Mike Rothman takes issue with my SIM post. Basically, I said that it is a good thing that ArcSight is trying to create a standard log format for SIMs. Mike disagrees.
Let it be known that I DO have a SIM in place now, and I have received some value from it. I think the value that anyone gets from a SIM depends a lot on your environment and on how the SIM is implemented. This is the same as with any security product. Is SIM living up to its expectations? No, it is not. I agree with Mike on this point. But I do not believe that SIM is dead.
So I stand by my assertion that a common reporting standard for security appliances is a good thing, though I agree with Mike that it will be years before this has any real benefit, because vendors are slow to move on such things. I also agree with Mike that SIM does not meet expectations right now. Vendors very clearly point out what their product will do and then steer away from the security appliances and products it will not support, so the ol' bull shitake meter definitely hits the high end of the scale when they try to push something on me. But I don't necessarily think it is a lost cause.
Here’s a quote from Mike about SIM:
It's all about being able to 1) prioritize efforts and remediate faster, and 2) crank out a report to keep the auditor happy.
The point is that if we can get a common standard, number one can be met. Should we just throw out SIM when there is a possibility of a standard that may give us what we are asking of SIM now? No, I don't think so. There can be some value now if, again, you implement it well. But the problem here is what Mike says about the timing and when we would see that value. So if you do not have a SIM yet, I would say do a LOT of research before getting one, and I would possibly recommend against it at this time (and with the advent of UTMs, you may not need to get one if you go that route).
On point two, I think Mike's really big analyst's hat is getting in the way. He is forgetting about us little people! Auditing is a REALITY that I and my fellow security managers have to deal with. I am all about securing my network and getting everything else out of my way. If I can satisfy an auditor and get him out of my hair by producing a report from a SIM, I am damn sure going to do it. If a SIM makes 'em happy, then I will spend the money. That is value to me right there! That may not sound fiscally responsible, but the less time I have to spend answering questions from some dude who is reading off of a script, the more time I have to actually do my job.
So overall, I disagree with Mike that the common format is not a good thing. I think Mike is trying to throw out SIM when there is a possibility of it actually giving a lot of value later down the road. But if you do not have SIM now, take a long, hard look before buying.
Vet