
3. Introduction

There has been a clear increase in the adoption of log management tools and SIEM (Security Information and Event Management) technology in the UK over recent months. It is generally considered that this increase is being driven by security and compliance needs, specifically PCI and GCSx. Funding for SIEM technology deployments is driven in large part by the need to quickly address regulatory compliance issues, but most organisations also want to use the data that is being collected to improve their security monitoring capabilities.

An optimal solution will:
- support the real-time collection and analysis of log data from host systems, security devices and network devices
- support long-term storage and reporting
- not require extensive customisation, and be easy to support and maintain

Other factors that should be considered include ease of deployment, ease of support and log management functionality and, to a lesser extent, advanced event management functions or the ability to heavily customise a SIEM deployment. An organisation's product selection decision should be driven by its organisation-specific requirements in areas such as the relative importance of SIEM capabilities versus log management; the ease and speed of deployment; the IT organisation's support capabilities; and integration with established network, security and infrastructure applications.

We have tried to provide some detail about the vendor offerings in the SIEM space relating to these requirements, as well as other information that may assist with determining the best solution for an organisation's needs. For the purposes of this report, these requirements have been categorised under the following headings: Architecture, Management/Administration, Supported Devices, and Reporting/Alerting.
A breakdown of the information to be found within each of these categories can be found below:

SIEM/Log Management Analysis

Architecture
- Product range: A brief summary of the product range, including detail of the various architectural components.
- Software or appliance: Whether the solution is software or appliance based.
- Clustering options: Information regarding the HA/load balancing options for the product.

Management/Administration
- Installation: A discussion on the ease of installation/deployment of the solution.
- Ease of administration: A discussion on the look and feel of the GUI.
- Licensing: Information regarding the licensing of the product.
- Backup/restore: An overview of the available backup/restore options and process.
- Data Management: A summary of the data retention/deletion options.

Supported Devices
- Range of supported devices: A review of how many devices are currently supported and whether support is available for the latest versions of those devices.
- Log collection options for unsupported devices: A summary of the available options for log collection from devices not 'officially' supported by the vendor.
- New device support: Information regarding the frequency of updates for new device support.

Reporting/Alerting
- Compliance reports/templates: A review of which (if any) industry compliance standards each vendor has produced reports for.
- Real time analysis: A look at whether logs can be monitored in real time.
- General reporting capabilities: A general overview of the reporting capabilities (including scheduling options).
- Alert configuration: A summary of the alerts that can be configured (deviation from baseline, etc.).
- Event correlation: Information regarding if and how events can be correlated to produce alerts.

What follows below is a review of some of the products in the log management/SIEM space against the requirements defined above, as well as an overall summary of each product and its relative pros and cons. The products being reviewed are:
- RSA enVision
- Juniper Security Threat Response Manager (STRM)
- Check Point Eventia Analyzer
- LogLogic
- LogRhythm
