Calm amidst the storm

Security information management tools help juggle threat data

RFP CHECKLIST: Security information management

Looking to roll out a security information management solution? Experts said you should:

» Begin with the end in mind. Ask what you want to achieve with a security information management system. Pay attention to the workflow between security and operations teams, and the reporting requirements of federal regulators such as the Homeland Security Department's US-CERT. Business process, not network architecture, is what drives such a system.

» Outline additional, survivable storage infrastructure that may be needed to keep security information management data not only available to security analysts but also archived for compliance. You might need to design a storage hierarchy and buy new RAID devices, storage area networks and appliances to ensure data is available for security and compliance purposes.

» Ask vendors how their products use caching, failover and redundancy to respond to a database crash. Don't overbuy if your customer's needs are modest enough to be served by an affordable appliance that doesn't have failover features.

» Choose the database wisely. Most vendors offer so-called open-standards databases, such as Oracle Database, but some may keep their programming hooks private. Some claim their proprietary databases have performance and analytical advantages over generic relational databases.

» Make sure the product can collect all relevant data, not only from intrusion detection systems, firewalls and other security devices, but also from operating systems and both custom and commercial applications. If there's no pre-built connector for a data source, take a look at vendors' integration wizards and support services.

» Ask vendors how easy it is to customize correlation rules for a unique environment.

» Scrutinize scalability. In addition to handling your customer's load of security events (probably a bytes- or events-per-second number that you know), solutions should scale up and out to meet anticipated growth.

» Ask vendors to explain the assumptions behind their performance metrics, as they can vary. Rule of thumb: The more devices to monitor, the heavier the data load. Once chosen, a vendor will work closely with your customers.

» Look for a healthy complement of canned report formats for key compliance regulations, especially the Federal Information Security Management Act, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act.

» Watch for version dissonance between your customers' security devices and the security information management product. If they've recently upgraded an intrusion detection system, for example, make sure the vendor supports it or has plans to do so.

Michael Bechetti

Bill Geimer has a big, big security problem, a planet-sized security problem, at the U.S. Agency for International Development.

"We have a worldwide network in more than 70 different locations, in some of the most underdeveloped countries in the world," said Geimer, program manager in the agency's chief information security office. More than 100 firewalls and dozens of intrusion detection systems watch for threats.

In search of a centralized system to make sense of its data, USAID began investigating security information management products. The agency's need for security information management was for the obvious reasons: collecting, aggregating and correlating data from disparate vendors, Geimer said.

USAID chose the nFX Open Security Platform from netForensics Inc., Edison, N.J. It may be an oversimplification to attribute all of USAID's success to security information management, but it was the only agency to earn an A on the Federal Computer Security Report Card in both 2004 and 2005.

Although USAID was among the early adopters, other federal agencies have moved to full-scale implementations of security information management in just the past year. And it's more than post-Sept. 11 paranoia that's driving government toward security information management. Privacy and security regulations, such as the Federal Information Security Management Act, the Gramm-Leach-Bliley Act of 1999, and the Health Insurance Portability and Accountability Act, prescribe strict guarantees that information is secure and private.

That also means keeping electronic security records safe and accessible for examination by regulators and for use as evidence. "Government agencies have deployed myriad security technologies, and now they want to get their arms around that information," said Ashesh Kamdar, group product manager for Symantec Corp., a security software vendor that sells security information management appliance hardware.

Cost savings are another demand driver, as agencies take a hard look at their growing labor budgets for security and network management.

"These tools help them get out of the grunt work," Kamdar said, referring in part to the laborious manual analysis of security event logs.

That is exactly the situation Glen Sharlun found in 2003 when he was head of the Marine Corps Network Operations and Security Command.

"We had a data overload problem," he said. Too many people were doing computer work, and manually examining security logs for evidence of significant events was inefficient.

After talking with government peers about why they chose or replaced their security information management systems, Sharlun chose the Enterprise Security Manager (ESM) from ArcSight Inc. of Cupertino, Calif.

The solution helped free security analysts to make decisions on threats, then respond using ESM's workflow and time-stamping features as well as Houston-based BMC Software Inc.'s Remedy help-desk software.

"Most of the information coming across a firewall is noise," said Tracy Hulver, director of product management for netForensics. "The first thing security information management does is take all those messages and filter them down."

What ultimately distinguishes security information management is its ability to paint a more complete, risk-adjusted assessment of an agency's security profile. Its sensitivity to the business values of IT assets can, for example, prevent security teams from wasting hours eradicating worms from a mobile worker's laptop while a denial-of-service attack is exploding on the mail server.
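The two ideas in the quotes above, filtering firewall noise down and then weighting what remains by the business value of the asset involved, are what a correlation engine actually does. The following is an added illustration written for this article, not code from netForensics, ArcSight or any other vendor; the log formats, signature names, asset inventory and scoring weights are all constructed. It normalizes lines from two device types into one schema, drops isolated perimeter denies while collapsing repeated ones into a scan event, groups the survivors into incidents, and ranks them so a flood against the mail server outranks a worm on a laptop.

```python
"""Toy SIM pipeline: normalize, filter, correlate and prioritize events.

Added illustration only; it is not netForensics', ArcSight's or any other
vendor's code. Log formats, signatures, asset names and scoring weights
are all constructed for this example.
"""
import re
from collections import defaultdict

# Constructed asset inventory. "value" is business criticality, 1 (low) to 5 (high).
ASSETS = {
    "10.0.0.25": {"name": "mail-server", "value": 5},
    "10.0.0.40": {"name": "hr-database", "value": 4},
    "10.0.7.112": {"name": "laptop-jdoe", "value": 1},
}

# Constructed signature knowledge base: which side of the flow is the
# affected asset. A worm scan implicates the infected source; a flood
# or a port scan implicates its target.
SIGNATURES = {
    "WORM-SCAN": {"affected": "src"},
    "SYN-FLOOD": {"affected": "dst"},
    "PORT-SCAN": {"affected": "dst"},
}

# Constructed sample lines in two device-specific formats.
SAMPLE_LOGS = [
    "FW deny src=203.0.113.9 dst=10.0.0.25 dport=23",
    "FW allow src=203.0.113.9 dst=10.0.0.25 dport=25",
    "FW deny src=198.51.100.4 dst=10.0.0.40 dport=445",
    "FW deny src=192.0.2.77 dst=10.0.0.40 dport=21",
    "FW deny src=192.0.2.77 dst=10.0.0.40 dport=22",
    "FW deny src=192.0.2.77 dst=10.0.0.40 dport=23",
    "IDS sig=WORM-SCAN src=10.0.7.112 dst=10.0.0.40 sev=3",
    "IDS sig=WORM-SCAN src=10.0.7.112 dst=10.0.0.25 sev=3",
    "IDS sig=SYN-FLOOD src=203.0.113.9 dst=10.0.0.25 sev=4",
    "IDS sig=SYN-FLOOD src=203.0.113.9 dst=10.0.0.25 sev=4",
    "IDS sig=SYN-FLOOD src=203.0.113.9 dst=10.0.0.25 sev=4",
]

KV = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Map one raw line onto a common event schema regardless of device."""
    device, rest = line.split(" ", 1)
    fields = dict(KV.findall(rest))
    if device == "FW":
        action = rest.split(" ", 1)[0].upper()
        return {"device": "firewall", "sig": "FW-" + action, "severity": 1, **fields}
    if device == "IDS":
        return {"device": "ids", "severity": int(fields.pop("sev")), **fields}
    return None  # unknown format: a product would hand this to its parser wizard


def filter_noise(events, scan_threshold=3):
    """Drop routine perimeter traffic.

    Allowed flows and isolated denies are the firewall doing its job.
    Denies from one source to one destination that reach scan_threshold
    are collapsed into a single PORT-SCAN event so the pattern survives.
    """
    kept, denies = [], defaultdict(list)
    for ev in events:
        if ev["device"] != "firewall":
            kept.append(ev)
        elif ev["sig"] == "FW-DENY":
            denies[(ev["src"], ev["dst"])].append(ev)
    for (src, dst), group in denies.items():
        if len(group) >= scan_threshold:
            kept.append({"device": "firewall", "sig": "PORT-SCAN", "severity": 2,
                         "src": src, "dst": dst, "count": len(group)})
    return kept


def correlate(events):
    """Group events into incidents keyed by (signature, affected asset)."""
    incidents = {}
    for ev in events:
        side = SIGNATURES.get(ev["sig"], {}).get("affected", "dst")
        key = (ev["sig"], ev[side])
        inc = incidents.setdefault(key, {"sig": ev["sig"], "asset": ev[side],
                                         "severity": ev["severity"], "count": 0})
        inc["count"] += ev.get("count", 1)
    return list(incidents.values())


def prioritize(incidents):
    """Risk-adjust: severity x asset value x event volume, highest first.
    An asset missing from the inventory gets value 1 so it is still reported."""
    for inc in incidents:
        asset = ASSETS.get(inc["asset"], {"name": inc["asset"], "value": 1})
        inc["asset_name"] = asset["name"]
        inc["score"] = inc["severity"] * asset["value"] * inc["count"]
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def run(lines=SAMPLE_LOGS):
    events = [e for e in map(normalize, lines) if e]
    return prioritize(correlate(filter_noise(events)))


if __name__ == "__main__":
    for inc in run():
        print(f"{inc['score']:4d}  {inc['sig']:10s} {inc['asset_name']:12s} x{inc['count']}")
```

On the constructed sample the flood against the mail server scores highest, the port scan of the HR database comes second, and the worm scanning from the low-value laptop lands at the bottom, which is the triage order the text argues for. The two isolated denies never reach an analyst at all.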

SIM tools also help with the regulatory piece by calling special attention to threats to systems that have the greatest role in compliance. Some integrate directly with third-party compliance software.

Security information management products come in two configurations: software that runs on a server platform, generally of your choosing; and network appliances that prepackage everything in a neat little box.

Usually, servers are more flexible and easier to scale up to meet future demand, but they can be hard to configure. Appliances help avoid most setup hassles and may offer better performance, but tend to be less configurable.

Agencies' needs vary. Wherever your customer stands in the agent vs. agentless decision, spotting a threat is important, but response is what counts. Security information management tools can take any of three approaches to response:

» They can have incident response built in, providing trouble tickets and alerts that security analysts can pass to network operations staff for remedial action.

» They can pass data and alerts directly to help-desk programs.

» They can leave it to security and network teams to enter security information management data into a help-desk tool manually.

Tools typically don't initiate responses without human intervention. The secured assets are too valuable, and the software is not yet smart enough to be trusted.

"Automatic response is a scary term for most customers, and rightly so," said Sharlun, ArcSight's director of strategic application solutions. Some users program their security information management systems to take action that can be safely standardized, such as shutting down a server infected with a known, fast-moving worm.

Perhaps the most important reason security information management plays a more passive role in network security is that its functionality typically spans two groups in an organization. Any platform you choose should have features that bridge the divide.

Centers for network operations and security operations usually are separate departments and cultures that don't always work well together. Security information management is a security operations thing, but remediation often gets thrown into network operations' lap.

"The network guys just do not like the idea of a tool going out and messing with their infrastructure," said Paul Stamp, senior analyst at Forrester Research. The culture clash may be especially obvious in large organizations, said Calvin Chai, marketing manager for Cisco Systems' CS-MARS SIM appliance.

But the more important issue is a blurring of the lines of responsibility. The security operations center's purview once was defining security policy and monitoring threats. "We've seen security becoming more integrated into the network infrastructure itself," Chai said.

Vendors see this as a chance to add integration and collaboration features.

"There's this historic divide between network operations guys and security operations guys, and there's always discussion on how to better integrate those two," Current Analysis' Braunberg said.

Linking approval workflows is one solution. Better data sharing is another. For example, network operations center staff might misdiagnose a performance degradation issue until security operations staff alerts them to a denial-of-service attack.

As network attacks have evolved into lightning-quick, so-called "zero-day" threats, they have nearly outpaced the original security information management technology. Vendors, among them Cisco and Network Intelligence, are touting new features that expand their ability to offer real-time monitoring and response by analyzing network-traffic streams. As a result, security information management is evolving into security information and event management.

Moreover, agencies and integrators increasingly recognize that threats also come from inside their walls, from employees who have access to the network and mean to do it harm.

"We have some very sophisticated U.S. government customers using us for insider threat detection," said Steve Sommer, senior vice president at ArcSight.

Monitoring firewalls and other edge devices helps little. "They're harder to detect," Sommer said of insider threats. "You have to do different types of analysis."

While security information management can help make sense of a complex network, it's not a silver bullet. As for thinking of it as an all-powerful expert system, "I think we're a long way away from that," Stamp said.

David Essex is a freelance technology writer in Antrim, N.H.
