In search of security event standards

No standard data format yet exists for end points to report security events. But the industry is trying -- using partnerships rather than standards bodies

Integrating SEM (security event management) technology with existing security and system management infrastructure can be a hair-raising experience. Security point products such as IDSes, anti-virus gateways, and vulnerability scanners tend to use proprietary formats for reporting, recording network events, and issuing alerts. And the standard formats that do exist -- such as SNMP traps and syslog messages -- are limited in what they can convey.

Today, SEM vendors get around the limitations by relying on custom plug-ins or software agents for each security or system management product they want to interact with. For example, Computer Associates has more than 100 integration kits that allow its eTrust Security Command Center to digest data from third-party security software. Most vendors also offer tools or services to integrate information from unsupported products or custom software applications.

To simplify integration and management, universally accepted standards are required so that network end points, security products, and system management platforms can speak a common language. “An event’s not meaningful if we can’t define it. We need a well-defined schema and standards so that any system can generate an auditable event, then have [another system] receive it, classify it, store it, and do analysis,” says Arvind Krishna, vice president of security and provisioning development at IBM Tivoli.
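To make the per-product integration kits and the "well-defined schema" concrete, here is an added example that is not from the article or from any vendor named in it: a tiny normalization layer with one adapter per product feeding a single common event schema, so that a downstream consumer can classify, store and correlate events without knowing the vendor format. The product names (`acme-ids`, `av-gw`), their line formats and the sample feed are all constructed for illustration; the syslog adapter follows the BSD (RFC 3164) layout, whose only structured fields are the facility and severity in the `<PRI>` prefix, which is exactly the "limited in what they can convey" problem.

```python
"""Common security event schema with per-product adapters (added example).

All product names, line formats and sample lines are constructed; nothing
here is a real vendor format.
"""
import csv
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Common severity scale every adapter maps onto: 0 info .. 3 critical.
SEVERITY_INFO, SEVERITY_LOW, SEVERITY_HIGH, SEVERITY_CRITICAL = 0, 1, 2, 3


@dataclass
class NormalizedEvent:
    """The schema consumers see; vendor-specific fields never leak past the adapter."""
    timestamp: datetime          # always timezone-aware UTC
    product: str                 # which adapter produced the event
    category: str                # e.g. "ids.alert", "av.detection", "syslog.facility4"
    severity: int                # common 0..3 scale
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    message: str = ""
    raw: str = ""                # original line kept for audit and forensics


Adapter = Callable[[str], NormalizedEvent]
ADAPTERS: Dict[str, Adapter] = {}


def adapter(product: str):
    """Register a per-product parser, the way an SEM integration kit plugs in."""
    def wrap(fn):
        ADAPTERS[product] = fn
        return fn
    return wrap


# --- BSD syslog: "<PRI>Mmm dd HH:MM:SS host tag: message" ---------------------
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _syslog_severity_to_common(sev: int) -> int:
    # syslog severity 0..7: 0-2 emerg/alert/crit, 3 err, 4 warning, 5-7 notice/info/debug
    if sev <= 2:
        return SEVERITY_CRITICAL
    if sev == 3:
        return SEVERITY_HIGH
    return SEVERITY_LOW if sev == 4 else SEVERITY_INFO


@adapter("syslog")
def parse_syslog(line: str, year: int = 2005) -> NormalizedEvent:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    facility, severity = divmod(int(m.group("pri")), 8)
    # BSD syslog timestamps carry no year and no zone; assume the given year and UTC.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    ips = IP_RE.findall(m.group("msg"))  # free text: IPs can only be guessed by regex
    return NormalizedEvent(ts, "syslog", f"syslog.facility{facility}",
                           _syslog_severity_to_common(severity),
                           ips[0] if ips else None, ips[1] if len(ips) > 1 else None,
                           m.group("msg"), line)


# --- constructed IDS format: space-separated key=value pairs ------------------
IDS_SEVERITY = {"info": SEVERITY_INFO, "low": SEVERITY_LOW, "high": SEVERITY_HIGH, "critical": SEVERITY_CRITICAL}


@adapter("acme-ids")
def parse_acme_ids(line: str) -> NormalizedEvent:
    kv = dict(tok.partition("=")[::2] for tok in shlex.split(line))
    ts = datetime.fromisoformat(kv["ts"].replace("Z", "+00:00"))
    return NormalizedEvent(ts, "acme-ids", "ids.alert", IDS_SEVERITY.get(kv.get("sev", "low"), SEVERITY_LOW),
                           kv.get("src"), kv.get("dst"), kv.get("sig", ""), line)


# --- constructed AV gateway format: "timestamp,host,signature,action" CSV -----
AV_SEVERITY = {"cleaned": SEVERITY_INFO, "quarantined": SEVERITY_LOW, "failed": SEVERITY_HIGH}


@adapter("av-gw")
def parse_av_gateway(line: str) -> NormalizedEvent:
    ts_text, host, signature, action = next(csv.reader([line]))
    ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return NormalizedEvent(ts, "av-gw", "av.detection", AV_SEVERITY.get(action, SEVERITY_HIGH),
                           None, None, f"{signature} on {host} ({action})", line)


def normalize(product: str, line: str) -> NormalizedEvent:
    if product not in ADAPTERS:
        raise ValueError(f"no integration kit registered for {product!r}")
    return ADAPTERS[product](line)


# Constructed sample feed: one line per product, as a collector might receive them.
SAMPLE_FEED: List[Tuple[str, str]] = [
    ("syslog", "<36>Mar 7 14:01:02 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 DPT=445"),
    ("acme-ids", 'ts=2005-03-07T14:02:11Z sev=high src=10.0.0.5 dst=192.168.1.10 sig="SMB login brute force"'),
    ("av-gw", "2005-03-07 14:05:30,workstation-17,Trojan.Constructed.A,quarantined"),
]


def normalize_feed(feed=SAMPLE_FEED) -> List[NormalizedEvent]:
    return [normalize(product, line) for product, line in feed]


def events_by_source(events: List[NormalizedEvent]) -> Dict[str, List[NormalizedEvent]]:
    """Once fields are uniform, cross-product correlation is a plain dictionary grouping."""
    grouped: Dict[str, List[NormalizedEvent]] = {}
    for e in events:
        if e.src_ip:
            grouped.setdefault(e.src_ip, []).append(e)
    return grouped


if __name__ == "__main__":
    for ev in normalize_feed():
        print(ev.timestamp.isoformat(), ev.product, ev.category, ev.severity, ev.src_ip, ev.dst_ip, ev.message)
```

The point of the registry is that adding a fourth product touches only a new adapter, never the consumers; the `raw` field preserves the vendor line so a normalization error can be re-examined later, and the syslog adapter shows how little structure a `<PRI>`-only format gives you to work with.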

“The day we open Web services interfaces to these [security] devices, everything becomes a lot easier because I don’t need to agree with you about what an event is,” Krishna says. Although such standards have yet to reach the drawing board, industry partnerships are attempting to force security products, networking infrastructure, and clients to play nice.

Trusted Computing Group Trusted Network Connect: A proposed standard for creating an open architecture, Trusted Network Connect seeks to promote end-point standards for communicating the status of operating system updates, anti-virus and IDS signatures, and application patches. Participating vendors include Foundry Networks, InfoExpress, Juniper Networks, McAfee, and Symantec.

Cisco Network Admission Control: This program is part of Cisco’s Self-Defending Network strategy and pairs the company with security stalwarts such as Computer Associates, IBM, McAfee, Symantec, Trend Micro, and the latest member, Microsoft. The program is designed to build bridges that allow security products to communicate directly with Cisco routers, switches, and access-control servers.

Microsoft Network Access Protection: A policy-enforcement platform for Windows Server, Network Access Protection will create a uniform method of determining the “health state” of a computer attempting to access a network. Computer Associates, Extreme Networks, Hewlett-Packard, Juniper Networks, McAfee, Symantec, and Trend Micro are on board.