Sunday, September 2, 2007

Symantec Security Information Manager by Security | Paul Agbabian

Overview

Symantec Security Information Manager (SSIM) enables IT organizations to identify, prioritize, investigate, and respond to security threats that impact mission-critical business applications. It serves as a log consolidation system for identity management monitoring, compliance, and forensics requirements. Real-time correlation of network and host security breaches with Symantec's trusted global security threat intelligence makes SSIM the vehicle for a world-class incident response system that ensures the integrity of business-critical information assets.

SSIM ensures the integrity and security of information assets by delivering the following capabilities:

* Captures, filters, normalizes, and reports on security and availability events from a myriad of Symantec and leading third-party host and network products (event logs, antivirus, firewall, intrusion detection/prevention, vulnerability management, policy compliance, backup, etc.) and custom data sources, enabling IT to identify critical breaches in heterogeneous or complex network environments.
* Centralizes log management for compliance and forensics requirements, retaining normalized and raw event information in an online, searchable, compressed format that is easy to manage and inexpensive to maintain for very long periods of time.
* Queries, plays back, and reports on arbitrary histories of identity and user activity, host, IP address, or any other normalized event field.
* Correlates security events in real time using a high-speed, patent-pending, multistage pattern-based engine, helping IT to reduce events and logs into prioritized incidents and focus on solving the most serious problems first.
* Implements a patent-pending multistage normalization and classification service.
* Tracks security incidents and related response activities throughout their lifecycle, from ticket creation to closure, helping IT to quickly and effectively remediate problems.
* Integrates into the enterprise infrastructure, including existing management and ticketing systems, so that IT can leverage its legacy investments and processes by way of industry-standard web-service interfaces.
* Reports on compliance and security incident metrics, enabling businesses to visualize and refine the effectiveness of their security processes and posture.
* Scales via a distributed architecture from simple to complex configurations with a single point of administration.
* Delivers best-in-class functionality packaged as a high-performance appliance that is easy to deploy, use, and manage, lowering both solution cost and cost of ownership.
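The two capabilities the list leans on most, normalizing heterogeneous log lines into one event schema and then running a multistage correlation that reduces them to a prioritized incident, are illustrated below. This is an added example written for this page, not Symantec's code; the log lines, the schema fields, and the "N failures then a success" rule are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events from two heterogeneous sources (not real SSIM data).
RAW_EVENTS = [
    "2007-09-02T10:00:01 fw01 kernel: DENY TCP 203.0.113.7:4431 -> 10.0.0.5:22",
    "2007-09-02T10:00:05 host01 sshd[812]: Failed password for alice from 203.0.113.7 port 4432",
    "2007-09-02T10:00:09 host01 sshd[813]: Failed password for alice from 203.0.113.7 port 4433",
    "2007-09-02T10:00:12 host01 sshd[814]: Failed password for alice from 203.0.113.7 port 4434",
    "2007-09-02T10:00:20 host01 sshd[815]: Accepted password for alice from 203.0.113.7 port 4435",
    "2007-09-02T10:01:00 host02 sshd[900]: Accepted password for bob from 198.51.100.2 port 5000",
]
# Normalization: one parser per source type maps raw text onto a common schema (assumed fields).
SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) (\S+) kernel: (DENY|ALLOW) \S+ (\S+):\d+ -> (\S+):\d+")

def normalize(line):
    """Return a normalized event dict, or None if no parser claims the line."""
    m = SSHD_RE.match(line)
    if m:
        ts, host, outcome, user, src = m.groups()
        return {"ts": ts, "host": host, "category": "authentication",
                "outcome": "failure" if outcome == "Failed" else "success",
                "user": user, "src_ip": src}
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, dst = m.groups()
        return {"ts": ts, "host": host, "category": "network",
                "outcome": "blocked" if action == "DENY" else "allowed",
                "user": None, "src_ip": src}
    return None

def correlate(events, threshold=3):
    """Stage 1 counts failures per (user, src_ip); stage 2 turns a later success from that pair into an incident."""
    failures = defaultdict(int)
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "authentication":
            continue  # network events are kept in the store but not part of this rule
        key = (ev["user"], ev["src_ip"])
        if ev["outcome"] == "failure":
            failures[key] += 1
        elif failures[key] >= threshold:  # success after N or more failures
            incidents.append({"user": ev["user"], "src_ip": ev["src_ip"],
                              "failures": failures[key], "priority": "high"})
    return incidents

def run(lines=RAW_EVENTS):
    """Normalize every line that a parser recognizes, then correlate the result."""
    normalized = [ev for ev in map(normalize, lines) if ev]
    return normalized, correlate(normalized)
```

Six raw lines reduce to one high-priority incident for alice from 203.0.113.7; bob's single success yields nothing because no failures precede it.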

Architecture

The SSIM system is packaged as an appliance and is built on Symantec's standards-based enterprise security architecture. The architecture and its services form a directory-enabled distributed system whose administration model is based on the DMTF Common Information Model (CIM) and its CIM-LDAP mappings.

Event services provide SSIM with its underlying event schema, event collection, forwarding and routing channels, detailed event storage, event-level access control, preferred-language event display, and query services. The event service uses the CIM-XML protocol, as well as a highly efficient compressed CIM-XDR binary protocol, over HTTPS. SSIM adds a custom event service router to feed events to its correlation engine in near real time.

An extensible event collection framework and collector studio enable collection of log data and real-time events using a variety of sensor types, including file, syslog, Windows event log, database, SNMP, and popular vendor-specific sources.

Alerting and notification services provide multiple channels of communication to users and service desk systems based on rules and schedules. Service desk channels are bidirectional.

Directory services provide authentication, user white pages, role-based access control, service access point location, and multidomain organizational management for a trusted federation of multiple systems with single sign-on capabilities. Delegation of authority and complex segregation of duties are customizable by product, task, organizational unit, groups of users, rules, queries, reports, and entire administrative domains for regional or SOC management.

Policy configuration services provide centralized configuration of a large number of SSIM systems and collectors.

Failover of SSIM services, event data stores, and directory services enables a high-availability, enterprise-class system. A statistics service monitors the health and liveness of system infrastructure components, and monitors event and rule processing in real time.


Article Source : www.symantec.com
