There was a time when cutting-edge network security meant a firewall on your perimeter and anti-virus software on the desktop. No longer. With the advent of polymorphic Internet worms, application-layer attacks, Trojan horses, adware, spyware, and wireless hacks, the network security picture is more complicated than ever.
The multifaceted threatscape, coupled with a raft of new federal data security regulations, has driven network administrators to devote more rack space and money to security point products such as IDSes, IPSes, vulnerability scanning tools, application-layer firewalls, gateway anti-virus and anti-spam products, and identity and access management tools.
To bring order to the chaos of point products, some companies have begun offering SEM (security event management) or SIM (security incident management) technology. Originally intended to manage the glut of alerts and advisories spit out by IDSes and firewalls, SEM/SIM products are evolving into complex system management tools that monitor a wide range of products and supervise everything from vulnerability information to attack management and patching.
"Sign me up," you say? Not so fast, caution security-industry analysts and experts. Security management products are still in their infancy, and the bromide they offer isn't for everyone. Moreover, big changes may be in the works as more and more security products move to standards-based platforms. That means enterprises that think they need security management technology in-house may end up taking a costly detour if they don't already have a firm grasp of their IT security needs.
Security data glut
It's difficult to find an IT security expert who doesn't espouse the need for security management tools. "People are being buried by data," says Lance Braunstein, executive director at Morgan Stanley. "You've got this bucket of firewall logs, router logs, IDS logs -- megabytes of data a minute."
Managing that data is a pressing issue for network and system administrators, who are presented with unique challenges based on the size of their enterprises. "I can't think of any other application that requires me to look at gigabytes of data in real time," Braunstein says. The volume of data -- approximately 10MB per minute at Morgan Stanley -- makes any intelligent analysis harder, he adds.
SEM technology promises to tame that data by centralizing, correlating, and prioritizing log data from various devices, presenting it via sophisticated visualization features that make it easy for network admins to spot security vulnerabilities and evolving attacks.
Typically, SEM products work by gathering log data and logged events from the devices they support. That information takes forms such as text-based system logs and SNMP traps, which are notifications generated by network devices of significant events, including startups, reboots, and authentication failures.
Because different products record logs and events in different ways, that information must be translated -- or normalized -- into a standard format used by the SEM device's correlation engine. Depending on the product being used, information capture and translation may be performed by a software client, or agent, residing on the monitored device or transmitted in raw format to a central collection point where it is normalized.
"You can have two different types of IDS products -- say Snort and Cisco. Both can detect a buffer overflow. But Snort might call it 'xyz,' whereas Cisco calls it 'wpq,' but it's the same attack," says Larry Lunetta, vice president of marketing at SEM vendor ArcSight Inc.
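As an added illustration of the normalization step described above (example code, not from the article or from any vendor it names), the following Python maps two constructed sensor line formats and an SNMP-trap-style notification into one event schema, so that the two sensors' different names for the same buffer-overflow signature ("xyz-overflow-attempt" and "wpq" here, both constructed) collapse into one category before correlation:

```python
"""Normalize alerts from differently formatted sensors into one schema.
Added example; the line formats, signature names and mapping are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample feed: a syslog-style IDS line from "sensorA", a
# key=value line from "sensorB", and a trap-like notification from a router.
SAMPLE_FEED = [
    'Jun  3 10:15:02 ids1 sensorA: [1:2003:4] xyz-overflow-attempt '
    '{TCP} 10.0.0.5:43122 -> 10.0.0.12:80',
    'sensorB: sig="wpq" src=10.0.0.5 dst=10.0.0.12 dport=80 proto=tcp',
    'Jun  3 10:15:09 rtr1 trap: authenticationFailure agent=10.0.0.1',
]

# Vendor-specific event names -> common category (constructed mapping).
CATEGORY_MAP = {
    'xyz-overflow-attempt': 'buffer_overflow',
    'wpq': 'buffer_overflow',
    'authenticationFailure': 'auth_failure',
}

@dataclass(frozen=True)
class Event:
    source: str      # which sensor produced the raw line
    category: str    # normalized category used by the correlation engine
    src_ip: str
    dst_ip: str      # target host, or the reporting device for a trap
    raw_name: str    # the sensor's own name for the event

RE_A = re.compile(r'(?P<host>\S+) sensorA: \[[\d:]+\] (?P<name>\S+) \{\w+\} '
                  r'(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+')
RE_B = re.compile(r'sensorB: sig="(?P<name>[^"]+)" src=(?P<src>[\d.]+) '
                  r'dst=(?P<dst>[\d.]+)')
RE_TRAP = re.compile(r'(?P<host>\S+) trap: (?P<name>\w+) agent=(?P<src>[\d.]+)')

def normalize(line: str) -> Optional[Event]:
    """Translate one raw line into the common schema; None if unrecognised."""
    for source, rx in (('sensorA', RE_A), ('sensorB', RE_B), ('trap', RE_TRAP)):
        m = rx.search(line)
        if m:
            g = m.groupdict()
            dst = g.get('dst') or g.get('host', '')
            return Event(source, CATEGORY_MAP.get(g['name'], 'unknown'),
                         g['src'], dst, g['name'])
    return None

def aggregate(lines):
    """Count normalized events per (category, src_ip) across all sensors."""
    events = [e for e in map(normalize, lines) if e]
    return Counter((e.category, e.src_ip) for e in events)
```

Once both sensors' alerts share a category, the correlation engine can count them as one attack from one source rather than two unrelated signatures.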
Surveying the threatscape
Companies such as ArcSight and netForensics Inc. offer hardware and software that connect the dots between different sets of security data, while supporting large deployments and sporting sophisticated security data capture, correlation, and visualization features.
netForensics' nFX product uses a network of collector devices spread throughout a company's enterprise to gather security data from devices, normalize the data, and aggregate events. It then forwards this information to a central correlation engine, where as many as 20,000 types of messages are boiled down to approximately 100 event types in nine event categories, says Patrick Guay, vice president of product management and marketing at netForensics.
Guay likens the company's architecture to a pyramid, with security devices making up the broad base. Information is passed up and refined at each stage until it is presented to operators at a SOC (security operations center) or NOC (network operations center).
After data has been filtered, netForensics' visualization features display and highlight trends and events such as worm outbreaks -- showing which machines were infected and what other systems were infected as a result. That allows administrators to react more quickly than they could by sifting through individual logs: cutting off access to infected systems and applying patches where necessary.
ArcSight's product relies mostly on software "smart agents" to capture logged events and alerts from devices it manages by extracting detailed information from them, categorizing each event, and noting the source of the attack. That information is then encrypted and sent to the ArcSight Manager, a central server that stores the normalized data in an enterprise database and applies specific filters and correlation rules to the events.
As does netForensics' nFX, ArcSight normalizes security data -- boiling down diverse information into a common set of 200 fields -- and uses sophisticated graphics to display network status information on a console. Network administrators can link to data retrieved from other security systems such as network vulnerability scanners.
Big players move in
Computer Associates International Inc. and IBM Corp. have also invested heavily in SEM technology in recent years, expanding the reach of their respective Unicenter and Tivoli network management suites. These companies are adding value to existing capabilities -- including identity management, access management, configuration management, and user provisioning -- through integration with SEM components.
For example, IBM's Tivoli Risk Manager collects and filters information from more than 100 point security devices through standard SNMP or Web services events or through customized events created using tools provided by IBM, says Arvind Krishna, vice president of security and provisioning development at IBM Tivoli.
In addition, the company's Tivoli Security Compliance Manager automates software vulnerability scans on networks and compares the results of those scans to network security policies. Information collected from those products is then displayed, along with data from other network devices, on the Tivoli Enterprise Console.
Similarly, CA has been focusing development attention on its eTrust Security Command Center, which aggregates and correlates security data from other eTrust components, such as the eTrust Vulnerability Manager, or with third-party security products. The Command Center communicates directly with CA's Unicenter system management software, passing alerts and status information back and forth to an organization's network operations team, says Toby Weiss, CA's senior vice president of product management.
Due at the end of October, the new version of the Command Center will extend the reach of eTrust. It will add tighter integration with eTrust Network Forensics -- a CA product that allows organizations to capture all their network traffic for forensic analysis -- and eTrust 20/20, a product that integrates physical and IT security systems to correlate anomalous behavior.
The increasing interest in integrated SEM among security vendors of all sizes is just one symptom of a larger movement to combine a number of distinct but closely related security technologies -- such as patch management, vulnerability management, and incident management -- that have gained wide adoption in the enterprise in recent years.
The drive for greater integration also stems from a range of new federal and state regulations covering data integrity and privacy, such as Sarbanes-Oxley and California's SB1386. "You have a number of regulations that have emerged that say, 'You have to be looking for bad things in your environment, and when you notice them, you have to tell us about them and implement best practices,'" says John Summers, global director for managed security services at Unisys.
What's needed is a fusion between SEM or SIM products and data on asset criticality -- coupled with integrated functions such as identity and access management, user provisioning, change and configuration management, and software patch management.
A recent report by IDC called for a higher degree of integration between system and security management products, which would help centralize control over networks, require fewer IT staff members to manage, and allow administrators to better understand the relationship of security events to network availability, among other benefits.
Such a system could allow intelligence about a new security vulnerability that accompanies a software patch to be automatically linked to network policy management systems and be tested against existing ACLs (access control lists) used by firewalls and routers to thwart attacks, Morgan Stanley's Braunstein says. "Then all that information is logged, and you can do something intelligent with the logs. That's the real Holy Grail: a fully automated security lifecycle," he says.
Taking the long view
As it stands, products with that level of integration are three years to five years away. But companies are beginning to pull together some key pieces -- such as connecting the findings of vulnerability scans with security alerts and intelligence on software and hardware asset values -- so that companies can prioritize threats to critical systems.
"Say you have a system in an area sensitive to the Sarbanes-Oxley regulations, like a general ledger," ArcSight's Lunetta says. "If you're in the last two weeks of the quarter and (ArcSight's) analytics detects a highly threatening attack, it's going to recognize it as a high-priority event -- and also something associated with Sarbanes-Oxley -- and coach you to take steps to deal with it."
Lunetta calls that adding "business relevance" to SEM, a level of intelligence that a wide range of products now promise. ArcSight, netForensics, Network Intelligence Corp., and OpenService Inc. all offer SEM technology that performs asset correlation.
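As an added example of the asset correlation and "business relevance" scoring described above (constructed code, not ArcSight's or any other vendor's), this Python weights a normalized event's severity by an assumed asset criticality, tags events that hit an assumed SOX-scoped general ledger host, and raises their priority during the last two weeks of a quarter:

```python
"""Add asset criticality and regulatory context to a normalized SEM event.
Added example; inventory, weights and the quarter-end rule are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed asset inventory: criticality 1 (low) to 5 (high) and the
# regulations each asset falls under.
ASSETS = {
    '10.0.0.12': {'name': 'web-dev', 'criticality': 2, 'regs': ()},
    '10.0.0.40': {'name': 'general-ledger', 'criticality': 5, 'regs': ('SOX',)},
}

# Constructed severity per normalized category (the output of normalization).
SEVERITY = {'buffer_overflow': 4, 'auth_failure': 2, 'unknown': 1}

@dataclass
class Prioritized:
    dst_ip: str
    score: int
    tags: tuple
    advice: str

def quarter_end_window(day: date, days: int = 14) -> bool:
    """True if `day` falls within the last `days` days of a calendar quarter."""
    q_end_month = ((day.month - 1) // 3 + 1) * 3
    # The day before the first day of the next quarter is the quarter's end.
    if q_end_month == 12:
        q_end = date(day.year, 12, 31)
    else:
        q_end = date(day.year, q_end_month + 1, 1) - timedelta(days=1)
    return (q_end - day).days < days

def prioritize(category: str, dst_ip: str, day: date) -> Prioritized:
    """Score = severity x asset criticality, doubled for SOX hosts at quarter end."""
    asset = ASSETS.get(dst_ip, {'name': 'unknown', 'criticality': 1, 'regs': ()})
    score = SEVERITY.get(category, 1) * asset['criticality']
    tags = list(asset['regs'])
    advice = 'log and review'
    if 'SOX' in tags and quarter_end_window(day):
        score *= 2  # constructed weight for the financial close period
        tags.append('quarter-end')
        advice = 'escalate to SOX control owner; isolate host; preserve logs'
    elif score >= 15:
        advice = 'escalate to security operations'
    return Prioritized(dst_ip, score, tuple(tags), advice)
```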
As for the hoped-for union of systems management and SEM/SIM products, companies today can enjoy some of the benefits of converged systems and security management, depending on which technology vendors they choose. BMC Software Inc. and Hewlett-Packard Co. have partnered with security vendors in order to integrate security technology into Remedy and OpenView, respectively.
In June, Symantec Corp. said its DeepSight Alert Services and Incident Manager would integrate with BMC's Remedy Help Desk and Action Request system, as part of BMC's Business Service Management program. The union would allow internal IT and security teams to communicate more efficiently and to resolve security incidents and vulnerabilities.
In pursuing its partner approach to OpenView, HP looks at the system management platform as "a framework where many different types of information are collected," says Tony Redmond, vice president and CTO of HP's security program office. "We're fully aware that there are companies who have well-developed (software) suites, but we've said, 'Let's go put our innovation elsewhere and reward the hard work that our partners have done.'"
Rather than add new SEM features and interface layers to OpenView, HP is content to let third-party vendors be sources of data to OpenView, which can digest the handful of significant events that emerge from millions of alerts.
Inching toward interoperability
Technology from vendors such as ArcSight, e-Security, and netForensics can exchange information with OpenView through software plug-ins, allowing OpenView to absorb events generated by those SEM products and enabling the SEM products to recognize network or system management events that originate in OpenView. Similarly, netForensics' products can send alarms that will be registered in OpenView systems.
But the level of integration between SEM/SIM products and systems management platforms is not uniform, limiting customers' choices. So, whereas ArcSight counts HP OpenView as a "platinum enterprise partner" and offers some integration with that system management platform, potential ArcSight customers who use Unicenter or Tivoli will have to travel a rougher road to integration, Lunetta says.
CA's Weiss says that his company has produced more than 100 integration kits to link third-party technology products to its eTrust platform and offers a toolkit for customers to integrate custom applications with eTrust.
But organizational conflicts, rather than technical gaps, may be the biggest obstacle to greater integration of security management and systems management technology, says Chris Christiansen, vice president of security products at IDC. "You've got lots of people who have based their entire careers in certain areas, and they're not anxious to give that up," he says. For example, systems management staff are reluctant to give up control of automatic configuration and patch deployment to systems run by security management groups.
"If you're a sys admin, you're going to be territorial about the systems you manage," Morgan Stanley's Braunstein says. "You don't want lots of people with root or enable (privileges)." Although they might not be able to simply merge network security and network operations groups, companies can improve the way these groups manage systems and the data they generate, making central control and automatic provisioning more than just a pipe dream.
Security from all sides
Fiscal austerity is one of the main motivations for consolidating security functions, as enterprises look for ways to manage their network without adding head count. "Companies just don't have the budget to hire people at the rate that they're adding new hardware," netForensics' Guay says. "The days of having separate IDS and firewall support teams are gone."
For companies interested in better network security management but wary about making a major IT investment amid so much change, MSSPs (managed security services providers) offer an appealing option. Such services offload the difficult management and integration problem to security experts and allow companies to aggregate security information from hundreds or thousands of security devices, providing better information on emerging security threats.
In the end, however, there's no silver bullet for the security management problem. All-encompassing SEM solutions work for some organizations but not others. "To some extent, the multiplicity of answers is applicable to the complex nature of the problem. Some people might see (security management) as a chaotic situation, but others just see multiple ways of getting to the same solution," IDC's Christiansen says.
For companies exploring SEM/SIM technology, IBM's Krishna advises a measured approach. "People try to do too much," he says. "It's like trying to juggle 50 balls. We tell our customers, 'You can do all these hundreds of things, but let's be focused and do two. We'll get those under our belt, then do two more.'"
In search of security event standards
No standard data format yet exists for end points to report security events. But the industry is trying -- using partnerships rather than standards bodies.
Integrating SEM (security event management) technology with existing security and system management infrastructure can be a hair-raising experience. Security point products such as IDSes, anti-virus gateways, and vulnerability scanners tend to use proprietary formats for reporting, recording network events, and issuing alerts. And the standard formats that do exist -- such as SNMP and syslog files -- are limited in what they can convey.
Today, SEM vendors get around the limitations by relying on custom plug-ins or software agents for each security or system management product they want to interact with. For example, Computer Associates has more than 100 integration kits that allow its eTrust Security Command Center to digest data from third-party security software. Most vendors also offer tools or services to integrate information from unsupported products or custom software applications.
To simplify integration and management, universally accepted standards are required so that network end points, security products, and system management platforms can speak a common language. "An event's not meaningful if we can't define it. We need a well-defined schema and standards so that any system can generate an auditable event, then have (another system) receive it, classify it, store it, and do analysis," says Arvind Krishna, vice president of security and provisioning development at IBM Tivoli.
"The day we open Web services interfaces to these (security) devices, everything becomes a lot easier because I don't need to agree with you about what an event is," Krishna says. Although such standards have yet to reach the drawing board, industry partnerships are attempting to force security products, networking infrastructure, and clients to play nice.
Trusted Computing Group Trusted Network Connect: A proposed standard for creating an open architecture, Trusted Network Connect seeks to promote end-point standards for communicating the status of operating system updates, anti-virus and IDS signatures, and application patches. Participating vendors include Foundry Networks Inc., InfoExpress Inc., Juniper Networks Inc., McAfee Inc., and Symantec.
Cisco Network Admission Control: This program is part of Cisco's Self-Defending Network strategy and pairs the company with security stalwarts such as Computer Associates, IBM, McAfee, Symantec, Trend Micro Inc., and the latest member, Microsoft Corp. The program is designed to build bridges that allow security products to communicate directly with Cisco routers, switches, and access-control servers.
Microsoft Network Access Protection: A policy-enforcement platform for Windows Server, Network Access Protection will create a uniform method of determining the "health state" of a computer attempting to access a network. Computer Associates, Extreme Networks Inc., Hewlett-Packard, Juniper Networks, McAfee, Symantec, and Trend Micro are on board.