Friday, December 28, 2007

Security Event Management Gets Specialized 2

WHERE DO I PUT THIS THING?

A SEM system is a serious architectural commitment, and one that will likely spread into various areas of your network. That's because a SEM system is only as valuable as the data it gathers and you feed into it. Thus a full-blown SEM deployment will have components liberally sprinkled throughout your network.

Although the details vary for specific SEM products, the general deployment principles are the same. At the heart of SEM is the analysis center, a database-driven system that generates alerts based on both canned and user-defined rules and lets operators run queries against its storehouse of information.

You can choose between appliances and software for your analysis center, with the requisite trade-offs of each. Appliances are generally easier to deploy, but you will be limited to the processing power and database capacity the manufacturer provides. A software solution lets you size your analysis center as you see fit, but you're also stuck licensing an OS (and possibly a database application), stripping out unnecessary functions, and keeping all components patched and updated.

The analysis center gathers information from several sources. In some cases, it will receive raw log data directly from other devices, such as firewalls. In other cases, you can deploy intermediary collection devices (again, either appliances or software-based solutions) to gather event data and pass it on to the analysis center. These collectors may passively accept data, or be configured to poll devices such as servers at regular intervals to download logs and events. As an added benefit, they can often do basic correlation and aggregation, weeding out duplicate or insignificant events and delivering normalized information to the analysis center for faster processing.
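The collector behaviour described above, as an added example in Python that is not from the article or any SEM product: two made-up raw log formats are normalized onto one schema, routine permits and unparseable lines are dropped but counted, and identical denies inside a 60-second window are collapsed into a single record with a count before being handed to the analysis center.

```python
import calendar
import re
import time

# Constructed sample raw lines in two made-up device formats (not from the article).
RAW_LOGS = [
    "1199000000 fw1 DENY src=10.0.0.5 dst=192.0.2.10 dport=22",
    "1199000001 fw1 DENY src=10.0.0.5 dst=192.0.2.10 dport=22",
    "1199000002 fw1 DENY src=10.0.0.5 dst=192.0.2.10 dport=22",
    "1199000003 fw1 ACCEPT src=10.0.0.8 dst=192.0.2.20 dport=443",
    "1199000070 fw1 DENY src=10.0.0.5 dst=192.0.2.10 dport=22",
    "2007-12-28T10:00:05 fw2 blocked 10.0.0.9 -> 192.0.2.10:22",
    "garbage the parser cannot understand",
]
FMT_A = re.compile(r"^(\d+) (\S+) (DENY|ACCEPT) src=(\S+) dst=(\S+) dport=(\d+)$")
FMT_B = re.compile(r"^(\S+) (\S+) (blocked|allowed) (\S+) -> (\S+):(\d+)$")
WINDOW = 60  # seconds; identical events inside one window collapse into one record

def normalize(line):
    """Map one raw line onto the collector's common schema, or None if unparseable."""
    m = FMT_A.match(line)
    if m:
        ts, dev, action, src, dst, dport = m.groups()
        return {"ts": int(ts), "device": dev, "action": action.lower(),
                "src": src, "dst": dst, "dport": int(dport)}
    m = FMT_B.match(line)
    if m:
        ts, dev, action, src, dst, dport = m.groups()
        epoch = calendar.timegm(time.strptime(ts, "%Y-%m-%dT%H:%M:%S"))  # treated as UTC
        return {"ts": epoch, "device": dev, "action": "deny" if action == "blocked" else "accept",
                "src": src, "dst": dst, "dport": int(dport)}
    return None

def aggregate(lines, keep_accepts=False):
    """Normalize, drop noise and unparseable lines, and collapse duplicates per window.
    Returns (events, stats); each event carries the 'count' of originals it stands for."""
    buckets, stats = {}, {"received": 0, "dropped": 0, "unparsed": 0}
    for line in lines:
        stats["received"] += 1
        ev = normalize(line)
        if ev is None:
            stats["unparsed"] += 1   # count these: silent parse failures become blind spots
            continue
        if ev["action"] == "accept" and not keep_accepts:
            stats["dropped"] += 1    # routine permits are noise for the analysis center
            continue
        key = (ev["device"], ev["action"], ev["src"], ev["dst"], ev["dport"], ev["ts"] // WINDOW)
        buckets.setdefault(key, dict(ev, count=0))["count"] += 1
    return list(buckets.values()), stats
```

The `stats` counters are what you would watch on a real collector: a rising `unparsed` figure means a device format changed and events are being lost before they ever reach the analysis center.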


Collection devices can handle only a limited number of events per second (vendor claims range from 2,000 to 10,000 events per second), so architects with very large networks or numerous branch offices will likely need to deploy multiple devices to manage the data load. As mentioned earlier, software-based collection devices will require additional management.

Some SEM systems may require deploying agents directly on machines. SEM vendors know that architects grimace at the word "agents" and tend to downplay their reliance on them, but agents are often a necessary component of a robust SEM system.

For SEM products that collect flow data such as NetFlow, JFlow, and sFlow or perform passive vulnerability assessment (discussed later), collection devices must be placed at switching junctions that afford the broadest possible scope of network traffic.


Source: http://www.networkcomputing.com/showArticle.jhtml?articleID=172302124