How to Identify and Respond to Security Threats
(Date: 31.03.2008 02:14:40)

The term security information management (SIM) is broad enough to cover a multitude of strategies, functions, products and services. At CA, however, it means something very specific: analyzing IT activity to identify, prioritize and respond to attacks on corporate information.

"Security information management does not audit activity," explains John Hawley, director of product management, Security Information Management, at CA. "Instead, it collects the audit output from a company's operating systems, applications and security devices and puts it in a common form for analysis, correlation, incident response and reporting.

"SIM involves more than just security. It ties into the IT infrastructure and is based on business practices. It also complements identity and access management [IAM] systems by identifying user accounts or identities that are added or modified manually outside the IAM process. If a suspicious account is identified, SIM can quickly provide an audit trail of what was done with the account and what data the user accessed."

A key benefit of SIM, according to Hawley, is that it stores all the audit logs in a central, secure database. As a result, even if a machine is compromised, an attacker will be unable to remove his or her tracks.

Compliance Drives the Market

The ability to provide good data management is essential because compliance mandates such as the Sarbanes-Oxley (SOX) Act and the Health Insurance Portability and Accountability Act (HIPAA) require that critical logs be accessible — and kept securely — for years. In fact, the adoption of SIM has grown significantly with the rise of compliance mandates. "Compliance is what's driving the market for audit logs these days," Hawley says.

And it's not just large corporations that are affected by these mandates. For example, all healthcare organizations must adhere to HIPAA regulations, and all organizations that process credit card transactions are affected by the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements designed to enhance the security of payment account data.

One of the PCI DSS requirements states that organizations processing credit card transactions cannot use vendor-supplied defaults for system passwords and other security parameters. SIM helps meet this requirement by collecting login events from the environment and reporting on the use of accounts such as Administrator, SA, Guest and Root, which provide elevated privileges that a hacker might exploit.
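As an added illustration (not CA's product and not code from the article), here is the collection-and-reporting step described above: audit lines from different sources are mapped into one common form, and successful logins by built-in privileged accounts are counted per host. The log formats, host names and addresses are constructed samples.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample audit records (not real logs): Windows logon events,
# Linux sshd entries and a database login, as a SIM collector might receive them.
SAMPLE_LOGS = [
    "2008-03-31T02:14:40 host=dbsrv01 src=windows EventID=4624 TargetUserName=Administrator LogonType=10",
    "Mar 31 02:15:02 websrv01 sshd[2231]: Accepted password for root from 10.0.0.7 port 51022 ssh2",
    "Mar 31 02:15:30 websrv01 sshd[2240]: Accepted publickey for deploy from 10.0.0.9 port 51030 ssh2",
    "2008-03-31T02:16:11 host=appsrv02 src=windows EventID=4624 TargetUserName=jsmith LogonType=2",
    "2008-03-31T02:17:05 host=dbsrv01 src=mssql login=sa status=success src_ip=10.0.0.7",
    "Mar 31 02:18:44 websrv01 sshd[2255]: Accepted password for root from 10.0.0.7 port 51040 ssh2",
]

# Built-in accounts named in the article whose use a PCI DSS report should surface.
PRIVILEGED_DEFAULTS = {"administrator", "sa", "guest", "root"}

class LoginEvent(NamedTuple):
    host: str
    user: str
    source: str

# One parser per source format; each yields the common LoginEvent form.
# 4624 is the Windows "successful logon" event; the other formats are constructed.
WINDOWS_RE = re.compile(r"host=(\S+) src=windows EventID=4624 TargetUserName=(\S+)")
SSHD_RE = re.compile(r"^\S+ \d+ [\d:]+ (\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from")
MSSQL_RE = re.compile(r"host=(\S+) src=mssql login=(\S+) status=success")

def normalize(line: str) -> Optional[LoginEvent]:
    """Map a raw audit line from any supported source to the common form."""
    for source, pattern in (("windows", WINDOWS_RE), ("sshd", SSHD_RE), ("mssql", MSSQL_RE)):
        m = pattern.search(line)
        if m:
            return LoginEvent(host=m.group(1), user=m.group(2), source=source)
    return None  # unrecognized format: not a login event we can report on

def privileged_default_logins(lines) -> Counter:
    """Count successful logins by built-in privileged accounts, per host, account and source."""
    counts: Counter = Counter()
    for line in lines:
        ev = normalize(line)
        if ev and ev.user.lower() in PRIVILEGED_DEFAULTS:
            counts[(ev.host, ev.user.lower(), ev.source)] += 1
    return counts

if __name__ == "__main__":
    for (host, user, source), n in sorted(privileged_default_logins(SAMPLE_LOGS).items()):
        print(f"{host:10} {user:14} via {source:8} {n} login(s)")
```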

Though large enterprises often build comprehensive security operations, many organizations don't need all the capabilities provided by a traditional SIM. These small and midsize companies can start with a subset of SIM known as log management, which provides the reporting necessary to satisfy compliance requirements and pass security audits without the complexity of a correlation engine and incident management.

"There is huge business demand created by enterprises that need to pass a security audit — and, often, they need to do it quickly," Hawley says. "These organizations can start with a log management system and add other security components, such as a correlation engine, later."

SIM Best Practices

When it's time to consider implementing a SIM system, there are some best practices to guide companies. According to Hawley, they include the following:

Set realistic goals and make detailed plans.
Have all relevant groups — security, IT, operations, etc. — work together to ensure that the security system meets everyone's needs.
Start with a small pilot project, with a PCI- or SOX-affected asset, for example.
Determine the type of output and reports you require and set them up.
Once the pilot has been completed successfully, roll out the system in a phased approach.

"When you're implementing security information management, it's important to remember that security doesn't exist in a silo," Hawley advises. "It's part of the whole enterprise. Security information must always be presented in ways that are relevant to the business, with reports that are written in the context of the business."
Source: http://www.ca-itmanagement.com/c/a/Security-Blog/How-to-Identify-and-Respond-to-Security-Threats/