GCN Home > 04/17/06 issue
RFP checklist: Security information management
By David Essex, Special to GCN
Looking to deploy a security information management solution? Before sending out an RFP or RFI, experts say you should consider the following:

- Begin with the end in mind. Ask yourself what you want to achieve with a SIM system, regardless of how you get there. Pay special attention to the workflow between your security and operations teams, and to the reporting requirements of federal regulators such as the Homeland Security Department's US-CERT. Business process, not network architecture, is what really drives a SIM system.

- Outline the additional, survivable storage infrastructure that may be needed to keep SIM data not only available to security analysts but archived for compliance. You might need to design a storage hierarchy and buy new RAID devices, storage area networks and appliances to ensure SIM data is available for a multitude of security and compliance purposes, but at a cost that doesn't break the budget.

- Ask vendors how their products employ caching, failover and redundancy in order to respond to a database crash. Don't overbuy if your needs are modest enough to be served by an affordable appliance that doesn't have failover features.

- Choose your database wisely. Most vendors offer so-called open-standards databases such as Oracle, but may keep their programming hooks private. Some claim their proprietary databases have performance and analytical advantages over more generic relational databases.

- Make sure the SIM product can collect all your relevant data, not just from intrusion detection systems, firewalls and other security devices, but also from operating systems and both custom and commercial applications. If there's no prebuilt connector for a data source, take a look at the vendor's integration wizards and support services.

- Ask the vendor how easy it is to customize the tool's correlation rules to suit your unique environment.

- Scrutinize scalability. Besides handling your current load of security events (probably a bytes- or events-per-second number that you already know), SIM solutions should scale up and out to meet your anticipated growth.

- Ask vendors to explain the assumptions behind their performance metrics, which can vary. Rule of thumb: The more devices to monitor, the heavier the data load. Be aware, too, that once chosen, the vendor will work closely with your agency to get a handle on your environment.

- Look for a healthy complement of canned report formats for key compliance regulations, especially FISMA, GLBA and HIPAA.

- Watch out for version dissonance between your security devices and the SIM product. If you've recently upgraded an IDS, for example, make sure the vendor supports it or has plans for doing so.