager uses wizards to perform most tasks, such as agent installation and correlation definition. This is one of Security Manager’s greatest strengths, as each wizard maintains a consistent interface to minimize training. We used the agent installation wizard to install agents on our Windows and Unix systems, and to install proxy agents to capture Check Point, Snort and Cisco switch logs. Setup for Snort logging was simple and took just minutes following the instructions provided in the Security Manager documentation.

Security Manager provides out-of-the-box support for many of the leading products on the market, such as Check Point and Snort, although it supports fewer than other products we tested. Through the NetIQ Development Console, administrators can create new data providers to handle logs from in-house applications or other third-party products not initially supported. We would like to see a data provider configuration wizard to make this setup process more consistent with the rest of the product.

The Security Manager administrative interface operates as a Microsoft Management Console snap-in, so all aspects of this product are managed through a standard Windows interface. A Web console is also available. One nice feature of both interfaces is an easy-access icon in the system tray that quickly launches commonly used wizards and consoles. Security Manager includes numerous consoles – Analysis Console, Development Console and Incident Management Console – which are all accessible through the main Monitor Console.

Creating event correlation rules is also a simple process through the Correlation Wizard. We created our test correlation rules in minutes. Development Console also can be used to fully customize your rules.

A unique feature in Security Manager is the Incident Management component. Here, Security Manager can watch incoming events for signs of a known attack and alert security administrators when it finds something suspicious. Security Manager also includes some incident-tracking options, which let administrators enter company-related comments for flagged incidents.

Security Manager includes more than 300 default views and reports of the data stored in the database. The three main categories are forensic, trend and summary reports.

Security Manager is a strong product in the security event management market. Its fairly Windows-centric design might not fit all organizations, but its ease-of-use while maintaining a high level of flexibility and complexity is impressive.

Security Manager 5.0
Overall rating: 3.7
Company: NetIQ
Cost: Starts at $2,500 for the console and $1,100 per server.
Pros: Excellent configuration wizards; focus on ease-of-use.
Cons: Windows-centric focus may not fit some organizations; low number of devices supported out-of-the-box.

The breakdown (category, weight, score)
Filter/correlation, 30%, 3.5
GUI, 30%, 3.5
Device support, 15%, 4
Reports, 15%, 4
Help/documentation, 10%, 4
Total score: 3.7

Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar