[ISN] RFP checklist: Security information management

InfoSec News isn at c4i.org
Tue Apr 25 03:27:39 EDT 2006 

http://www.gcn.com/print/25_8/40435-1.html

By David Essex
Special to GCN
04/17/06 issue

Looking to deploy a security information management solution? Before 
sending out an RFP or RFI, experts say you should consider the 
following: 

* Begin with the end in mind. Ask yourself what you want to achieve 
  with a SIM system, regardless of how you get there. Pay special 
  attention to the workflow between your security and operations teams, 
  and the reporting requirements of federal regulators such as the 
  Homeland Security Department's US-CERT. Business process, not 
  network architecture, is what really drives a SIM system. 

* Outline the additional, survivable storage infrastructure that may 
  be needed to keep SIM data not only available to security analysts 
  but archived for compliance. You might need to design a storage 
  hierarchy and buy new RAID devices, storage area networks and 
  appliances to ensure SIM data is available for a multitude of 
  security and compliance purposes, but at a cost that doesn't break 
  the budget. 

* Ask vendors how their products employ caching, failover and 
  redundancy in order to respond to a database crash. Don't overbuy 
  if your needs are modest enough to be served by an affordable 
  appliance that doesn't have failover features. 

* Choose your database wisely. Most vendors offer so-called 
  open-standards databases such as Oracle, but may keep their 
  programming hooks private. Some claim their proprietary databases 
  have performance and analytical advantages over more generic 
  relational databases. 

* Make sure the SIM product can collect all your relevant data, not 
  just from intrusion detection systems, firewalls and other security 
  devices, but also from operating systems and both custom and 
  commercial applications. If there's no prebuilt connector for a data 
  source, take a look at the vendor's integration wizards and support 
  services. 

* Ask the vendor how easy it is to customize the tool's correlation 
  rules to suit your unique environment. 

* Scrutinize scalability. Besides handling your current load of 
  security events (probably a bytes- or events-per-second number 
  that you already know), SIM solutions should scale up and out to 
  meet your anticipated growth. 

* Ask vendors to explain the assumptions behind their performance 
  metrics, which can vary. Rule of thumb: The more devices to monitor, 
  the heavier the data load. But be aware that once chosen, the vendor 
  will work closely with your agency to get a handle on your environment. 

* Look for a healthy complement of canned report formats for key 
  compliance regulations, especially FISMA, GLBA and HIPAA. 

* Watch out for version dissonance between your security devices and 
  the SIM product. If you’ve recently upgraded an IDS, for example, 
  make sure the vendor supports it or has plans for doing so. 

© 1996-2006 Post-Newsweek Media, Inc. All Rights Reserved.

More information about the ISN mailing list