There was a time when cutting-edge network security meant a firewall on your perimeter and anti-virus software on the desktop. No longer. With the advent of polymorphic Internet worms, application-layer attacks, Trojan horses, adware, spyware, and wireless hacks, the network security picture is more complicated than ever.
The multifaceted threatscape, coupled with a raft of new federal data security regulations, has driven network administrators to devote more rack space and money to security point products such as IDSes, IPSes, vulnerability scanning tools, application-layer firewalls, gateway anti-virus and anti-spam products, and identity and access management tools.
To bring order to the chaos of point products, some companies have begun offering SEM (security event management) or SIM (security incident management) technology. Originally intended to manage the glut of alerts and advisories spit out by IDSes and firewalls, SEM/SIM products are evolving into complex system management tools that monitor a wide range of products and supervise everything from vulnerability information to attack management and patching.
"Sign me up," you say? Not so fast, caution security-industry analysts and experts. Security management products are still in their infancy, and the bromide they offer isn't for everyone. Moreover, big changes may be in the works as more and more security products move to standards-based platforms. That means enterprises that think they need security management technology in-house may end up taking a costly detour if they don't already have a firm grasp of their IT security needs.
Security data glut
It's difficult to find an IT security expert who doesn't espouse the need for security management tools. "People are being buried by data," says Lance Braunstein, executive director at Morgan Stanley. "You've got this bucket of firewall logs, router logs, IDS logs -- megabytes of data a minute."
Managing that data is a pressing issue for network and system administrators, who are presented with unique challenges based on the size of their enterprises. "I can't think of any other application that requires me to look at gigabytes of data in real time," Braunstein says. The volume of data -- approximately 10MB per minute at Morgan Stanley -- makes any intelligent analysis harder, he adds.
SEM technology promises to tame that data by centralizing, correlating, and prioritizing log data from various devices, presenting it via sophisticated visualization features that make it easy for network admins to spot security vulnerabilities and evolving attacks.
Typically, SEM products work by gathering log data and logged events from the devices they support. The information is stored in files such as text-based system logs and SNMP traps, which are notifications generated by network devices of significant events, including startups, reboots, and authentication failures.
Because different products record logs and events in different ways, that information must be translated -- or normalized -- into a standard format used by the SEM device's correlation engine. Depending on the product being used, information capture and translation may be performed by a software client, or agent, residing on the monitored device or transmitted in raw format to a central collection point where it is normalized.
"You can have two different types of IDS products -- say Snort and Cisco. Both can detect a buffer overflow. But Snort might call it 'xyz,' whereas Cisco calls it 'wpq,' but it's the same attack," says Larry Lunetta, vice president of marketing at SEM vendor ArcSight Inc.
Surveying the threatscape
Companies such as ArcSight and netForensics Inc. offer hardware and software that connect the dots between different sets of security data, while supporting large deployments and sporting sophisticated security data capture, correlation, and visualization features.
netForensics' nFX product uses a network of collector devices spread throughout a company's enterprise to gather security data from devices, normalize the data, and aggregate events. It then forwards this information to a central correlation engine, where as many as 20,000 types of messages are boiled down to approximately 100 event types in nine event categories, says Patrick Guay, vice president of product management and marketing at netForensics.
Guay likens the company's architecture to a pyramid, with security devices making up the broad base. Information is passed up and refined at each stage until it is presented to operators at a SOC (secure operation center) or NOC (network operation center).
After data has been filtered, netForensics' visualization features display and highlight trends and events such as worm outbreaks -- showing which machines were infected and what other systems were infected as a result. That allows administrators to react more quickly than they could just by sifting through individual logs, cutting off access to infected systems, and applying patches where necessary.
ArcSight's product relies mostly on software "smart agents" to capture logged events and alerts from devices it manages by extracting detailed information from them, categorizing each event, and noting the source of the attack. That information is then encrypted and sent to the ArcSight Manager, a central server that stores the normalized data in an enterprise database and applies specific filters and correlation rules to the events.
As does netForensics' nFX, ArcSight normalizes security data -- boiling down diverse information into a common set of 200 fields -- and uses sophisticated graphics to display network status information on a console. Network administrators can link to data retrieved from other security systems such as network vulnerability scanners.
Big players move in
Computer Associates International Inc. and IBM Corp. have also invested heavily in SEM technology in recent years, expanding the reach of their respective Unicenter and Tivoli network management suites. These companies are adding value to existing capabilities -- including identity management, access management, configuration management, and user provisioning -- through integration with SEM components.
For example, IBM's Tivoli Risk Manager collects and filters information from more than 100 point security devices through standard SNMP or Web services events or through customized events created using tools provided by IBM, says Arvind Krishna, vice president of security and provisioning development at IBM Tivoli.
