Ciscoworks Security Information Management Solution (SIMS)
Data becomes valuable information when it can be easily understood and acted upon. Security event information is no different. In order to help users identify threats and respond to them faster, Security Information-Management (SIM) solutions must provide a range of information views to help security analysts identify threats and understand their full impact so complete mitigation can occur. Therefore, analysts must have advanced visual tools that provide high-level views of network activity based on their own reporting parameters, while allowing them to dynamically drill down to identify specific areas of vulnerability across the network.
The CiscoWorks Security Information Management Solution (SIMS) from Cisco Systems® provides dynamic, high-level views of security information, in addition to real-time monitoring, reporting, charting, analytics, monitoring, and real-time alerting functions. This powerful combination allows security personnel to navigate through the glut of real-time and historical security information with ease to reduce response times, distinguish false positives from credible threats, and better manage risk.
THE CHALLENGE: INFORMATION OVERLOAD
The first generation of CiscoWorks SIMS was a major step forward in creating a unified environment for managing disparate security event data from a wide range of network and security devices. Consolidating the information and providing some level of reporting against it enabled security organizations to begin to rationalize and control the large volume of security events in their enterprise.
However, these solutions did not do enough to provide insight into the events to help analysts assimilate the information quickly. As correlation capabilities improved, so did event prioritization and notification-but the ability for users to comprehend the large volume of data quickly did not. Second-generation SIM tools continued to rely mainly on two limited methods of presenting information-the event console and tabular reports-with some basic charting capabilities added.
Event consoles do very little to help users keep up with information. The stream of real-time events across a large enterprise is overwhelming, even with color coding to indicate prioritization. Although the emergence of dashboard views has obviated this problem to some extent, very few enterprises can afford to keep a dashboard staffed constantly, and although dashboards are helpful in alerting analysts to the presence of a potential problem, they are not as useful when it comes to pinpointing specific problems.
Tabular reports provide an increased level of insight over the console by letting the user organize data in specific ways, but as anyone who has looked for information on a spreadsheet can attest-spreadsheets are extremely granular, and identifying relationships on a macro level and then exploring them is difficult.
THREAT VISUALIZATION AND NEXT-GENERATION SIM
Advanced threat visualization has greatly increased the value of information captured by SIM solutions, and is critical to maximizing the performance of the security organization. By providing drillable, high-level views of threat activity across an extended enterprise and its physical network and improved charting capabilities based on special analytics, a SIM solution can transform the way security teams work.
CiscoWorks SIMS allows companies to use new visual tools on top of tabular reports and sophisticated analytics to assimilate information faster, differentiate false positives from real threats, understand the exact nature and scope of a threat, and make sure that vulnerabilities are mitigated before a threat can proliferate. CiscoWorks SIMS delivers a comprehensive range of visual tools to help security analysts work the way they think.
CiscoWorks SIMS provides the following threat visualization capabilities to help security practitioners rationalize the large number of security events created in today's business climate.
• The Link Map feature allows analysts to visualize relationships among different assets under attack to identify the target, type, and method of attack. Analysts can immediately see the course of an attack in real time as it propagates across a network. Playback controls allow users to recreate the attack so they can determine the full extent of vulnerabilities and anticipate where an attack is heading. Analysts can drill down on a specific asset at any time to get more specific information (Figure 1).
Figure 1. Link Map
• The Geo Map allows analysts and operators to track events by country and city, flag suspicious traffic from specific countries, and pinpoint suspicious sources down to a specific longitude and latitude (Figure 2).
Figure 2. Geo Map
• Expanded charting capabilities give users more visual references that are easy to understand. Users now have a wider range of custom charting options to help identify threats and present summary views of data to management. User can drill down the graph detail and links for further detail exploration.
• The device status view gives analysts a real-time visibility into the status of devices across the network, making device count charts easier to view and analyze. The device status view also helps enable centralized configuration of devices (Figure 3).
Figure 3. New Chart View
FULLY INTEGRATED ANALYTICS AND REPORTING DELIVERS POWERFUL INSIGHT
CiscoWorks SIMS contains powerful next-generation reporting and analytics. Flexible reporting capabilities provide an excellent starting point for further analysis using analytics and visual tools. Integrated analytics give users comprehensive security information using multiple dimensions of data in a pivot table format. The results are also presented visually in charts that accompany the dataset. CiscoWorks SIMS provides the following reporting and analytic features to complement data visualization:
• Analytics make base reporting data valuable by allowing users to perform further specific analysis.
• Data-mining functions let security personnel analyze raw event data based on specific criteria to identify anomalous incidents. As a result, security analysts can pinpoint details that were previously undetectable.
• Analysts gain detailed views of specific actions over any given time period.
• Reporting functions allow users to easily integrate real-time and historical information to spot emerging trends, while enabling users to reuse the same dataset across all views.
• Support for custom report development allows security teams to generate reports on the information most vital to their organization.