I have been reading up lately on SIM / SEM products (Security Information Management / Security Event Management). There is such a wide range of options and architectures available. One metric I consistently see is Events Per Second. There are devices that reportedly handle anywhere from 50 to over 10,000 Events Per Second and feeds from hundreds of devices. I would like to put that into real-world perspective.
I have a couple questions to those of you who have deployed SIM / SEM technology.
1. How many devices are sending information to your SIM?
2. Is the SIM / SEM handling the load, or is it sluggish when running reports, etc.?
3. Are you using your SIM / SEM for reporting or real-time activities?
I don’t care so much about the vendor; this isn’t for any type of bake-off. I’d love to hear any SIEM-related stories or experiences as well. Any responses will NOT be published on the blog unless you specifically want me to.
–Chris
Technorati Tags: Security Event, Security Information, SIM, SEM
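To put the Events Per Second figure into perspective, here is an added example (not from the original post) that measures average and peak EPS over a constructed block of syslog-style lines. The point it shows is that a vendor's rated EPS has to cover the busiest second, not the daily average; the host names and log lines are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of RFC 3164-style syslog lines (not real data);
# the 10 events are deliberately bursty so average and peak differ.
SAMPLE_LOG = """\
Aug 10 01:29:00 fw1 kernel: ACCEPT src=10.0.0.5 dst=10.0.0.9
Aug 10 01:29:00 fw1 kernel: DROP src=10.0.0.7 dst=10.0.0.9
Aug 10 01:29:00 ids1 snort: [1:2000:1] probe from 10.0.0.7
Aug 10 01:29:01 fw1 kernel: ACCEPT src=10.0.0.5 dst=10.0.0.10
Aug 10 01:29:01 dc1 security: 528 successful logon
Aug 10 01:29:03 fw1 kernel: DROP src=10.0.0.7 dst=10.0.0.11
Aug 10 01:29:03 fw1 kernel: DROP src=10.0.0.7 dst=10.0.0.12
Aug 10 01:29:03 fw1 kernel: DROP src=10.0.0.7 dst=10.0.0.13
Aug 10 01:29:03 fw1 kernel: DROP src=10.0.0.7 dst=10.0.0.14
Aug 10 01:29:04 dc1 security: 529 logon failure
"""

# "Mon DD HH:MM:SS host " prefix; the year is not in the syslog header.
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")


def events_per_second(log_text, year=2006):
    """Return (average_eps, peak_eps, per_host_counts) for a log block.

    Average = events / wall-clock span (last second counted inclusively).
    Peak = busiest one-second bucket, i.e. what the collector must absorb.
    """
    per_second = Counter()
    per_host = Counter()
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # unparsable line: not counted
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        per_second[ts] += 1
        per_host[m.group(2)] += 1
    if not per_second:
        return 0.0, 0, per_host
    span = (max(per_second) - min(per_second)).total_seconds() + 1
    return sum(per_second.values()) / span, max(per_second.values()), per_host


def fits_capacity(log_text, rated_eps):
    """True only if the busiest second stays within the rated EPS figure."""
    _avg, peak, _hosts = events_per_second(log_text)
    return peak <= rated_eps
```

On the sample the average is 2 EPS but the peak second carries 4 events, so a collector rated at 3 EPS would drop or queue events despite looking comfortable on average.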
August 10th, 2006 at 1:29 am
Hi Chris…
Recalling a past life, I implemented a mid-tier SEIM tool which I originally deployed as a centralized log consolidation and archival platform which, over time, evolved with the vendor’s software to a full-fledged SEIM solution.
We had approximately 250+ Windows (NT, 2K, 2K3) servers, some Linux, 4 firewall clusters (Crossbeam, Nokia, Pix) and some IDP reporting via various conduits: LEA, Syslog, SNMP, and Windows Events. This did not make up the entire enterprise, but rather things that provided critical control or were high-value assets.
On average we hit over 3700 events per second with the bulk of the log entries coming from the rather noisy FW/IDP devices as well as the steady state Windows stuff.
Yes, the reporting tended to be slow (slower than we would have liked), and we began to look at other alternatives as they came to market, such as SenSage and LogLogic, for the archival and fast search capabilities.
We used the dashboard for threshold notification (as real-time as it got for us), which triggered based upon device input and certain combinations/correlation of various abstracted/linked patterns indicating “anomalous” and potentially “bad” traffic.
Chris