A Special Analysis for Dark Reading

Information overload is one of information security professionals' biggest enemies: The job of sorting through and making sense of event data, and then acting on it in a timely manner, is crucial. A lack of proper tools to manage that information can leave you floundering in mountains of data -- unable to protect your sensitive IT resources.

A slew of commercial security information management (SIM) tools are available that pinpoint events, systems, or areas of concern, and provide you with actionable data. But these tools often come with a hefty price tag, just as shrinking and nearly nonexistent budgets are leaving infosec pros looking for alternatives to expensive commercial solutions. Fortunately, there are several free and low-cost solutions -- from basic event correlation to complex asset management, monitoring, and event correlation -- to consider.

SIM, which also comes in the form of security event management (SEM) and security information and event management (SIEM), can keep track of systems on a network and vulnerability-scan data for those systems and events from an intrusion detection system (IDS) like Snort, for example. So if a Conficker-infected host gets introduced into the network, the SIM could correlate the IDS events with identified vulnerabilities, and point first responders to the systems that are most likely to be infected.

Keep in mind, free SIM options still require time to learn, configure, and tune. The same holds true for commercial solutions, but the current free and open source solutions suffer from a lack of documentation, making the initial setup and configuration a much more difficult process. However, several of the free solutions -- such as OSSIM and Prelude -- are backed by companies that can be contracted for support.

The first level of open source SIM-like solutions are basic event correlation tools; they include the Simple Event Correlator (SEC) and OSSEC HIDS. SEC is relatively bare-bones compared to the other tools, but it has a powerful correlation rule engine that allows it to monitor many different types of logs and identify events of interest. For example, it can identify a compromised user account in which a brute-force attack was first seen after a successful logon. (We'll look at OSSEC later in conjunction with another tool).

The next grouping of solutions are quite capable, and can be classified as true SIMs, but as mentioned before, documentation can be difficult to find and often equates to searching the Internet. OSSIM and PreludeIDS Technologies' Universal SIM are the premiere free, open source SIM solutions that include event collection, normalization, correlation, visualization, alerting, and much more.

Both OSSIM and Prelude are backed by companies that can provide support, and PreludeIDS also has commercial add-ons, such as a more advanced Web interface, data import for Nessus and IDMEF, enhanced database speed plug-in, and e-mail reporting. Each one has the support of approximately 50 different log sources, Web interfaces, and correlation engines.

The major differences between the two is that with OSSIM, you get all of the features "out of the box" without having to pay for additional add-ons. OSSIM is also very easy to install, thanks to an installer CD published by AlienVault. When the CD installation is complete, you have everything you need to start monitoring network traffic with Snort and Ntop -- scanning the network for hosts and inserting that information directly into the asset management system and more.

Two commercial vendors have released free versions of their SIM products for use with special restrictions. The first is Q1 Labs , which has created a VMware virtual appliance called QRadar SLIM FE. It can collect and correlate events from different devices in your network as long as those events are generated by syslog and do not exceed 50 events per second. Even with these limitations, though, it can give you an idea of what's available and prove to be a valuable proof-of-concept later for management when trying to acquire funding for a SIM.

The other freebie is Splunk, which is not what one might consider a traditional SIM because it doesn't normalize log data or have internal correlation rules. But paired with other tools, it can become a very powerful way to manage security information and detect events of interest. Splunk is often called the Google of logs, and many free Splunk Apps (add-ons for reporting, saved searches, alerts, and dashboards) have been created to extend Splunk in a way for it to be used as more than just a search engine.

The free version of Splunk can index up to 500 MB of logs per day, and can be paired with apps like Splunk for OSSEC and Splunk for Network Security. As mentioned earlier, OSSEC is an event-collection and correlation tool, but it does more, including file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response. As of version 1.06, events from OSSEC can be forwarded via a syslog server, such as the one included with Splunk. For more information, see the "Splunk + OSSEC Integration" article.

It doesn't matter whether your intentions are simply to explore if a free SIM is right for you, or to develop a proof-of-concept to get funding approval for a commercial solution: Free SIM alternatives are out there that are powerful and worth the time to consider.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.