ARN

Symantec SIM brings friends

Symantec's SIM comes with an active network to help it analyze your events
Curtis Franklin Jr. (InfoWorld) 08 January, 2008 10:33:19

The SSIM offers a dedicated report manager, which includes a built-in library of 273 queries that can be optimized for specific business needs. Among the queries are those designed for compliance reporting based on all the major federal regulations. Admins can modify the reports to meet the templates required by various compliance auditing organizations, though it's important to remember that SSIM isn't going to roll up all the reports you'll need for most audits. You can count on it for summaries, but the details will still come from individual components.

The positive aspects of event correlation and the Global Intelligence Network start to become apparent when the SSIM issues individual incident alerts and warnings. The system gathers information from the various components on the network and applies filters and rules to determine whether any given event is a simple anomaly or part of a larger issue indicating malicious behavior. When an alert is issued, it comes with diagnostic information and possible mitigation steps based on data from the GIN. Information from the GIN also plays a significant role in determining the incident priority, which is based on event type; target vulnerability, target sensitivity, and data sensitivity (the last two drawn from the asset tracking table) also go into the calculation. Based on all this information, the SSIM will write a trouble ticket and provide some fairly basic ticket-tracking capabilities.
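To make the two steps just described concrete, here is a small added example (not Symantec's code) that correlates events from several sensors into anomalies or incidents and then scores each one from event type, target vulnerability, and the target and data sensitivity held in an asset table; the asset table, the event feed, the severity values and the weighting are all constructed assumptions standing in for the product's own rules and GIN data.

```python
from collections import defaultdict

# Constructed asset-tracking table (the review's "asset tracking table"):
# host -> target sensitivity, data sensitivity, and the vulnerabilities it is known to carry.
ASSETS = {
    "10.0.0.5": {"target_sens": 3, "data_sens": 5, "vulns": {"vuln-A"}},
    "10.0.0.9": {"target_sens": 1, "data_sens": 1, "vulns": set()},
}
# Constructed, normalised events from three sensors: (timestamp, sensor, source, target, type, vuln).
EVENTS = [
    (100, "fw", "203.0.113.7", "10.0.0.5", "port_scan", None),
    (130, "ids", "203.0.113.7", "10.0.0.5", "exploit_attempt", "vuln-A"),
    (160, "host", "203.0.113.7", "10.0.0.5", "new_admin_account", None),
    (400, "fw", "198.51.100.2", "10.0.0.9", "port_scan", None),
]
# Assumed base severity per event type; in the real product this is where GIN data would feed in.
TYPE_SEVERITY = {"port_scan": 1, "exploit_attempt": 3, "new_admin_account": 4}
WINDOW = 300  # seconds: events against one target inside this window form one candidate incident

def correlate(events, window=WINDOW):
    """Group events per target into time windows. One low-severity event is an anomaly;
    several events, or any high-severity one, is an incident (assumed rule)."""
    by_target = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        groups = by_target[ev[3]]
        if groups and ev[0] - groups[-1][0][0] <= window:
            groups[-1].append(ev)          # same target, inside the window of the open group
        else:
            groups.append([ev])            # start a new group for this target
    out = []
    for target, groups in by_target.items():
        for grp in groups:
            worst = max(TYPE_SEVERITY[e[4]] for e in grp)
            kind = "incident" if len(grp) > 1 or worst >= 3 else "anomaly"
            out.append({"target": target, "events": grp, "kind": kind})
    return out

def prioritise(incident, assets=ASSETS):
    """Priority = worst event severity (+2 if the target really carries the exploited
    vulnerability), scaled by target and data sensitivity from the asset table."""
    asset = assets.get(incident["target"], {"target_sens": 1, "data_sens": 1, "vulns": set()})
    worst = max(TYPE_SEVERITY[e[4]] for e in incident["events"])
    vulnerable = any(e[5] in asset["vulns"] for e in incident["events"] if e[5])
    return (worst + (2 if vulnerable else 0)) * (asset["target_sens"] + asset["data_sens"])

def triage(events, assets=ASSETS):
    """Correlate, score, and return incidents highest priority first (what the SSIM would ticket)."""
    scored = [dict(inc, priority=prioritise(inc, assets)) for inc in correlate(events)]
    return sorted(scored, key=lambda inc: inc["priority"], reverse=True)
```

Note that the same port scan scores very differently depending on the asset table entry behind the target, which is the point of feeding asset sensitivity into the calculation.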

I found my only real disappointment with the SSIM to be the trouble-ticket feature. Although the SSIM issues trouble tickets and allows some rudimentary manual ticket tracking, it's not a real trouble-ticket system. For example, the system will generate an initial ticket and allow you to manually close the ticket, but there's no way to track the progress of a ticket, assign fine-grained assets to the ticket, or measure the effectiveness of the given assets in resolving issues. In short, the SSIM will spit out a trouble ticket, but that pretty much ends the system's involvement in resolution management. That might be OK if Symantec provided hooks into existing trouble-ticket systems, but it doesn't. I'm all right with the SSIM not being a trouble-ticket system on top of the other benefits it provides. Further, given a choice between not offering a trouble-ticketing system at all and offering a very rudimentary one as part of an otherwise complex product, the former makes sense. Still, I strongly recommend that Symantec spend some time on this shortcoming before the next major release.

Who needs a SSIM?

All told, Symantec SIM should be a fine fit in many enterprises, especially those that haven't rolled their own set of reports and functions within an enterprise network management framework. The greatest benefit, though, would be to companies from the middle to the top of the SMB market: organizations with a reasonable number of network components, for which the Global Intelligence Network would provide a real benefit in terms of additional correlation information. These "Big SMB" organizations will also likely have a competent security professional, but one who might well appreciate a bit of additional intelligence when it comes to figuring out what's happening across the network.

The Symantec Security Information Manager 9650 is a solid piece of network security infrastructure that's in the prime of its product life: old enough for serious development to have taken place, but not past its peak. It's at the perfect point for serious consideration if you're looking for a quality SIM.

The Bottom Line: Symantec Security Information Manager 9650

Overall Score: Very Good, 8.2
Manageability: 9/10
Policy Enforcement: 8/10
Scalability: 8/10
Reporting: 7/10
Setup: 9/10
Value: 8/10
Bottom Line: The Symantec Security Information Manager is a highly capable system that leverages the power of the Global Intelligence Network to bring significant security intelligence to bear on network security events. While the SSIM isn't inexpensive, when compared to the price tag for hiring additional network security personnel, it could be an extremely cost-effective boost to your IT security capabilities.
Cost: SSIM 9650 hardware: US$12,995; SSIM 9650 software license and maintenance: US$40,000; license and 12 months of Essential Maintenance coverage per monitored server: US$200; license and 12 months of Essential Maintenance per monitored workstation: US$3
Platforms: Rack mount, 2U form factor; two (2) dual-core Xeon 2.66GHz processors with 4MB cache and 1.3GHz front-side bus; 8GB 533MHz (4x2GB) dual-ranked DIMMs; 8X DVD-ROM; three years of four-hour, 24/7 onsite service post-problem diagnosis; PERC 5/i x6 backplane integrated controller card; two (2) 146GB SAS 15,000-rpm hard drives in a RAID 1 configuration; four (4) 300GB SAS 10,000-rpm hard drives in a RAID 5 configuration; dual embedded Broadcom NetXtreme II 5708 Gigabit Ethernet NICs; three (3) PCIe slots; redundant power supply with dual cords; fifth-generation remote access card
