Watching carefully for signs of an attack

Watching carefully for signs of an attack

The power and complexity of NetIQ’s Security Manager 5.0 — the latest version of the company’s security event management product — is well masked by its consistent user interface and overall ease of use.

When we first tested security event management products late last year, NetIQ opted out because it was working on this new version of its product. Measured using the same methodology as our original test, Security Manager 5.0 places a close second to ArcSight’s ArcSight 2.5 product.

Security Manager comprises three main components: Event Manager, Intrusion Manager and Log Manager.

Event Manager is the central console that manages and displays security events. Intrusion Manager watches incoming logs for signs of intrusion and either generates alerts or takes a defined action when an incident is suspected. Log Manager is the workhorse, handling collection, standardisation and archiving of all managed logs.

In our tests, we installed all components on one server without running into performance issues. For a production environment where you would watch a large number of events, you’d probably want to split these components up onto multiple machines.

Security Manager is an agent-based product, with agents available for servers running various flavours of Windows and Unix/Linux. These agents cull the servers’ event logs. They perform initial rule analysis on the incoming events and forward them to a central database.

Security Manager also includes a proxy agent — which must reside on a Windows machine — that effectively acts as a syslog server and taps into other security and network devices such as firewalls, intrusion-detection systems and routers.

It uses wizards to perform most tasks, such as agent installation and correlation definition. This is one of Security Manager’s greatest strengths, as each wizard maintains a consistent interface to minimise training. We used the agent installation wizard to install agents on our Windows and Unix systems, and to install proxy agents to capture Check Point, Snort and Cisco switch logs. Setup for Snort logging was simple and took just minutes following the instructions provided in the Security Manager documentation.

Security Manager provides out-of-the-box support for many of the leading products on the market, such as Check Point and Snort, although it supports fewer than other products we tested.

Through the NetIQ Development Console, administrators can create new data providers to handle logs from in-house applications or other third-party products not initially supported. We would like to see a data provider configuration wizard to make this setup process more consistent with the rest of the product. The Security Manager administrative interface operates as a Microsoft Management Console snap-in, so all aspects of this product are managed through a standard Windows interface. A Web console is also available. One nice feature to both interfaces is an easy access icon in the system tray that quickly launches commonly used wizards and consoles. Security Manager includes numerous different consoles — Analysis Console, Development Console and Incident Management Console, which are all accessible through the main Monitor Console.

Creating event correlation rules is also a simple process through the Correlation Wizard. We created our test correlation rules in minutes. Development Console also can be used to fully customise your rules.

A unique feature in Security Manager is the Incident Management component. Here, Security Manager can watch incoming events for signs of a known attack and alert security administrators when it finds something suspicious.

It also includes some incident-tracking options, which let administrators enter company-related comments for flagged incidents. Security Manager includes more than 300 default views of the data and reports of the data stored in the database. The three main categories are forensic, trend and summary reports.

Security Manager is a strong product in the security event management market. Its fairly Windows-centric design might not fit all organisations, but its ease-of-use while maintaining a high level of flexibility and complexity is impressive.

Local information

The product is distributed in Australia by Data#3 and Guardian Mentor.

RRP: Pricing starts at $4545 for the console and $2000 per server.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.


Show Comments