Price: $126,900 for 7550-HA for medium to large enterprises
System logs contain a treasure trove of valuable security information: In fact, there's so much information that a large organization would need a whole team dedicated solely to reading and analyzing logs. Early security information managers (SIMs) still required a large commitment of human resources and were burdened by hard-to-configure data collection.
However, SIM products such as Network Intelligence's enVision have matured into powerful, manageable tools that analyze all this data to deliver relevant and usable security information.
With the help of the onsite engineers that are provided during a normal install, we had the enVision (the 7550-HA model for medium to large enterprises) system running and collecting data in a few hours. The hardware itself is quite powerful, capable of collecting more than 7,500 events per second. This speed is helped by the use of a unique data storage system; instead of a typical relational database, enVision's proprietary LogSmart IPDB stores all log files in native format, generates metadata to speed retrieval and compresses logs to increase available storage space.
A single Web-based management interface provides access to the dashboard as well as reporting and device configuration.
Logs are received primarily through syslog, although other methods are supported for a number of devices and software, including Check Point Software Technologies and Cisco System products. A script on host devices converts other log formats to syslog, and you can also import vulnerability data. Setting up an event source can take a little work on the log-generating device and pointing the syslog function to the appliance.
We ran several log-based data feeds into enVision, running it for several weeks to create a baseline, then dove into the interface, which gives you numerous ways to show and analyze data. The real-time configurable dashboard shows a highly customizable view of your current network activity at a glance, such as events within the last few hours, bandwidth usage and recent alerts.
Highly configurable alerting allows you to set up correlated alerts based on trigger conditions, including time parameters such as "a user has five failed authentications in 30 seconds." Powerful and flexible custom correlation rules are easy to create, using different sources, including host, network, security and storage devices, allowing you to tailor alerts for your environment.
Views can be configured to contain any number of devices. Watching these configurable views, we were able to see just where in network alerts occurred without having to actually look into the logs.
Reports can be generated to show any fields of data that are present in the collected logs. While setting up and generating custom reports in this manner can be time-consuming, basic templates can facilitate the task and may be sufficient for some organizations. In addition, Network Intelligence packages several useful regulatory compliance reporting templates, such as HIPAA, Sarbanes-Oxley and PCI, in the product.
Typical reports include top infected systems (from McAfee, Symantec or Trend Micro); firewall information data (bandwidth, denied hosts per hour, denied outbound traffic) and Windows reports (shutdown/restarts, file access, application errors, policy changes).
enVision offers excellent value, especially for a growing company expecting greater performance requirements in the future. It's highly configurable, though typically that means you have to put a lot into it to get the most out of it.
We fed enVision Windows event logs (from a domain controller), as well as Linux system logs and Oracle data, running it for several weeks to create a baseline.
*EMC announced in September 2006 that it is planning to acquire Network Intelligence.
This product review originally appeared in the November 2006 edition of Information Security magazine.