In addition, the company's Tivoli Security Compliance Manager automates software vulnerability scans on networks and compares the results of those scans to network security policies. Information collected from those products is then displayed, along with data from other network devices, on the Tivoli Enterprise Console.
Similarly, CA has been focusing development attention on its eTrust Security Command Center, which aggregates and correlates security data from other eTrust components, such as the eTrust Vulnerability Manager, or with third-party security products. The Command Center communicates directly with CA's Unicenter system management software, passing alerts and status information back and forth to an organization's network operations team, says Toby Weiss, CA's senior vice president of product management.
Due at the end of October, the new version of the Command Center will extend the reach of eTrust. It will add tighter integration with eTrust Network Forensics -- a CA product that allows organizations to capture all their network traffic for forensic analysis -- and eTrust 20/20, a product that integrates physical and IT security systems to correlate anomalous behavior.
The increasing interest in integrated SEM among security vendors of all sizes is just one symptom of a larger movement to combine a number of distinct but closely related security technologies -- such as patch management, vulnerability management, and incident management -- that have gained wide adoption in the enterprise in recent years.
The drive for greater integration also stems from a range of new federal and state regulations covering data integrity and privacy, such as Sarbanes-Oxley and California's SB1386. "You have a number of regulations that have emerged that say, 'You have to be looking for bad things in your environment, and when you notice them, you have to tell us about them and implement best practices,'" says John Summers, global director for managed security services at Unisys.
What's needed is a fusion between SEM or SIM products and data on asset criticality -- coupled with integrated functions such as identity and access management, user provisioning, change and configuration management, and software patch management.
A recent report by IDC called for a higher degree of integration between system and security management products, which would help centralize control over networks, require fewer IT staff members to manage, and allow administrators to better understand the relationship of security events to network availability, among other benefits.
Such a system could allow intelligence about a new security vulnerability that accompanies a software patch to be automatically linked to network policy management systems and be tested against existing ACLs (access control lists) used by firewalls and routers to thwart attacks, Morgan Stanley's Braunstein says. "Then all that information is logged, and you can do something intelligent with the logs. That's the real Holy Grail: a fully automated security lifecycle," he says.
Taking the long view
As it stands, products with that level of integration are three years to five years away. But companies are beginning to pull together some key pieces -- such as connecting the findings of vulnerability scans with security alerts and intelligence on software and hardware asset values -- so that companies can prioritize threats to critical systems.
"Say you have a system in an area sensitive to the Sarbanes-Oxley regulations, like a general ledger," ArcSight's Lunetta says. "If you're in the last two weeks of the quarter and (ArcSight's) analytics detects a highly threatening attack, it's going to recognize it as a high-priority event -- and also something associated with Sarbanes-Oxley -- and coach you to take steps to deal with it."
Lunetta calls that adding "business relevance" to SEM, a level of intelligence that a wide range of products now promise. ArcSight, netForensics, Network Intelligence Corp., and OpenService Inc. all offer SEM technology that performs asset correlation.
As for the hoped-for union of systems management and SEM/SIM products, companies today can enjoy some of the benefits of converged systems and security management, depending on which technology vendors they choose. BMC Software Inc. and Hewlett-Packard Co. have partnered with security vendors in order to integrate security technology into Remedy and OpenView, respectively.
In June, Symantec Corp. said its DeepSight Alert Services and Incident Manager would integrate with BMC's Remedy Help Desk and Action Request system, as part of BMC's Business Service Management program. The union would allow internal IT and security teams to communicate more efficiently and to resolve security incidents and vulnerabilities.
In pursuing its partner approach to OpenView, HP looks at the system management platform as "a framework where many different types of information are collected," says Tony Redmond, vice president and CTO of HP's security program office. "We're fully aware that there are companies who have well-developed (software) suites, but we've said, 'Let's go put our innovation elsewhere and reward the hard work that our partners have done.'"
Rather than add new SEM features and interface layers to OpenView, HP is content to let third-party vendors be sources of data to OpenView, which can digest the handful of significant events that emerge from millions of alerts.
Inching toward interoperability
Technology from vendors such as ArcSight, e-Security, and netForensics can exchange information with OpenView through software plug-ins, allowing OpenView to absorb events generated by those SEM products and enabling the SEM products to recognize network or system management events that originate in OpenView. Similarly, netForensics' products can send alarms that will be registered in OpenView systems.
But the level of integration between SEM/SIM products and systems management platforms is not uniform, limiting customers' choices. So, whereas ArcSight counts HP OpenView as a "platinum enterprise partner" and offers some integration with that system management platform, potential ArcSight customers who use Unicenter or Tivoli will have to travel a rougher road to integration, Lunetta says.
CA's Weiss says that his company has produced more than 100 integration kits to link third-party technology products to its eTrust platform and offers a toolkit for customers to integrate custom applications with eTrust.