Educause Security Discussion mailing list archives
Re: SIM/SIEM sample RFP
From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Fri, 7 Sep 2007 09:51:30 +1000
Hi Jason,

Youngquist, Jason R. wrote:
> Does anyone have a SIM/SIEM sample RFP or recommendations on SIMs? We are looking for SIM products similar to Cisco MARS and Q1 Radar. The SIM needs to be cost effective, able to collect log data from multiple sources, correlate it, look for abnormal behavior, take automatic/manual action against malicious activity, and generate detailed and summarized reports for management.
We did a fairly comprehensive review of SEM/SIM technology in early 2005 and here is a copy and paste of the review criteria we used:

* Ability to process up to 500 events per second
* Ability to receive/retrieve updates about global events, i.e. new vulnerabilities
* Ability to send jobs to a job tracking system
* Ability to specify multiple users and demarcate what information/alerts/hosts those users can see
* Audit trail creation to show actions during a response to a security incident
* Automate security responses - may restrict or stop potential or possible attacks
* Comply with government regulations and make or show how to comply with QUT internal policies
* Cost - Equipment (higher score reflects lower cost)
* Cost - Software (higher score reflects lower cost)
* Enforce internal security policies
* Installed and provisioned to QUT
* ITIL compliant
* Provided as a managed service
* Receive/retrieve logs/events from current QUT network infrastructure
* Replay ability - to review attacks or events
* Report on history of security events
* Report on types of activity observed (virus/exploit/scanning)
* User Interface - look & feel
* User Interface - usability

We got carried away and allocated a weight to each criterion as well as how well a given product scored - some of our criteria were critically important to us (like UI) and we wanted to have that reflected in how well a product scored. Some of these criteria may not apply in your situation; we wanted to be able to have many people able to access this system (up to 50+ across the University), hence the importance of the UI.

We also scored the manufacturer and, where applicable, the vendor, against the following criteria:

* Established
* Reputable
* Australian based
* "Feel" - our customer service experience
* Experienced in Government or Academic sector

Again, pick which is applicable to you.

We had 21 responses, and two vendors put forward the same product, so it was interesting to see the two different approaches to presenting the same product... but anyway, that product wasn't selected in the end :p

Our four top scoring products were (in alphabetical order):

(Company, Product)
Intellitactics, Security Manager
OpenService, Security Information Manager
Sensage, Enterprise Security Analytics
Tier-3, Huntsman

Since our review was two years ago, the SEM/SIM market will have changed fairly significantly since then, and the biggest factor in how suitable a given product is for your organization is how well it meets the need you are trying to fill. So none of the above products may meet your need. If you are looking for a list of market leaders, check out the Gartner '07 report on the SEM/SIM market place.

Good luck,
--
Greg Vickers
IT Security Engineer & Project Manager
IT Security, Network Services, Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane
Phone: +61 7 3138 9536
Mobile: 0410 434 734
Fax: +61 7 3138 2921
Email: g.vickers () qut edu au
IT Security web site: http://www.its.qut.edu.au/itsecurity/
CRICOS No. 00213J
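The weighted scoring Greg describes (a weight per criterion, a score per product, and cost criteria scored so that a cheaper offer scores higher) is easy to get subtly wrong when the cost rows are entered as dollar figures rather than scores. The example below is an added illustration, not QUT's scoring sheet or any vendor's code: the criteria are a subset of the list in the reply, the weights, the three product names and the dollar figures are all constructed here to show the mechanics, and the 1-to-5 scale is an assumption.

```python
# Added example: weighted RFP scoring with cost criteria inverted so that
# "higher score reflects lower cost". Criteria are a subset of the list in
# the reply; weights, products and figures are constructed, not real data.

MAX_SCORE = 5  # assumed 1..5 scale for non-cost criteria

# Assumed weights (not QUT's). The reply notes UI was critically important.
CRITERIA = {
    "events_per_second": 3,   # ability to process up to 500 events per second
    "multi_user_views": 4,    # demarcate what information/alerts/hosts users see
    "audit_trail": 4,         # audit trail of actions during incident response
    "cost_equipment": 2,      # entered as a dollar figure, inverted below
    "cost_software": 2,       # entered as a dollar figure, inverted below
    "ui_usability": 5,        # User Interface - usability
}
COST_CRITERIA = {"cost_equipment", "cost_software"}


def cost_to_score(cost, cheapest, priciest):
    """Map a dollar figure onto 1..MAX_SCORE relative to all offers received,
    so the cheapest offer scores MAX_SCORE and the priciest scores 1."""
    if priciest == cheapest:
        return MAX_SCORE
    frac = (cost - cheapest) / (priciest - cheapest)  # 0 = cheapest, 1 = priciest
    return round(MAX_SCORE - frac * (MAX_SCORE - 1))


def score_products(raw):
    """raw: {product: {criterion: score, or dollar cost for cost criteria}}
    Returns {product: weighted total}. Raises on missing or out-of-range input
    so a blank cell cannot silently count as zero."""
    # Cost scores are relative, so find the bounds across all offers first.
    bounds = {}
    for crit in COST_CRITERIA:
        values = [answers[crit] for answers in raw.values()]
        bounds[crit] = (min(values), max(values))

    totals = {}
    for product, answers in raw.items():
        missing = set(CRITERIA) - set(answers)
        if missing:
            raise ValueError(f"{product}: no answer for {sorted(missing)}")
        total = 0
        for crit, weight in CRITERIA.items():
            if crit in COST_CRITERIA:
                score = cost_to_score(answers[crit], *bounds[crit])
            else:
                score = answers[crit]
                if not 1 <= score <= MAX_SCORE:
                    raise ValueError(f"{product}/{crit}: score {score} out of range")
            total += weight * score
        totals[product] = total
    return totals


def rank(totals):
    """Products ordered by weighted total, highest first; ties broken by name."""
    return sorted(totals, key=lambda p: (-totals[p], p))


# Constructed responses from three hypothetical vendors (not the products
# named in the reply). Cost rows are dollar figures, the rest are 1..5 scores.
RESPONSES = {
    "Vendor A": {"events_per_second": 5, "multi_user_views": 4, "audit_trail": 5,
                 "cost_equipment": 120_000, "cost_software": 80_000, "ui_usability": 3},
    "Vendor B": {"events_per_second": 4, "multi_user_views": 5, "audit_trail": 4,
                 "cost_equipment": 90_000, "cost_software": 60_000, "ui_usability": 5},
    "Vendor C": {"events_per_second": 5, "multi_user_views": 2, "audit_trail": 3,
                 "cost_equipment": 60_000, "cost_software": 40_000, "ui_usability": 2},
}

if __name__ == "__main__":
    totals = score_products(RESPONSES)
    for product in rank(totals):
        print(f"{product}: {totals[product]}")
```

With these constructed figures Vendor C is the cheapest on both cost rows and still ranks last, because the heavily weighted UI criterion dominates; that is exactly the effect the reply describes when it says the weights were chosen so that criteria like UI would be reflected in the final score.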
Current thread:
- SIM/SIEM sample RFP Youngquist, Jason R. (Sep 04)
- <Possible follow-ups>
- Re: SIM/SIEM sample RFP Wes Young (Sep 04)
- Re: SIM/SIEM sample RFP Harris, Michael C. (Sep 04)
- Re: SIM/SIEM sample RFP Greg Vickers (Sep 06)