Review: SIM Offers Bang For Buck


Enterprise security has become one of the biggest headaches for busy systems administrators. Add the requirements of regulatory compliance, and administrators can quickly find themselves overwhelmed. Looked at mathematically, the situation yields a formula that basically reads security + compliance = complexity, an equation that has traditionally been solved only with a combination of time and money.

Symantec is looking to solve those problems with its latest release of Security Information Manager (SIM), an appliance that delivers the big picture of security management to the harried administrator. While the product has been around for some time, the recently released version 4.5 offers extensive enhancements that make it worth considering for today's compliance-driven enterprises.

Some customers may experience sticker shock over the $50,000 starting price, but in reality, the device may deliver cost savings in the first year by enabling customers to reduce IT management staff. What's more, when one considers the fines assessed for compliance violations that the appliance can prevent, the device could pay for itself quickly.

Although SIM 4.5 is billed as a security appliance, the unit's real power comes from management and reporting. Simply put, SIM 4.5 is all about providing administrators with knowledge that helps them manage network security, remediation and compliance.

The device makes use of event collectors, which are deployed throughout the network to gather and analyze security data. Symantec provides more than 100 collectors for a variety of hardware and software security products—even those from competitors—such as firewalls, vulnerability scanners, and antivirus and other security solutions for monitoring and analysis.

That data collection process feeds a security dashboard that offers a bird's-eye view of network security in real time. All of the gathered data is stored in highly compressed logs and can be analyzed and reported on later.

SIM 4.5 is currently only available as an appliance, but in keeping with Symantec's desire to get out of the hardware business, the company has shifted to industry-standard hardware to simplify maintenance and support. From the outside, the device looks like a typical rackmount server—basically because that's all it is. Opening up the device reveals that there are no proprietary pieces of hardware, making the unit that much easier to service. In reality, the hardware is provided by Dell to Symantec for resale. Although the unit is well-built, Symantec would have been better served by selecting a more channel-friendly hardware partner than Dell.

CRN Test Center Engineers found that initial installation of the unit is straightforward but can involve a great number of steps. The complexity of installation is driven by the number of devices monitored on the network. Although the actual installation process proves to be quite simple, VARs should budget ample time for the integration of third-party security products. Once installed, the unit needs to gather data from various sources on the network before it can provide any truly useful information. Luckily, that process occurs rather quickly.

Symantec has gone to great lengths to make sure the product is easy to operate. For example, administrators start with a browser-based dashboard that gives a quick overview of the security status of the network. The dashboard offers graphs, gauges and text that are fully customizable. The dashboard also provides global security intelligence, which represents the global security threat level. That metric proved useful for gauging how well-hardened the network is during high-profile Internet security compromises.

Of course, the dashboard is only the starting point for managing network security. The browser-based console offers security administrators several menu choices to manage and report on network security. An incident view offers insight on the status of security incidents. Administrators can quickly see if incidents are open, assigned or closed and who was accountable for resolving them. As with all console activities, the incident view allows administrators to drill down to individual assets or view status by groups.

A security events module is another powerful tool that provides forensic views of security issues by device and time slice. The time slice combined with the device view builds a histogram of events that assists in forensic analysis.

The device has the capability to report on present and past events, thanks to its impressive archiving capability. All archived data is stored in a proprietary database that offers 30-to-1 compression and can be stored directly on the device or on any remote network share. The unit's integrated event viewer can access that data to create a broad range of reports. All queries are fully customizable, can be built for particular users and were designed to generate specific reports. That reporting capability becomes a key factor when it comes to compliance auditing and reporting.

When it comes to gathering data, the unit uses a rules-based system that brings data into the archive. The rules can be fine-tuned to specific needs or specific pieces of hardware, and can even be tailored to gather data only when certain network events occur.
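The collector, rule and forensic-view features described above (collectors normalizing events from different products, rules deciding what is archived, and the security events module's histogram by device and time slice) can be illustrated with a small stand-alone script. The following is an added example written for this review, not Symantec's code or the appliance's actual collector logic; the two log formats, device names and severity scale are constructed for the illustration.

```python
"""Added example: normalize events from two different security products, apply an
archive rule, and build a per-device histogram over fixed time slices.

The firewall and antivirus line formats below are constructed for this example and
do not correspond to any real vendor's format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines from two sources: a firewall ("fw01") that writes
# ISO timestamps and key=value fields, and an antivirus server ("av-srv02") that
# writes syslog-style timestamps and free text.
SAMPLE_LOGS = [
    "2024-03-01T08:00:12Z fw01 action=deny src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-03-01T08:03:41Z fw01 action=deny src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-03-01T08:04:02Z fw01 action=allow src=10.0.0.7 dst=198.51.100.2 dport=443",
    "Mar 1 08:07:55 av-srv02 AV: threat detected host=ws17 name=EICAR-Test-File action=quarantined",
    "2024-03-01T08:21:19Z fw01 action=deny src=10.0.0.5 dst=203.0.113.9 dport=445",
    "Mar 1 08:34:10 av-srv02 AV: scan completed host=ws17 threats=0",
]

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
AV_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<device>\S+) AV: (?P<msg>.*)$"
)


def parse_event(line, year=2024):
    """Act as a 'collector': turn one product-specific line into a normalized event.

    The normalized record carries a timestamp, the reporting device, the source
    type, a constructed 1-5 severity, and a short summary. Unknown lines yield None
    so that a malformed or unsupported line never aborts the whole collection run.
    """
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        severity = 3 if m["action"] == "deny" else 1  # assumed mapping for the example
        return {
            "ts": ts, "device": m["device"], "source": "firewall", "severity": severity,
            "summary": f"{m['action']} {m['src']}->{m['dst']}:{m['dport']}",
        }
    m = AV_RE.match(line)
    if m:
        # Syslog-style lines carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        severity = 4 if "threat detected" in m["msg"] else 1  # assumed mapping for the example
        return {
            "ts": ts, "device": m["device"], "source": "antivirus", "severity": severity,
            "summary": m["msg"],
        }
    return None


def apply_archive_rule(events, min_severity=3):
    """A simple 'rules-based' archive filter: keep events at or above a severity floor.

    A real rule set could also key on device, source type or event content; the
    severity floor is enough to show how rules reduce what reaches the archive.
    """
    return [e for e in events if e["severity"] >= min_severity]


def histogram(events, slice_minutes=15):
    """Count archived events per (device, time slice), the forensic 'histogram' view.

    Keys are (device, slice start as "YYYY-MM-DD HH:MM") so results are easy to
    compare and render.
    """
    counts = defaultdict(int)
    for e in events:
        ts = e["ts"]
        slice_start = ts.replace(minute=(ts.minute // slice_minutes) * slice_minutes,
                                 second=0, microsecond=0)
        counts[(e["device"], slice_start.strftime("%Y-%m-%d %H:%M"))] += 1
    return dict(counts)


def run_pipeline(lines, min_severity=3, slice_minutes=15):
    """Collect -> apply rule -> histogram, returning the histogram dictionary."""
    events = [ev for ev in (parse_event(line) for line in lines) if ev is not None]
    archived = apply_archive_rule(events, min_severity)
    return histogram(archived, slice_minutes)


def render(hist):
    """Text-bar rendering of the histogram, one row per device and time slice."""
    rows = []
    for (device, slice_start), n in sorted(hist.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        rows.append(f"{slice_start}  {device:<10} {'#' * n} ({n})")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(run_pipeline(SAMPLE_LOGS)))
```

With the sample lines, the "allow" and "scan completed" events fall below the severity floor and never reach the archive, while the three denies and the detection are bucketed into 15-minute slices per device, which is the shape of view a forensic analyst uses to spot a burst of activity on one device.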

Another area in which the device excels is asset management. The asset manager can be populated by a vulnerability scanner or other external data sources and can tie each asset directly to the vulnerabilities found on it, information that can then be incorporated into the unit's integrated reporting.

SIM 4.5 also affords plenty of opportunity for VARs to bundle services and other products to garner long-term revenue.

Many customers will need specialized reporting or security remediation services that can be provided by the VAR. Companies also may need a solution provider to perform compliance reporting or, at the very least, to interpret the reports and create actionable tasks. The product also offers a solid foundation for identifying weaknesses in network security, a springboard for sales of additional security products.

When it comes down to it, Symantec offers a product that meets the needs of almost any enterprise looking to get a better handle on managing security, while still offering plenty of opportunity for the solution provider to sell security services. It strengthens customers' networks and provides critical compliance reporting capabilities.