One CIP rule requires retaining logs for considerable time. And In general, it's necessary to be able to send out alerts related to failed long-in attempts. As part of this regulatory requirement, "NERC sends out teams to audit -- they pick a random date and say, "I want to see the logs,'" Moser says, noting NERC wants to know how the power plant detect and respond to anomalies.
Salt River Project narrowed down its search related to SIEM and log-management gear to vendors that include RSA with its enVision product, Splunk, LogLogic, ArcSight and Q1 Labs. After a production-level test period, Q1 Labs was selected since it "did a good job" in holding down the number of false positives. "There's not a lot of bogus stuff," Moser says.
Today, the Q1 Labs' QRadar can take feeds from a variety of IDS/IPS, firewalls, routers, switches, Web proxies, and Windows and AIX servers, with Salt River Project is expanding use of SIEM with monitoring application-system logs.
QRadar has been helpful in many trouble-shooting scenarios, Moser says, noting "if a cluster fails over, and the primary is down, it sends an alert." But he adds takes some work to set up a SIEM like QRadar to get the most from it. "If you want to get value out of it, it's time-consuming."
Read more about security in Network World's Security section.