Symantec Security Information Manager (SSIM):
This note is written with the beginner security admin, auditor, or IT governance staff of an organization in mind, who may be evaluating and implementing SSIM. I will try to keep this as simple as possible; this note is only meant to develop an initial understanding.
What SSIM is Capable of Doing:
SSIM is a centralized log management product that collects and correlates the logs of many systems (OS, DB, security devices, etc.). For example, if 30 systems (let's assume all Windows 2003 OS for simplicity) are integrated with SSIM, then the logs of all 30 systems go to SSIM. The Correlator component of SSIM correlates those logs and generates a security risk incident, if any, based on them.
Let's understand this with respect to a password guessing attack on a server OS. In the absence of SSIM, every unsuccessful login attempt is captured in the logs, but no alarm is generated. At most, the account is locked out, and it is unlocked again after some time. When SSIM is implemented, a rule can be made where, if there are 5 unsuccessful login attempts within an interval of, say, 300 seconds, an incident of password guessing attack is raised. SSIM receives the same logs that are available on the server, but SSIM is able to correlate the server's logs and raise an incident if there is a security risk. Now, if there are 5 unsuccessful login attempts on the server within 300 seconds, the password guessing attack rule is triggered and a security risk incident is generated in SSIM. Security admins who are monitoring SSIM will come to know about the attack immediately.
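To make that rule concrete, here is an added example (not SSIM's own code or rule syntax): a small sliding-window correlation in Python over constructed sample failed-logon records, which raises an incident when 5 failures for the same host and user fall within 300 seconds, and also shows that 5 failures spread over a longer period do not trigger it. The log format, host names and user names are assumptions made for the example.

```python
# Added example, not SSIM code: a sliding-window "password guessing" rule.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records in an assumed "timestamp host user outcome" format,
# in chronological order (the correlator assumes events arrive time-sorted).
SAMPLE_LOGS = """\
2009-03-01T10:00:01 srv01 alice FAILURE
2009-03-01T10:00:20 srv01 alice FAILURE
2009-03-01T10:01:05 srv01 alice FAILURE
2009-03-01T10:02:30 srv01 alice FAILURE
2009-03-01T10:03:40 srv01 alice FAILURE
2009-03-01T10:09:00 srv01 bob FAILURE
2009-03-01T10:10:00 srv01 carol FAILURE
2009-03-01T10:12:00 srv01 carol FAILURE
2009-03-01T10:14:00 srv01 carol FAILURE
2009-03-01T10:16:00 srv01 carol FAILURE
2009-03-01T10:18:00 srv01 carol FAILURE
2009-03-01T10:30:00 srv01 bob SUCCESS
"""

THRESHOLD = 5        # failed logons that trigger the rule (as in the text)
WINDOW_SECONDS = 300 # length of the sliding window (as in the text)


def parse_line(line):
    ts, host, user, outcome = line.split()
    return datetime.fromisoformat(ts), host, user, outcome


def correlate(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return (host, user, time) incidents: one each time `threshold` failures
    for the same host/user fall within `window` seconds of each other."""
    failures = defaultdict(deque)  # (host, user) -> timestamps of recent failures
    incidents = []
    for line in log_text.splitlines():
        ts, host, user, outcome = parse_line(line)
        if outcome != "FAILURE":
            continue               # successes do not count towards the rule
        q = failures[(host, user)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()            # forget failures that fell out of the window
        if len(q) >= threshold:
            incidents.append((host, user, ts))
            q.clear()              # one burst raises one incident, not several
    return incidents
```

Alice's five failures span 219 seconds and raise one incident; Carol's five are two minutes apart, so never more than three fall inside any 300-second window and no incident is raised.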
Similarly, a malware attack can be identified after correlating the SEPM logs that come to SSIM. Other rules could be internal port scan detection, scan followed by attack, Windows privileged activity, etc. I am giving these rule names only to provide a feel of what SSIM can do and prevent; many such rules can be used.
Therefore, in a nutshell, SSIM receives logs from all the systems integrated with it (OS, DB, firewall, SEPM, etc.) and correlates those logs to identify a security risk; when one is found, a security risk incident is generated.
Another benefit of implementing SSIM is that we can query SSIM for many different types of customized reports. For example, if AD domain controller logs are going to SSIM, a query can be run to fetch a report of a domain user's sign-in and sign-out times over a period of time, say one month.
Now the next question is: how can this be achieved? What are the components involved? Let's see.
Components of SSIM:
SSIM has the following components:
1. One or more collector servers and agents
2. Archiver
3. Correlator
4. Service Provider
There are hundreds of types of collector agents: for example, the collector agent for Win2k3, the collector agent for Checkpoint firewall, and the collector agent for SEPM, just to name a few. Almost all popular products across all vendors have SSIM collector agents available. Collector agents may or may not require some nominal rights on the server. Collector agents can reside on the server itself (onbox) or work from another server (offbox). These agents send logs to the collector server.
Once logs are collected, they are sent to the Archiver for raw storage. The Archiver needs to have a huge internal disk, or needs to have a SAN mounted. The amount of storage depends on the number of servers/devices integrated.
The Correlator does the intelligent work of correlating the logs and generating incidents based on the rules defined.
The Service Provider is the interface for the SSIM monitoring team. All users connect to the Service Provider to see the SSIM console. The SSIM client needs to be installed on the desktop/laptop for connecting to the SSIM console. There are many different types of privileges that can be assigned to different kinds of users, as per their role.
So, once all the servers and devices, or at least the critical ones that are under the scope of audit (internal or external), are integrated, SSIM becomes the single point of information for all audit-related queries where logs need to be looked into.
SSIM is not software that can run on any platform. It is an appliance-based solution offered by Symantec, which runs on a customized Linux platform.
Post SSIM Implementation Process:
To monitor the security incidents, there should be a 24x7 security team. This team should look at the security risk incidents and do the preliminary analysis. Based on the severity of the incident, it should be properly raised and remedial action should be taken.
SSIM is a very robust and stable solution.
For more details:
SSIM is capable of doing much more. It is a very large security application and a must-have for all security-risk-sensitive organizations. This category of products is also called Security Information and Event Management (SIEM).