CSO
Buyers' guide: Security information management
Follow InfoWorld's expert advice before shopping for a SIM solution to monitor network security and compliance
Curtis Franklin Jr. (InfoWorld) 09/01/2008 08:16:18

How will the information be correlated?

All SIMs gather information from the sources within the network. Some will gather information from external sources as well, ranging from public threat identification services to proprietary correlation networks. Beyond eliminating the need for your security engineer to open 93 windows on his or her workstation just to keep up with log files, a SIM adds value, to a great extent, through its capability of finding patterns in network traffic. This activity requires two primary traits: the capability of gathering data from various places and the intelligence to turn all that data into meaningful information. Both are critical. Just as the SIM must draw information from all of the important components of your network, the correlation data must come from sources you trust.
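To make the two traits concrete, here is an added illustration (not code from the article or from any SIM vendor) of a minimal correlation step: events are normalized from two internal sources, a firewall log and an SSH authentication log, grouped by source address, and an incident is raised when failed logins are followed by a success; an external threat list, standing in for the public threat feeds the article mentions, only adjusts severity. All log lines, addresses and the threat list are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample events from two internal sources (firewall and auth log).
FIREWALL_LOG = [
    "2008-09-01T08:00:01 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2008-09-01T08:00:03 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2008-09-01T08:00:05 fw1 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
]
AUTH_LOG = [
    "2008-09-01T08:00:06 host5 sshd: Failed password for root from 203.0.113.7",
    "2008-09-01T08:00:09 host5 sshd: Failed password for root from 203.0.113.7",
    "2008-09-01T08:00:12 host5 sshd: Accepted password for admin from 203.0.113.7",
    "2008-09-01T08:01:00 host5 sshd: Accepted password for alice from 192.0.2.10",
]
# Constructed stand-in for an external threat feed; it must come from a source you trust.
EXTERNAL_THREAT_LIST = {"203.0.113.7"}

FW_RE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) src=(\S+) dst=\S+ dport=\d+")
AUTH_RE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)")


def parse_events(fw_lines, auth_lines):
    """Normalize both sources into one event shape: timestamp, source, action, ip."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "src": "firewall", "action": m.group(2), "ip": m.group(3)})
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "src": "auth", "action": m.group(2), "user": m.group(3), "ip": m.group(4)})
    return events


def correlate(events, threat_list):
    """Raise one incident per source IP whose failed logins are followed by an accepted login.
    Membership in the external threat list raises severity but never creates an incident alone."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_ip[e["ip"]].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["action"] == "Failed"]
        later_ok = [e for e in evs if fails and e["action"] == "Accepted" and e["ts"] > fails[-1]["ts"]]
        if fails and later_ok:
            incidents.append({"ip": ip, "failed": len(fails), "accepted_user": later_ok[0]["user"],
                              "sources": sorted({e["src"] for e in evs}),
                              "severity": "high" if ip in threat_list else "medium"})
    return incidents
```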

How are reports generated?

It's one thing to be notified that unauthorized activities are happening on the network. It's another thing entirely to convince less security-savvy network management to do anything about it. You want your SIM to be capable of generating reports to support your call for action -- and to generate them quickly. If the product comes with prepackaged reports that you can modify to provide the information specific to your organization and incident, then you're way ahead of the game.

Prepackaged reports are critically important time-savers when it comes to regulatory-compliance audits. If you know the format your auditing agency requires, then by all means ask whether those reports are included with your candidate SIM. Regulatory compliance audit reports could, by themselves, justify the purchase of a SIM system.

How can you look at highlighted incidents?

Reports are important in many situations, but for day-to-day security analysis, you'll spend much more time interacting with a security dashboard. A clean, well-organized dashboard and the ability to drill into reported incidents by time, severity, and type will mean the difference between productivity and frustration. How easily can you highlight a particular time period and analyze traffic by the criteria that you specify? How easy does the correlation engine within the client make it to look for patterns within a specified time? Is it effortless or difficult to look at traffic or interactions between specific addresses or types of clients?

With just about any product, you'll want a dashboard that has an initial set of analysis screens that get you started in a meaningful way. You'll also want something with easily customized screens and automated analysis runs to meet your needs.

How can you share information with other applications?

A SIM is, without question, a powerful part of a security infrastructure, but it can't do it alone. You'll need other hardware and software to deal with the incidents discovered by the SIM, and life will be easier if the SIM itself can handle some of the interaction with those other pieces of infrastructure. As you're looking at SIMs, think about how you want the humans in the security hierarchy to work with the automated systems. Do you want the systems to take care of as much as possible, then notify staff as to what has been done? Or do you want the humans to keep their hands on the controls while the systems provide intelligent help?

Some SIMs will work in either of these ways -- or in both, as you begin with humans in control and gradually give more authority to the system as you gain confidence in its capabilities. Ask the vendors about which model they follow so that you can zero in on those that match your deployment expectations.

How easy is the SIM to install and configure?

This is the big wild card. As with virtually any category of hardware or software, there are products that are relatively easy to install, and there are some that will occupy your every waking moment for far too long. In most cases, deploying a SIM will break down into two lengthy tasks: arranging for the SIM to gather information from the network, and arranging for you to glean information from the SIM.
