There was a time when cutting-edge network security meant a firewall on your perimeter and anti-virus software on the desktop.
No longer. With the advent of polymorphic Internet worms, application-layer attacks, Trojan horses, adware, spyware, and wireless
hacks, the network security picture is more complicated than ever.
The multifaceted threatscape, coupled with a raft of new federal data security regulations, has driven network administrators
to devote more rack space and money to security point products such as IDSes, IPSes, vulnerability scanning tools, application-layer
firewalls, gateway anti-virus and anti-spam products, and identity and access management tools.
To bring order to the chaos of point products, some companies have begun offering SEM (security event management) or SIM (security
incident management) technology. Originally intended to manage the glut of alerts and advisories spit out by IDSes and firewalls,
SEM/SIM products are evolving into complex system management tools that monitor a wide range of products and supervise everything
from vulnerability information to attack management and patching.
“Sign me up,” you say? Not so fast, caution security-industry analysts and experts. Security management products are still
in their infancy, and the bromide they offer isn’t for everyone. Moreover, big changes may be in the works as more and more
security products move to standards-based platforms. That means enterprises that think they need security management technology
in-house may end up taking a costly detour if they don’t already have a firm grasp of their IT security needs.
Security data glut
It’s difficult to find an IT security expert who doesn’t espouse the need for security management tools. “People are being
buried by data,” says Lance Braunstein, executive director at Morgan Stanley. “You’ve got this bucket of firewall logs, router
logs, IDS logs -- megabytes of data a minute.”
Managing that data is a pressing issue for network and system administrators, who are presented with unique challenges based
on the size of their enterprises. “I can’t think of any other application that requires me to look at gigabytes of data in
real time,” Braunstein says. The volume of data -- approximately 10MB per minute at Morgan Stanley -- makes any intelligent
analysis harder, he adds.
SEM technology promises to tame that data by centralizing, correlating, and prioritizing log data from various devices, presenting
it via sophisticated visualization features that make it easy for network admins to spot security vulnerabilities and evolving
attacks.
Typically, SEM products work by gathering log data and logged events from the devices they support. That raw information arrives
in forms such as text-based system logs (syslog) and SNMP traps, the notifications network devices send when significant
events occur, including startups, reboots, and authentication failures.
Because different products record logs and events in different ways, that information must be translated -- or normalized
-- into the standard format used by the SEM device's correlation engine. Depending on the product, capture and translation
may be performed by a software client, or agent, residing on the monitored device, or the raw data may be shipped to a central
collection point where it is normalized.
“You can have two different types of IDS products -- say Snort and Cisco. Both can detect a buffer overflow. But Snort might
call it ‘xyz,’ whereas Cisco calls it ‘wpq,’ but it’s the same attack,” says Larry Lunetta, vice president of marketing at
SEM vendor ArcSight.
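The normalization step described above, and Lunetta's point that two IDSes label the same attack differently, is easier to see in code. The following is an added example, not code from the article or from any SEM vendor: it parses two constructed alert lines (one in the layout of a Snort fast-mode alert, one in a hypothetical Cisco-style syslog message) into a single canonical event record, then maps each vendor's signature name onto a common attack category so the two alerts can be recognized as the same attack. The field names, the signature names and the signature-to-category table are all assumptions made for the example.

```python
import re
from datetime import datetime

# Vendor-specific signature names mapped to one common attack category.
# The names and categories are illustrative, not real Snort or Cisco signature text.
SIGNATURE_MAP = {
    ("snort", "WEB-IIS ISAPI .printer access overflow"): "buffer_overflow",
    ("cisco", "IIS ISAPI overflow attempt"): "buffer_overflow",
    ("snort", "ICMP PING NMAP"): "recon_scan",
    ("cisco", "ICMP network sweep"): "recon_scan",
}

# Layout of a Snort fast-mode alert line (timestamp, [gid:sid:rev], message, {proto}, src -> dst).
SNORT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"(?P<sig>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Hypothetical Cisco-style syslog IDS message; the %IDS-n-nnnn body is an assumption.
CISCO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+%IDS-\d-\d+:\s+"
    r"(?P<sig>.+?)\s+from\s+(?P<src>[\d.]+)\s+to\s+(?P<dst>[\d.]+)"
)

# Constructed sample input: two alerts for one attack, one scan, and one unrelated firewall line.
SAMPLE_LINES = [
    "03/01-10:15:22.123456  [**] [1:1243:8] WEB-IIS ISAPI .printer access overflow [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:3421 -> 10.1.2.7:80",
    "Mar  1 10:15:25 ids1 %IDS-4-2004: IIS ISAPI overflow attempt from 10.1.1.5 to 10.1.2.7",
    "03/01-10:16:02.000001  [**] [1:469:3] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.5 -> 10.1.2.9",
    "Mar  1 10:16:40 fw1 %ASA-6-302013: Built outbound TCP connection 8 for outside:10.1.2.7/80",
]


def normalize(line, year=2005):
    """Turn one raw alert line into a canonical event dict, or None if no parser matches.

    Neither syslog nor Snort fast alerts carry the year, so it is supplied by the caller.
    """
    m = SNORT_RE.search(line)
    if m:
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        source = "snort"
    else:
        m = CISCO_RE.search(line)
        if not m:
            return None  # unsupported format: keep the raw line elsewhere, do not guess
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        source = "cisco"
    sig = m["sig"].strip()
    return {
        "ts": ts,
        "source": source,
        "src_ip": m["src"],
        "dst_ip": m["dst"],
        "vendor_sig": sig,                                   # what the vendor called it
        "category": SIGNATURE_MAP.get((source, sig), "unknown"),  # what the SEM calls it
        "raw": line,
    }


def normalize_all(lines):
    """Normalize a batch of raw lines, dropping lines no parser understands."""
    return [e for e in (normalize(l) for l in lines) if e is not None]


def same_attack(a, b):
    """True when two normalized events, from any vendors, describe the same attack
    class against the same victim: the Snort 'xyz' versus Cisco 'wpq' case."""
    return (a["category"] != "unknown"
            and a["category"] == b["category"]
            and a["dst_ip"] == b["dst_ip"])


if __name__ == "__main__":
    events = normalize_all(SAMPLE_LINES)
    for e in events:
        print(e["ts"], e["source"], e["vendor_sig"], "->", e["category"])
    print("same attack:", same_attack(events[0], events[1]))
```

The two overflow alerts keep their original vendor text in vendor_sig, so an analyst can still see what each sensor reported, while the correlation engine works only on the shared category field. The firewall line is rejected rather than forced into the schema; a real deployment would route unparsed lines to a separate queue instead of discarding them.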
Surveying the threatscape
Companies such as ArcSight and netForensics offer hardware and software that connect the dots between different sets of security
data, while supporting large deployments and sporting sophisticated security data capture, correlation, and visualization
features.
netForensics’ nFX product uses a network of collector devices spread throughout a company’s enterprise to gather security
data from devices, normalize the data, and aggregate events. It then forwards this information to a central correlation engine,
where as many as 20,000 types of messages are boiled down to approximately 100 event types in nine event categories, says
Patrick Guay, vice president of product management and marketing at netForensics.
Guay likens the company’s architecture to a pyramid, with security devices making up the broad base. Information is passed
up and refined at each stage until it is presented to operators at a SOC (security operations center) or NOC (network operations
center).
After data has been filtered, netForensics’ visualization features display and highlight trends and events such as worm outbreaks
-- showing which machines were infected and what other systems were infected as a result. That lets administrators react
more quickly than they could by sifting through individual logs: cutting off access to infected systems and applying
patches where necessary.
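The two tiers described for nFX, collectors that aggregate events and a central engine that correlates them into a picture such as a worm outbreak, can be sketched in a few dozen lines. This is an added example written for this page, not netForensics' code or architecture: it takes constructed, already-normalized events (timestamp in seconds, category, source IP, destination IP), collapses duplicates at the collector tier into counted records, rolls them up by category, and then has the central tier reconstruct the infection chain, treating a host as confirmed infected once it has been hit by worm traffic from an infected host and later starts spreading itself. The window size, the category names and the infection rule are assumptions made for the example.

```python
from collections import Counter

# Constructed, already-normalized events as a collector tier would receive them:
# (seconds since start, category, src_ip, dst_ip). Categories are this example's own names.
EVENTS = [
    (0,  "worm_propagation", "10.1.1.5", "10.1.2.7"),
    (1,  "worm_propagation", "10.1.1.5", "10.1.2.7"),   # duplicate hit on the same victim
    (2,  "worm_propagation", "10.1.1.5", "10.1.2.8"),
    (3,  "recon_scan",       "10.9.9.9", "10.1.2.8"),   # unrelated scan, must not join the chain
    (5,  "worm_propagation", "10.1.2.7", "10.1.3.1"),   # 10.1.2.7 was hit at t=0, now spreads
    (6,  "worm_propagation", "10.1.2.7", "10.1.3.2"),
    (9,  "worm_propagation", "10.1.3.1", "10.1.4.4"),   # third generation
    (40, "worm_propagation", "10.1.2.7", "10.1.3.3"),   # later window, separate record
]


def collector_aggregate(events, window=10):
    """Collector tier: collapse identical (category, src, dst) events that fall in the
    same time window into one record carrying a count and first/last-seen times."""
    buckets = {}
    for ts, cat, src, dst in sorted(events):
        key = (cat, src, dst, ts // window)
        rec = buckets.get(key)
        if rec is None:
            buckets[key] = {"category": cat, "src": src, "dst": dst,
                            "first": ts, "last": ts, "count": 1}
        else:
            rec["count"] += 1
            rec["last"] = ts
    return sorted(buckets.values(), key=lambda r: (r["first"], r["src"], r["dst"]))


def category_summary(records):
    """Roll aggregated records up to per-category totals, the coarse view an operator sees first."""
    return Counter({})  + Counter(
        {cat: sum(r["count"] for r in records if r["category"] == cat)
         for cat in {r["category"] for r in records}})


def infection_chain(records, seed):
    """Central correlation tier. Returns (infected, hit_by):
    infected maps each confirmed-infected host to the host that infected it (seed -> None);
    hit_by maps every host targeted by an infected host to the first infected host that hit it.
    A host is confirmed infected only when it was hit earlier and then emits worm traffic itself;
    records must be in time order, which collector_aggregate guarantees."""
    infected = {seed: None}
    hit_by = {}
    for r in records:
        if r["category"] != "worm_propagation":
            continue
        src, dst = r["src"], r["dst"]
        if src not in infected and src in hit_by:
            infected[src] = hit_by[src]      # exposed host is now spreading: confirmed
        if src in infected:
            hit_by.setdefault(dst, src)      # record who reached this victim first
    return infected, hit_by


def exposed_hosts(infected, hit_by):
    """Hosts that were targeted by an infected machine but have not (yet) spread themselves."""
    return set(hit_by) - set(infected)


if __name__ == "__main__":
    recs = collector_aggregate(EVENTS)
    print(f"{len(EVENTS)} events -> {len(recs)} records; by category: {dict(category_summary(recs))}")
    infected, hit_by = infection_chain(recs, seed="10.1.1.5")
    for host, infector in infected.items():
        print(f"infected: {host}  (via {infector})")
    print("exposed, isolate and patch first:", sorted(exposed_hosts(infected, hit_by)))
```

The output separates three confirmed-infected machines from four that were only targeted, which is the split an operator needs: the first group is cut off from the network, the second is patched before it can become the next generation. A real engine would also age hosts out of the exposed set and weight the rule by the sensor's confidence, which this sketch omits.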