Educause Security Discussion mailing list archives

Re: SIM/SIEM sample RFP


From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Fri, 7 Sep 2007 09:51:30 +1000

Hi Jason,

Youngquist, Jason R. wrote:
> Does anyone have a SIM/SIEM sample RFP or recommendations on SIMs?  We
> are looking for SIM products similar to Cisco MARS and Q1 Radar.   The
> SIM needs to be cost effective, able to collect log data from multiple
> sources, correlate it, look for abnormal behavior, take automatic/manual
> action against malicious activity, and generate detailed and summarized
> reports for management.

We did a fairly comprehensive review of SEM/SIM technology in early 2005
and here is a copy and paste of the review criteria we used:

* Ability to process up to 500 events per second
* Ability to receive/retrieve updates about global events, i.e. new
vulnerabilities
* Ability to send jobs to a job tracking system
* Ability to specify multiple users and demarcate what
information/alerts/hosts those users can see
* Audit trail creation to show actions during a response to a security
incident
* Automate security responses - may restrict or stop potential or
possible attacks
* Comply with government regulations and make or show how to comply with
QUT internal policies
* Cost – Equipment (higher score reflects lower cost)
* Cost – Software (higher score reflects lower cost)
* Enforce internal security policies
* Installed and provisioned to QUT
* ITIL compliant
* Provided as a managed service
* Receive/retrieve logs/events from current QUT network infrastructure
* Replay ability - to review attacks or events
* Report on history of security events
* Report on types of activity observed (virus/exploit/scanning)
* User Interface – look & feel
* User Interface – usability

We got carried away and allocated a weight to each criterion as well as
how well a given product scored - some of our criteria were critically
important to us (like UI) and we wanted to have that reflected in how
well a product scored.  Some of these criteria may not apply in your
situation; we wanted to have many people able to access this
system (up to 50+ across the University), hence the importance of the UI.

We also scored the manufacturer and where applicable, the vendor,
against the following criteria:
* Established
* Reputable
* Australian based
* “Feel” - our customer service experience
* Experienced in Government or Academic sector

Again, pick which is applicable to you.

We had 21 responses, and two vendors put forward the same product, so it
was interesting to see the two different approaches to presenting the
same product... but anyway, that product wasn't selected in the end :p

Our four top scoring products were (in alphabetical order):
(Company, Product)
Intellitactics, Security Manager
OpenService, Security Information Manager
Sensage, Enterprise Security Analytics
Tier-3, Huntsman

Since our review was two years ago, the SEM/SIM market will have changed
fairly significantly, and the biggest factor in how suitable
a given product is for your organization is how well it meets the need
you are trying to fill.  So none of the above products may meet your need.

If you are looking for a list of market leaders, check out the Gartner
'07 report on the SEM/SIM market place.

Good luck,
--
Greg Vickers
IT Security Engineer & Project Manager
IT Security, Network Services,
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane

Phone: +61 7 3138 9536
Mobile: 0410 434 734
Fax: +61 7 3138 2921
Email: g.vickers () qut edu au
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J
