Not only did the up-front costs of doing it in-house seem high -- SIM equipment can easily reach into the half-million dollar range -- but also Fuddruckers realized it would have to hire SIM experts to make it all work.
Largely based on information gleaned from conversations with peers, just over a year ago Pumphrey decided to try SIM as a managed service, selecting Trustwave to monitor about 500 log files at least once daily on behalf of Fuddruckers, triggering an alarm if suspicious events arise.
"Trustwave has a box we put in here," Pumphrey says, and logs are centralized and sent to Trustwave's data center via secure connections. Fuddruckers had to ensure its restaurants have sufficient bandwidth to support SIM as a service. But so far, it's worked well for PCI compliance purposes -- with Fuddruckers assuming a monthly cost based on numbers of software agents deployed as collectors.
"We see ourselves as a managed alternative to what customers might want to do themselves with ArcSight or Q1 Labs," says Dan Schleifer, senior product manager for managed security services at Trustwave, referring to two well-known SIM product vendors.
But Trustwave has essentially written its own SIM code, offering three basic tiers of service: a hosted SIM with automated alerting and processing; a daily analysis of what happened that day, with written reports; and real-time analysis of events, with "eyes on the screen."
Schleifer says for two years, SIM-as-a-service was merely a small "pocket area" for Trustwave, but is now "its fastest-growing managed service." One main driver is certainly rule No.10 in the PCI Data Security Standard, which requires not only log collection but also "a minimum once a day, you review those logs," he points out.
Some SIM managed service providers build their offerings based on SIM products from equipment vendors. That's the approach that service provider FishNet is taking, according to CEO Gary Fish.
"The service is built around the RSA EnVision and Q1 Labs," says Fish. The customer typically pays about $220,000 per year, largely based on the numbers of events recorded per second, though there may be other fees, too.
SIM-as-a-service is still a very small part of what FishNet does, but half a dozen customers, including St. Louis-based Arch Coal, the second largest U.S. coal producer, have signed up for SIM as a managed service. Tom Turner, vice president of marketing and sales at Q1 Labs, says it's comfortable partnering with a managed service provider such as FishNet, viewing the relationship "as potentially offering us a broader market."
SecureWorks is regarded by Gartner as a "pure play" SIM managed service provider, as opposed to a global service provider that offers SIM among a wider menu of services. The security firm is a veteran in the business, having started about a decade ago.