“Say you have a system in an area sensitive to the Sarbanes-Oxley regulations, like a general ledger,” ArcSight’s Lunetta
says. “If you’re in the last two weeks of the quarter and [ArcSight’s] analytics detects a highly threatening attack, it’s
going to recognize it as a high-priority event, and also something associated with Sarbanes-Oxley, and coach you to take
steps to deal with it.”
Lunetta calls that adding “business relevance” to SEM, a level of intelligence that a wide range of products now promise.
ArcSight, netForensics, Network Intelligence, and OpenService all offer SEM technology that performs asset correlation.
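The asset correlation Lunetta describes, as an added illustration that is not code from ArcSight or any vendor named here: a raw detector severity is raised when the target host carries a compliance tag, and raised again when the event falls in the last two weeks of a quarter. The host names, tags and point values are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed asset inventory: host -> business tags (example values only).
ASSET_TAGS = {
    "gl-db-01": {"sox", "finance"},   # general ledger database
    "web-kiosk-07": set(),            # no compliance relevance
}

QUARTER_END_WINDOW_DAYS = 14  # "the last two weeks of the quarter"


@dataclass
class Event:
    host: str
    detected: str      # ISO date, e.g. "2004-03-25"
    severity: int      # raw detector severity, 1 (low) .. 10 (critical)


@dataclass
class Prioritized:
    score: int
    reasons: list = field(default_factory=list)


def quarter_end(d_iso: str) -> str:
    """ISO date of the last calendar day of the quarter containing d_iso."""
    d = date.fromisoformat(d_iso)
    last_month = ((d.month - 1) // 3 + 1) * 3
    first_of_next = (date(d.year + 1, 1, 1) if last_month == 12
                     else date(d.year, last_month + 1, 1))
    return (first_of_next - timedelta(days=1)).isoformat()


def in_quarter_end_window(d_iso: str) -> bool:
    d = date.fromisoformat(d_iso)
    return (date.fromisoformat(quarter_end(d_iso)) - d).days < QUARTER_END_WINDOW_DAYS


def prioritize(ev: Event, inventory=ASSET_TAGS) -> Prioritized:
    """Asset correlation: bump the score for a SOX-scoped host, and again when
    the event lands in the quarter-end reporting window. Unknown hosts are
    flagged so the analyst knows the inventory, not the attack, is the gap."""
    out = Prioritized(score=ev.severity)
    if ev.host not in inventory:
        out.reasons.append("host not in asset inventory; relevance unknown")
        return out
    if "sox" in inventory[ev.host]:
        out.score += 3
        out.reasons.append("asset is in Sarbanes-Oxley scope")
        if in_quarter_end_window(ev.detected):
            out.score += 3
            out.reasons.append("within quarter-end reporting window")
    return out
```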
As for the hoped-for union of systems management and SEM/SIM products, companies today can enjoy some of the benefits of converged
systems and security management, depending on which technology vendors they choose. BMC Software and Hewlett-Packard have
partnered with security vendors in order to integrate security technology into Remedy and OpenView, respectively.
In June, Symantec said its DeepSight Alert Services and Incident Manager would integrate with BMC’s Remedy Help Desk and Action
Request system, as part of BMC’s Business Service Management program. The union would allow internal IT and security teams
to communicate more efficiently and to resolve security incidents and vulnerabilities.
In pursuing its partner approach to OpenView, HP looks at the system management platform as “a framework where many different
types of information are collected,” says Tony Redmond, vice president and CTO of HP’s security program office. “We’re fully
aware that there are companies who have well-developed [software] suites, but we’ve said, ‘Let’s go put our innovation elsewhere
and reward the hard work that our partners have done.’ ”
Rather than add new SEM features and interface layers to OpenView, HP is content to let third-party vendors be sources of
data to OpenView, which can digest the handful of significant events that emerge from millions of alerts.
Inching toward interoperability
Technology from vendors such as ArcSight, e-Security, and netForensics can exchange information with OpenView through software
plug-ins, allowing OpenView to absorb events generated by those SEM products and enabling the SEM products to recognize network
or system management events that originate in OpenView. Similarly, netForensics’ products can send alarms that will be registered
in OpenView systems.
But the level of integration between SEM/SIM products and systems management platforms is not uniform, limiting customers’
choices. So, whereas ArcSight counts HP OpenView as a “platinum enterprise partner” and offers some integration with that
system management platform, potential ArcSight customers who use Unicenter or Tivoli will have to travel a rougher road to
integration, Lunetta says.
CA’s Weiss says that his company has produced more than 100 integration kits to link third-party technology products to its
eTrust platform and offers a toolkit for customers to integrate custom applications with eTrust.
But organizational conflicts, rather than technical gaps, may be the biggest obstacle to greater integration of security management
and systems management technology, says Chris Christiansen, vice president of security products at IDC. “You’ve got lots of
people who have based their entire careers in certain areas, and they’re not anxious to give that up,” he says. For example,
systems management staff are reluctant to give up control of automatic configuration and patch deployment to systems run by
security management groups.
“If you’re a sys admin, you’re going to be territorial about the systems you manage,” Morgan Stanley’s Braunstein says. “You
don’t want lots of people with root or enable [privileges].” Although they might not be able to simply merge network security
and network operations groups, companies can improve the way these groups manage systems and the data they generate, making
central control and automatic provisioning more than just a pipe dream.
Security from all sides
Fiscal austerity is one of the main motivations for consolidating security functions, as enterprises look for ways to manage
their network without adding head count. “Companies just don’t have the budget to hire people at the rate that they’re adding
new hardware,” netForensics’ Guay says. “The days of having separate IDS and firewall support teams are gone.”
For companies interested in better network security management but wary about making a major IT investment amid so much change,
MSSPs (managed security services providers) offer an appealing option. Such services offload the difficult management and
integration problem to security experts and allow companies to aggregate security information from hundreds or thousands of
security devices, providing better information on emerging security threats.
In the end, however, there’s no silver bullet for the security management problem. All-encompassing SEM solutions work for
some organizations but not others. “To some extent, the multiplicity of answers is applicable to the complex nature of the
problem. Some people might see [security management] as a chaotic situation, but others just see multiple ways of getting
to the same solution,” IDC’s Christiansen says.
For companies exploring SEM/SIM technology, IBM’s Krishna advises a measured approach. “People try to do too much,” he says.
“It’s like trying to juggle 50 balls. We tell our customers, ‘You can do all these hundreds of things, but let’s be focused
and do two. We’ll get those under our belt, then do two more.’ ”