NitroView ESM/ELM 4000
Strengths: Classy management interface, real-time data analysis, in-context views, event correlation policies, unlimited log sources, compliancy reports
Weaknesses: No local storage for raw log data, basic notifications, policy creation can be complex
Verdict: A complete log data management solution offering in-depth, real-time data analysis
NitroSecurity's NitroView ESM/ELM 4000 provides an all-in-one solution for collecting, analysing and correlating all log data and events for regulatory compliance.
A key feature is NitroSecurity's proprietary database, which provides high-performance data analysis and is much faster than SQL-based SIEM products. For the 4000 appliance, it can store one billion rows, and its data aggregation feature reduces the need to share duplicate records.
The 4000 appliance is a well-specified, if somewhat noisy, 1U Supermicro rack server, and combines the NitroView ESM (Enterprise Security Manager), ELM (Enterprise Log Manager) and Receiver components. The 4000 doesn't provide local storage for raw log data, so you need to set aside your own external storage, which can be a network share or, with an optional adapter card, an FC SAN. It can handle 1,000 events per second, and it's worth noting that not only can it take data from any log source but, unlike with vendors such as LogLogic, there are no licence restrictions on the number of sources supported.
Compliancy reporting for all key regulations, such as PCI-DSS, HIPAA, SOX and FISMA, is included as standard. The product also supports the optional NitroView ADM (Application Data Monitor), DBM (Database Monitor) and IPS appliances.
We assigned fixed IP addresses to the 4000 from its front panel. Then it was over to the ESM's secure web interface, which we found very well designed. NitroSecurity has eschewed Java in favour of Flash, saying it's faster and more easily customised using drag and drop.
All devices are displayed in the left pane, to which you add your log data sources. The process isn't as smart as LogLogic's auto device identification, as it's mainly a manual process, but large numbers of devices can be imported using a CSV file. SNMP and WMI data can be retrieved from Windows systems, but an agent can also be manually deployed to pull in event log data; the agent communicates with the appliance over encrypted links.
The NitroView interface provides a drop-down menu for accessing an extensive range of views. These make the log data very accessible, as you can quickly pull up views on events, flows, specific areas of compliancy, executive reports and so on. Views can be customised by selecting from a range of charts, graphs and tables and choosing what to associate with them. We also found the in-context navigation useful, as you can choose any device in the left pane and the view is updated to show its specific details.
Graphs can be linked, and selecting a detail in one of the views will cause all the associated graphs and tables to change. Filters can be added to refine the information shown, and each view within the main pane has a quick-access menu for more information.
NitroView alerted us to some dubious login activity on our network, so we could select the alert type and see all the events under this category. We picked the one of interest and could see all details about the system causing the events, view the session data and packet information, and see which policy rule caused the alert.
The appliance immediately starts baselining the network, and once it has a good idea of normal network behaviour, it can use its policies and rules to alert you to odd activity or security threats. Policies determine the behaviour of the appliance, and you get a comprehensive predefined policy out of the box. This is fortunate, as policy creation can get complex due to the number of choices, and we found we could wait up to a minute for the policy editor to load all the standard deep packet inspection rules ready for selection.
Correlation policies are used to link together groups of events that may represent unusual data-flow patterns. An editor makes light work of policy creation, as you use drag and drop to add components, which include AND, OR and SET logic elements, filters, data sources, destinations and time periods.
Predefined correlation policies include those that look out for security issues such as scans, worm activity, SQL injection attacks and login problems. However, notification choices are basic as NitroView can only log to file and send an SNMP trap, syslog event or email, although the next version should add features such as SMS and ticket generation.
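To make the correlation-policy model concrete, here is a small Python correlator added as an illustration for this review. It is not NitroSecurity's code and does not reproduce NitroView's policy format (which the review does not document); it simply shows the same building blocks the editor exposes: field filters combined with AND/OR logic, and a SET element that fires when a threshold of matching events from the same source falls inside a time window, in the style of the predefined "login problems" policy. The syslog-style log lines, field names, threshold and window are all constructed for the example.

```python
"""Toy event correlator: AND/OR filters plus a windowed SET threshold.

Added example, not NitroView's policy engine. The log lines below are
constructed sample data, not captured from any real system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <host> <source> key=value ...".
SAMPLE_LOGS = """\
2010-03-01T09:00:01 fw01 auth src=10.1.1.5 user=alice result=fail
2010-03-01T09:00:12 fw01 auth src=10.1.1.5 user=alice result=fail
2010-03-01T09:00:25 fw01 auth src=10.1.1.5 user=bob result=fail
2010-03-01T09:00:40 fw01 auth src=10.1.1.5 user=carol result=fail
2010-03-01T09:00:55 fw01 auth src=10.1.1.5 user=dave result=fail
2010-03-01T09:01:10 fw01 auth src=10.1.1.5 user=eve result=fail
2010-03-01T09:03:00 fw01 auth src=10.1.1.9 user=alice result=success
2010-03-01T09:20:00 fw01 auth src=10.1.1.7 user=frank result=fail
"""


def parse(line):
    """Turn one constructed log line into a dict of fields."""
    ts, host, source, *kvs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "host": host, "source": source}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


# Filter components: each returns a predicate over an event dict.
def field(name, value):
    return lambda e: e.get(name) == value


def AND(*preds):
    return lambda e: all(p(e) for p in preds)


def OR(*preds):
    return lambda e: any(p(e) for p in preds)


class SetRule:
    """SET element: alert when >= threshold matching events share `key`
    within a sliding `window`. State is per rule instance."""

    def __init__(self, name, match, key, threshold, window):
        self.name, self.match, self.key = name, match, key
        self.threshold, self.window = threshold, window
        self.buckets = defaultdict(deque)  # key value -> timestamps

    def feed(self, event):
        if not self.match(event):
            return None
        bucket = self.buckets[event.get(self.key)]
        bucket.append(event["ts"])
        # Evict timestamps that have fallen out of the window.
        while bucket and event["ts"] - bucket[0] > self.window:
            bucket.popleft()
        if len(bucket) >= self.threshold:
            count = len(bucket)
            bucket.clear()  # fire once, then start a fresh window
            return {"policy": self.name, self.key: event.get(self.key),
                    "count": count, "last_seen": event["ts"].isoformat()}
        return None


# Hypothetical policy: a failed authentication is an auth event whose
# result is "fail" OR "denied"; five such events from one source within
# two minutes raise an alert.
FAILED_LOGIN = AND(field("source", "auth"),
                   OR(field("result", "fail"), field("result", "denied")))


def make_rules():
    """Fresh rule instances so each correlation run starts with empty state."""
    return [SetRule("login problems: repeated failures", FAILED_LOGIN,
                    key="src", threshold=5, window=timedelta(minutes=2))]


def correlate(log_text, rules):
    """Feed each parsed event to every rule; collect the alerts raised."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        for rule in rules:
            alert = rule.feed(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, make_rules()):
        print(alert)
```

Run over the sample, the rule fires once, for the five failures from 10.1.1.5 between 09:00:01 and 09:00:55; the lone failure from 10.1.1.7 and the later success never reach the threshold. The alert dict is the point at which a product like NitroView would hand off to its notification channels (log file, SNMP trap, syslog or email).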
Reporting facilities are excellent and include a range of executive summaries and options for all compliancy regulations. Custom reports can be created easily and run regularly, manually or when the baseline threshold is exceeded. Report layouts can also be viewed and new ones created easily.
The 4000 delivers a complete log data management solution that performs extremely well. The inclusion of compliancy reporting adds value, but what really makes it stand out is the highly versatile NitroView console interface.