Calm amidst the storm
Security information management tools help juggle threat data
- By David Essex
- Apr 20, 2006
Bill Geimer has a big, big security problem, a planet-sized security problem, at the U.S. Agency for International Development.
"We have a worldwide network in more than 70 different locations, in some of the most underdeveloped countries in the world," said Geimer, program manager in the agency's chief information security office. More than 100 firewalls and dozens of intrusion detection systems watch for threats.
In search of a centralized system to make sense of its data, USAID began investigating security information management products. The agency's need for security information management was for the obvious reasons: collecting, aggregating and correlating data from disparate vendors, Geimer said.
USAID chose the nFX Open Security Platform from netForensics Inc., Edison, N.J. It may be oversimplifying it to attribute all USAID's success to security information management, but it was the only agency to earn an A on the Federal Computer Security Report Card for both 2004 and 2005.
Although USAID was among the early adopters, other federal agencies have moved to full-scale implementations of security information management in just the past year. And it's more than post-Sept. 11 paranoia that's driving government toward security information management. Privacy and security regulations, such as the Federal Information Security Management Act, the Gramm-Leach-Bliley Act of 1999, and the Health Insurance Portability and Accountability Act, prescribe strict guarantees that information is secure and private.
That also means keeping electronic security records safe and accessible for examination by regulators and for use as evidence. "Government agencies have deployed myriad security technologies, and now they want to get their arms around that information," said Ashesh Kamdar, group product manager for Symantec Corp., a security software vendor that sells security information management appliance hardware.
Cost savings is another demand driver, as agencies take a hard look at their growing labor budgets for security and network management.
"These tools help them get out of the grunt work," Kamdar said, referring in part to the laborious manual analysis of security event logs.
That is exactly the situation Glen Sharlun found in 2003 when he was head of the Marine Corps Network Operations and Security Command.
"We had a data overload problem," he said. Too many people were doing computer work, and manually examining security logs for evidence of significant events was inefficient.
After talking with government peers about why they chose or replaced their security information management systems, Sharlun chose the Enterprise Security Manager from ArcSight Inc. of Cupertino, Calif.
The solution helped free security analysts to make decisions on threats, then respond using ESM's workflow and time-stamping features as well as Houston-based BMC Software Inc.'s Remedy help-desk software.
"Most of the information coming across a firewall is noise," said Tracy Hulver, director of product management for netForensics. "The first thing security information management does is take all those messages and filter them down."
What ultimately distinguishes security information management is its ability to paint a more complete, risk-adjusted assessment of an agency's security profile. Its sensitivity to the business values of IT assets can, for example, prevent security teams from wasting hours eradicating worms from a mobile worker's laptop while a denial-of-service attack is exploding on the mail server.
SIM tools also help with the regulatory piece by calling special attention to threats to systems that have the greatest role in compliance. Some integrate directly with third-party compliance software.
Security information management products come in two configurations: software that runs on a server platform, generally of your choosing; and network appliances that prepackage everything in a neat little box.
Usually, servers are more flexible and easier to scale up to meet future demand, but they can be hard to configure. Appliances help avoid most setup hassles and may offer better performance, but tend to be less configurable.
Agencies' needs vary. Wherever your customer stands in the agent vs. agentless decision, spotting a threat is important, but response is what counts. Security information management tools can take up to three approaches:
- They can have incident response built in, providing trouble tickets and alerts that security analysts can pass to network operations staff for remedial action.
- They can pass data and alerts directly to help-desk programs.
- Security and network teams can use a help-desk tool to enter security information management data manually.
Tools typically don't initiate responses without human intervention. The secured assets are too valuable, and the software is not yet smart enough to be trusted.
"Automatic response is a scary term for most customers, and rightly so," said Sharlun, ArcSight's director of strategic application solutions. Some users program their security information management systems to take action that can be safely standardized, such as shutting down a server infected with a known, fast-moving worm.
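To make the two ideas above concrete, the filter-then-weight step Hulver describes and the response choice between a ticket and a narrowly standardized automatic action, here is an added toy pipeline in Python. It is example code written for this page, not code from the article or from any vendor it names. The log formats, the asset inventory with its business values, the severity table and the single allow-listed playbook are all assumptions made for the illustration; the input lines are constructed, not captured from real devices.

```python
"""Toy security information management (SIM) pipeline (added example).

Normalises events from two constructed sources (a firewall and an IDS),
drops noise, correlates repeated drops into one event, weights each alert
by the business value of the affected asset, and routes the result either
to a human-owned ticket or, for one allow-listed playbook, to an automatic
action. Every name, format and threshold below is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass

# ---- constructed sample input (not real logs) ---------------------------
FIREWALL_LOGS = [
    "fw1 ACCEPT src=10.0.0.5 dst=10.0.1.20 dport=443",
    "fw1 ACCEPT src=10.0.0.6 dst=10.0.1.20 dport=443",
    "fw1 DROP src=198.51.100.7 dst=10.0.1.30 dport=25",
    "fw1 DROP src=198.51.100.7 dst=10.0.1.30 dport=25",
    "fw1 DROP src=198.51.100.7 dst=10.0.1.30 dport=25",
    "fw1 DROP src=203.0.113.9 dst=10.0.2.77 dport=445",
]
IDS_LOGS = [
    "ids2 alert sig=worm.known.fastmover host=10.0.2.77",
    "ids2 alert sig=syn.flood host=10.0.1.30",
]

# Assumed asset inventory: host -> (name, business value 1..10).
ASSETS = {
    "10.0.1.30": ("mail-server", 9),
    "10.0.1.20": ("web-proxy", 6),
    "10.0.2.77": ("mobile-laptop", 2),
}
# Assumed per-signature severity 1..10; unknown signatures get a default of 4.
SEVERITY = {"syn.flood": 8, "worm.known.fastmover": 6, "repeated-drop": 3}
DROP_THRESHOLD = 3  # the same src/dst/port dropped this often becomes one event
# Only a narrowly standardised action may run without a human in the loop.
AUTO_PLAYBOOKS = {"worm.known.fastmover": "isolate-host"}

FW_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) alert sig=(\S+) host=(\S+)$")


@dataclass(frozen=True)
class Event:
    source: str
    signature: str
    host: str
    count: int = 1


def normalize(fw_lines, ids_lines):
    """Turn vendor-specific lines into one event format and drop noise.

    Accepted firewall traffic is discarded; drops are correlated by
    (device, src, dst, port) and only a repeated tuple becomes an event."""
    events = []
    drops = Counter()
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable line: skipped (a real SIM would count these)
        dev, action, src, dst, dport = m.groups()
        if action == "DROP":
            drops[(dev, src, dst, dport)] += 1
    for (dev, src, dst, dport), n in drops.items():
        if n >= DROP_THRESHOLD:
            events.append(Event(dev, "repeated-drop", dst, n))
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m:
            dev, sig, host = m.groups()
            events.append(Event(dev, sig, host))
    return events


def score(event):
    """Risk-adjusted score: signature severity weighted by asset value."""
    _name, value = ASSETS.get(event.host, ("unknown", 1))
    return SEVERITY.get(event.signature, 4) * value


def prioritize(events):
    """Highest risk first: the flood on the mail server outranks the laptop worm."""
    return sorted(events, key=score, reverse=True)


def route(event):
    """Automatic action only for an allow-listed playbook; everything else
    becomes a ticket that a human analyst owns."""
    if event.signature in AUTO_PLAYBOOKS:
        return ("auto", AUTO_PLAYBOOKS[event.signature])
    asset = ASSETS.get(event.host, ("unknown",))[0]
    return ("ticket", f"{event.signature} on {asset}")


def run(fw_lines=FIREWALL_LOGS, ids_lines=IDS_LOGS):
    """Full pipeline: normalise, prioritise, and attach a response decision."""
    return [(score(e), e.signature, e.host, route(e))
            for e in prioritize(normalize(fw_lines, ids_lines))]


if __name__ == "__main__":
    for row in run():
        print(row)
```

Running it yields three rows: the SYN flood against the mail server scores 72 and is ticketed, the repeated drops against the same server score 27 and are ticketed, and the known fast-moving worm on the laptop scores only 12 but is the one event handed to the automatic playbook, because its remedy is the kind of standardized action the article says some users are willing to pre-approve. The asset weighting is what keeps the laptop from crowding out the mail server in the queue.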
Perhaps the most important reason security information management plays a more passive role in network security is that its functionality typically spans two groups in an organization. Any platform you choose should have features that bridge the divide.
Centers for network operations and security operations usually are separate departments and cultures that don't always work well together. Security information management is a security operations thing, but remediation often gets thrown into network operations' lap.
"The network guys just do not like the idea of a tool going out and messing with their infrastructure," said Paul Stamp, senior analyst at Forrester Research. The culture clash may be especially obvious in large organizations, said Calvin Chai, marketing manager for Cisco Systems' CS-MARS SIM appliance.
But the more important issue is a blurring of the lines of responsibility. The security operations center's purview once was defining security policy and monitoring threats. "We've seen security becoming more integrated into the network infrastructure itself," Chai said.
Vendors see this as a chance to add integration and collaboration features.
"There's this historic divide between network operations guys and security operations guys, and there's always discussion on how to better integrate those two," Current Analysis' Braunberg said.
Linking approval workflows is one solution. Better data sharing is another. For example, network operations center staff might misdiagnose a performance degradation issue until security operations staff alerts them to a denial-of-service attack.
As network attacks have evolved into lightning-quick, so-called "zero-day" threats, they've nearly surpassed the original security information management technology. Vendors, among them Cisco and Network Intelligence, are touting new features that expand their ability to offer real-time monitoring and response by analyzing network-traffic streams. As a result, security information management is evolving into security information and event management.
Moreover, agencies and integrators increasingly recognize that threats also come from inside their walls, from employees who have access to the network and mean to do it harm.
"We have some very sophisticated U.S. government customers using us for insider threat detection," said Steve Sommer, senior vice president at ArcSight.
Monitoring firewalls and other edge devices helps little. "They're harder to detect," Sommer said of insider threats. "You have to do different types of analysis."
While security information management can help make sense of a complex network, it's not a silver bullet. To think of it as an all-powerful expert system, "I think we're a long way away from that," Stamp said.
David Essex is a freelance technology writer in Antrim, N.H.