ArcSight’s product relies mostly on software “smart agents” to capture logged events and alerts from devices it manages by
extracting detailed information from them, categorizing each event, and noting the source of the attack. That information
is then encrypted and sent to the ArcSight Manager, a central server that stores the normalized data in an enterprise database
and applies specific filters and correlation rules to the events.
As does netForensics’ nFX, ArcSight normalizes security data -- boiling down diverse information into a common set of 200
fields -- and uses sophisticated graphics to display network status information on a console. Network administrators can link
to data retrieved from other security systems such as network vulnerability scanners.
Big players move in
Computer Associates and IBM have also invested heavily in SEM technology in recent years, expanding the reach of their respective
Unicenter and Tivoli network management suites. These companies are adding value to existing capabilities -- including identity
management, access management, configuration management, and user provisioning -- through integration with SEM components.
For example, IBM’s Tivoli Risk Manager collects and filters information from more than 100 point security devices through
standard SNMP or Web services events or through customized events created using tools provided by IBM, says Arvind Krishna,
vice president of security and provisioning development at IBM Tivoli.
In addition, the company’s Tivoli Security Compliance Manager automates software vulnerability scans on networks and compares
the results of those scans to network security policies. Information collected from those products is then displayed, along
with data from other network devices, on the Tivoli Enterprise Console.
Similarly, CA has been focusing development attention on its eTrust Security Command Center, which aggregates and correlates
security data from other eTrust components, such as the eTrust Vulnerability Manager, or with third-party security products.
The Command Center communicates directly with CA’s Unicenter system management software, passing alerts and status information
back and forth to an organization’s network operations team, says Toby Weiss, CA’s senior vice president of product management.
Due at the end of October, the new version of the Command Center will extend the reach of eTrust. It will add tighter integration
with eTrust Network Forensics -- a CA product that allows organizations to capture all their network traffic for forensic
analysis -- and eTrust 20/20, a product that integrates physical and IT security systems to correlate anomalous behavior.
Consolidating defenses
The increasing interest in integrated SEM among security vendors of all sizes is just one symptom of a larger movement to
combine a number of distinct but closely related security technologies -- such as patch management, vulnerability management,
and incident management -- that have gained wide adoption in the enterprise in recent years.
The drive for greater integration also stems from a range of new federal and state regulations covering data integrity and
privacy, such as Sarbanes-Oxley and California’s SB1386. “You have a number of regulations that have emerged that say, ‘You
have to be looking for bad things in your environment, and when you notice them, you have to tell us about them and implement
best practices,’ ” says John Summers, global director for managed security services at Unisys.
What’s needed is a fusion between SEM or SIM products and data on asset criticality -- coupled with integrated functions such
as identity and access management, user provisioning, change and configuration management, and software patch management.
A recent report by IDC called for a higher degree of integration between system and security management products, which would
help centralize control over networks, require fewer IT staff members to manage, and allow administrators to better understand
the relationship of security events to network availability, among other benefits.
Such a system could allow intelligence about a new security vulnerability that accompanies a software patch to be automatically
linked to network policy management systems and be tested against existing ACLs (access control lists) used by firewalls and
routers to thwart attacks, Morgan Stanley’s Braunstein says. “Then all that information is logged, and you can do something
intelligent with the logs. That’s the real Holy Grail: a fully automated security lifecycle,” he says.
Taking the long view
As it stands, products with that level of integration are three to five years away. But companies are beginning to pull
together some key pieces -- such as connecting the findings of vulnerability scans with security alerts and intelligence on
software and hardware asset values -- so that they can prioritize threats to critical systems.
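The two pieces this article describes -- normalizing diverse device output into a common field set (as ArcSight and nFX do), and then ranking alerts against vulnerability-scan findings and asset values -- as an added Python sketch. This is not any vendor's code; the two event formats, the asset criticality table and the scan findings are constructed for the example.

```python
import re

# Constructed sample events in two vendor-specific formats (not real device output)
RAW_EVENTS = [
    "firewall: 2003-10-14T09:12:01 DENY src=198.51.100.7 dst=10.0.0.5 dport=445",
    "ids|2003-10-14T09:12:03|ALERT|198.51.100.7|10.0.0.5|445|MS-RPC exploit attempt",
    "firewall: 2003-10-14T09:12:05 DENY src=203.0.113.4 dst=10.0.0.9 dport=23",
]
# Constructed asset inventory (criticality 1 = low, 5 = business critical)
ASSET_CRITICALITY = {"10.0.0.5": 5, "10.0.0.9": 1}
# Constructed vulnerability scan findings: host -> ports the scanner flagged as vulnerable
SCAN_FINDINGS = {"10.0.0.5": {445}}

FW_RE = re.compile(r"^firewall: (\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")

def normalize(raw):
    """Map one vendor-specific line onto a common field set (the SEM normalization step)."""
    m = FW_RE.match(raw)
    if m:
        ts, action, src, dst, port = m.groups()
        return {"ts": ts, "source_type": "firewall", "src": src, "dst": dst,
                "dport": int(port), "severity": 2 if action == "DENY" else 1,
                "name": "firewall " + action.lower()}
    if raw.startswith("ids|"):
        _, ts, sev, src, dst, port, name = raw.split("|", 6)
        return {"ts": ts, "source_type": "ids", "src": src, "dst": dst,
                "dport": int(port), "severity": 4 if sev == "ALERT" else 2, "name": name}
    raise ValueError("unrecognized event format: %r" % raw)

def prioritize(events):
    """Rank normalized events by risk: severity x asset criticality, doubled when the
    targeted port matches a scanner-confirmed vulnerability, and doubled again by a
    correlation rule when the same (src, dst) pair is reported by more than one device type."""
    witnesses = {}
    for ev in events:
        witnesses.setdefault((ev["src"], ev["dst"]), set()).add(ev["source_type"])
    ranked = []
    for ev in events:
        crit = ASSET_CRITICALITY.get(ev["dst"], 1)
        vulnerable = ev["dport"] in SCAN_FINDINGS.get(ev["dst"], set())
        corroborated = len(witnesses[(ev["src"], ev["dst"])]) > 1
        risk = ev["severity"] * crit * (2 if vulnerable else 1) * (2 if corroborated else 1)
        ranked.append(dict(ev, asset_criticality=crit, vulnerable=vulnerable,
                           corroborated=corroborated, risk=risk))
    return sorted(ranked, key=lambda e: e["risk"], reverse=True)

def correlate(raw_lines):
    """Normalize raw lines from mixed sources and return them highest risk first."""
    return prioritize([normalize(line) for line in raw_lines])
```

With the constructed data, `correlate(RAW_EVENTS)` puts the IDS alert against the critical, scanner-confirmed host first (risk 80), the matching firewall deny second (40), and the uncorroborated telnet deny against the low-value host last (2).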