Ask The Security Channel Expert: Questions & Answers

What event management tools are available for SMBs?

EXPERT RESPONSE FROM: Christofer Hoff

QUESTION POSED ON: 12 November 2007
We're being driven by our customers to provide security information and event management solutions for the small and midsized business. Are there commercial off-the-shelf products available?


Customers have come to recognize the value of security information and event management in centralizing logs and consolidating their storage and analysis capabilities. This greatly enhances a company's regulatory compliance and reporting capabilities.

Security information and event management tools provide excellent forensic, security and troubleshooting capabilities, and they can be used to streamline and improve operational efficiencies by automating report generation. With so many interconnected devices on networks, it's important to be able to distill gigabytes of data about the networked infrastructure into easily digestible, actionable intelligence.

You won't have a problem configuring hardware to output its logs somewhere, but recommending the right security information and event management product for the customer depends on what they want to learn from those logs. There are products that excel at consolidating logs from disparate devices and managing them, while other solutions focus on normalization, correlation, data mining and alerting on the collected log output. There aren't a lot of products that do both sets of things well, especially when targeting the cost-conscious small to midsized business (SMB) market.

If the customer wants to centralize logs from any number of heterogeneous networked devices, there are quite a few commercial off-the-shelf and open source solutions available. These generally rely on SYSLOG as the logging mechanism, and you can turn a networked server or PC with lots of storage into an excellent log consolidation and basic analysis platform.

If the requirements of the customer extend beyond consolidation, management and basic analysis in a cost-effective package, the pickings become slimmer. Further, the operational requirements and technical skill set of the operator become very important. Normalizing what might be dozens of disparate log structures and messages into a common format, consolidating them, parsing them and producing streamlined alerting doesn't come cheap – either computationally or operationally.

If the customer does not already centrally collect and archive their logs, suggest that they start there and build a mature set of processes that will let them grow into a security information and event management solution from an operational cost/benefit model. The effort required to configure the log sources as well as the security information and event management tool can be large, so it is critical to crawl before running. Also, companies must quantify the impact on the devices generating the logs. Some products require agents to be installed on hosts.

Work diligently with the customer to establish the requirements and expectations for the solution, making sure to underscore the expected deliverables. Make sure that the log sources and formats from the devices are supported by the solution, because custom configuration can add unexpected costs and implementation delays to a project.

It's clear that there are security information and event management products available from leading vendors targeted at the small to midsized business (SMB) market, but it's also clear that the difference between failure and success in implementation is the value you add in matching a company's requirements with the capabilities and operational overhead that a solution brings.
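To make the normalization and correlation work described in the answer concrete, here is an added example (not part of the original response, and not any vendor's code) that maps syslog lines from three kinds of source onto one event schema and then correlates across devices. The sample lines, the per-source rules and the field names are constructed assumptions; note how the unsupported `myapp` format falls through as "unclassified", which is the custom-configuration cost the answer warns about.

```python
import re
from collections import Counter

# Constructed sample lines (BSD-syslog style) from three kinds of source.
SAMPLE_LINES = [
    "<38>Nov 12 10:01:02 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 4122 ssh2",
    "<38>Nov 12 10:01:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 4130 ssh2",
    "<134>Nov 12 10:01:09 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389",
    "<38>Nov 12 10:02:11 web01 sshd[2250]: Accepted password for alice from 198.51.100.4 port 5011 ssh2",
    "<13>Nov 12 10:02:30 app01 myapp: cache warmed in 42 ms",
]

# <PRI>timestamp host tag[pid]: message
HEADER = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[\d+\])?: (.*)$")

# Per-source rules (hypothetical, one per message shape): every new device type needs its own.
RULES = [
    ("sshd", "auth_failure",
     re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)")),
    ("sshd", "auth_success", re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src_ip>\S+)")),
    ("kernel", "net_deny", re.compile(r"DROP .*?SRC=(?P<src_ip>\S+)")),
]

def normalize(line):
    """Map one raw line onto a common event schema; None if the header is unparseable."""
    m = HEADER.match(line)
    if not m:
        return None
    pri, ts, host, tag, msg = m.groups()
    event = {"time": ts, "host": host, "source": tag,
             "facility": int(pri) // 8, "severity": int(pri) % 8,
             "action": "unclassified", "user": None, "src_ip": None}
    for rule_tag, action, pattern in RULES:
        hit = pattern.search(msg) if rule_tag == tag else None
        if hit:
            event.update(hit.groupdict(), action=action)
            break
    return event

def noisy_sources(events, threshold=3):
    """Correlate across devices: source IPs with >= threshold failures or denies."""
    counts = Counter(e["src_ip"] for e in events
                     if e and e["action"] in ("auth_failure", "net_deny"))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    events = [normalize(line) for line in SAMPLE_LINES]
    print(noisy_sources(events))
```

The single address is flagged only because the SSH failures on `web01` and the firewall drop on `fw01` land in the same `src_ip` field; neither device's log reaches the threshold on its own.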





All Rights Reserved, Copyright 2006 - 2009, TechTarget