The key tasks of security information management (SIM) and security event management (SEM) systems are to gather data; normalize data; correlate events (eliminate duplicates and check for patterns); respond appropriately; and learn. These systems must also contain the ability to review security events generated by disparate devices; allow correlation of those events with business criticality ratings and external threats; present the information on a dashboard that allows real-time analysis, prioritization and risk reporting; enable policy and regulatory compliance; and improve management of security resources.
It turns out that there are several things that can make a SIM/SEM offering unique. The first, is the ease with which the product can be deployed and used. On the surface, these products are very straightforward to implement.
Another differentiator is price. Some of the software products are priced deceptively low; "deceptively," because you need to take into account the cost of hardware, which can include multiple platforms, an external database if the product does not accept a free one such as MySQL, and the expense of deployment resources.
A final differentiator is performance. We found that while the appliances gave us a lot of good information, the software products were a lot more versatile. That flexibility comes with a downside, of course. They are more laborious to implement than the appliances.
Product: TriGeo SIM
Vendor: TriGeo Network Security
Verdict: One of the few products we've tested over the years that actually lives up to its hype. Website: www.trigeo.com
Vendor: High Tower Software
Verdict: A top drawer SEM product. It is powerful, flexible and packed with features.