Symantec SIM brings friends
What is it, one might reasonably ask, that separates a SIM (security information manager) from a basic log-file aggregator? Both will, of course, aggregate log files, but a SIM must go further, gathering incident alerts and status conditions from a variety of network security and infrastructure sources. A good SIM then adds some intelligence to the mix, helping the security engineer figure out which information deserves immediate attention and which can wait until it is time to prepare for a compliance audit.
This last step separates the very good SIM from the merely competent, and it's where the security intelligence found in the Symantec SIM (SSIM) 9650 appliance shines. Like many SIMs, the Symantec system improves with each new data point (that is, component providing data) it has to chew on. Unlike many SIMs, Symantec's has its own Global Intelligence Network of analysts, experts, and OPSIMs (other people's SIMs) to throw into the intelligence mix.
If your network can provide a deep pool of data for the Symantec SIM to swim in, it can provide a wealth of detailed information to your security engineer. Be aware, though, that this isn't a product for security novices. If you think of it as an able assistant to your in-house security expert, you're on the right track. Given the system's intelligence, it might be tempting for admins to treat the tool as a replacement for that expert. If you do so in a small network with relatively few data sources, you're likely to be disappointed. If, on the other hand, you put one of these in a rich network beside a capable security staff, you'll find it a truly valuable addition to your security infrastructure.
Looking at the network
As SIMs go, Symantec's installs quickly. When you first connect to the SSIM appliance, you download the GUI app and get started. You'll find two logical applications built into the device: a Web interface for simple administration tasks and a dedicated GUI application for most of the heavy lifting in configuration and analysis.
In my testing, the setup process went smoothly. I ran into just a couple of complaints caused by quirks in my test environment. The SSIM system isn't particularly happy if you try to sequester it away from DNS (though it will operate after complaining for a few moments), and it uses self-signed certificates that are going to make some desktop clients antsy. In most production deployments neither of these will be an issue, but they are worth knowing about.
There are three broad areas of activity required to get you started: building an asset table, scanning for vulnerabilities, and establishing initial rules. You can build the asset table either manually or automatically. Manual means either entering information through the keyboard (not recommended) or importing tables from just about any popular asset management system. If you don't have an existing asset table handy, the SSIM will build one by sniffing traffic on the network; no active probing goes on at this stage. If you already have an asset management system in place, you'll want to import the information so that it is consistent across systems. If you haven't taken the asset management step, discovery works well, though you'll want to go back into the descriptions to add details (system specifics and, above all, asset criticality) that simply can't be determined from network traffic alone.
The vulnerability scan is, of necessity, more active and intrusive. The system scans the network and compares the results against known vulnerability databases such as the National Vulnerability Database and the Open Source Vulnerability Database. The scan is of the most benign sort: the SSIM doesn't try to confirm a vulnerability by attempting an exploit, so a finding tells you a host looks vulnerable, not that it has been proven so.
With assets and vulnerabilities in the database, I looked at the rule set that shipped with the SSIM and found not much there: around 40 rules. The slim rule set might seem inadequate, but Symantec explained that it is a simple baseline; most of the production functionality comes from correlating the data the appliance collects during operation. I found that to be true, as the SSIM was able to construct information for reports and issue alerts based on information it received and built upon during the test. It's certainly possible to add specific rules yourself, but the need to do that should be limited to unusual cases in your particular network.
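To make concrete what "adding intelligence" means in practice, here is a small correlation routine of the kind the three setup steps feed: it enriches raw events with asset criticality from an asset table, boosts events that hit a service the vulnerability scan flagged, and collapses repeated events from one source into a single ranked alert. This is an added illustration written for this review, not Symantec's engine or any of its rule syntax; the asset table, vulnerability findings, log format and severity weights are all constructed for the example.

```python
"""Minimal SIM-style correlation: enrich raw events with asset criticality and
vulnerability state, then rank them. Every data item below is constructed for
this example; none of it comes from a real network or from the SSIM product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset table (the kind the SSIM builds by import or passive
# discovery). criticality: 1 (lab box) .. 5 (crown jewel). Hosts not listed
# here are "unknown assets" and get a conservative default below.
ASSETS = {
    "10.0.1.20": {"name": "payroll-db", "criticality": 5},
    "10.0.1.30": {"name": "intranet-web", "criticality": 3},
    "10.0.9.7": {"name": "lab-test", "criticality": 1},
}

# Constructed vulnerability findings: (host, service) pairs the scan flagged.
VULNERABLE = {("10.0.1.20", "ssh"), ("10.0.9.7", "ssh")}

# Constructed base severity per signature, as a data source would report it.
BASE_SEVERITY = {"ssh-bruteforce": 2, "sql-injection": 4}

# Constructed log lines in a simple "timestamp key=value ..." format.
SAMPLE_LOG = """\
2008-01-04T10:00:01 src=203.0.113.9 dst=10.0.9.7 service=ssh sig=ssh-bruteforce
2008-01-04T10:00:05 src=203.0.113.9 dst=10.0.1.20 service=ssh sig=ssh-bruteforce
2008-01-04T10:00:09 src=203.0.113.9 dst=10.0.1.20 service=ssh sig=ssh-bruteforce
2008-01-04T10:00:12 src=203.0.113.9 dst=10.0.1.20 service=ssh sig=ssh-bruteforce
2008-01-04T10:01:00 src=198.51.100.4 dst=10.0.1.30 service=http sig=sql-injection
2008-01-04T10:02:00 src=198.51.100.4 dst=10.0.5.5 service=http sig=sql-injection
"""


def parse(line):
    """Split one log line into a dict of fields plus a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def score(event):
    """Base severity x asset criticality, doubled when the targeted service is
    a known-vulnerable one. Unknown hosts get criticality 2 and are flagged so
    an analyst can go back and fill in the asset table."""
    asset = ASSETS.get(event["dst"])
    crit = asset["criticality"] if asset else 2
    value = BASE_SEVERITY.get(event["sig"], 1) * crit
    if (event["dst"], event["service"]) in VULNERABLE:
        value *= 2
    return value, asset is None


def correlate(log, window=timedelta(seconds=60), threshold=3):
    """Return alerts sorted by descending score. Events sharing (src, dst, sig)
    are collapsed into one alert; if `threshold` or more of them fall inside
    `window`, the score is doubled, standing in for the kind of rule that turns
    scattered events into an incident."""
    buckets = defaultdict(list)
    for line in log.strip().splitlines():
        ev = parse(line)
        buckets[(ev["src"], ev["dst"], ev["sig"])].append(ev)

    alerts = []
    for (src, dst, sig), evs in buckets.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = evs[-1]["ts"] - evs[0]["ts"] <= window
        repeats = len(evs) if in_window else 1
        base, unknown = score(evs[0])
        total = base * 2 if repeats >= threshold else base
        alerts.append({
            "src": src, "dst": dst, "sig": sig, "count": len(evs),
            "score": total, "unknown_asset": unknown,
            "asset": ASSETS.get(dst, {}).get("name", "?"),
        })
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        flag = " (asset not in table)" if a["unknown_asset"] else ""
        print(f"{a['score']:>3}  {a['sig']:<15} {a['src']} -> {a['dst']} "
              f"[{a['asset']}] x{a['count']}{flag}")
```

Run against the constructed log, the three-in-a-row SSH brute force against the critical, scan-flagged payroll host rises to the top, the single identical event against the low-value lab box (same source, same signature, same vulnerable service) falls to the bottom, and the hit on an address absent from the asset table is surfaced as something to go back and classify. That is exactly the triage the review describes, and it also shows why the product is only as good as the asset table and scan data you give it.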
When networks go bad
For most security analysts, the SSIM dashboard will be the primary window into the appliance's operation. The dashboard grants a real-time view of system operations, and it is customizable across a variety of values, including the usual criteria you want to see (top talkers, top destinations, alerts, and warnings) and others that are specific to the SSIM, such as alerts from the Global Intelligence Network. The dashboard is tightly tied to the GUI application but can be detached and run on a separate monitor while the GUI continues in administration mode.