There was a time when cutting-edge network security meant a firewall on your perimeter and anti-virus software on the desktop. No longer. With the advent of polymorphic Internet worms, application-layer attacks, Trojan horses, adware, spyware, and wireless hacks, the network security picture is more complicated than ever.
The multifaceted threatscape, coupled with a raft of new federal data security regulations, has driven network administrators to devote more rack space and money to security point products such as IDSes, IPSes, vulnerability scanning tools, application-layer firewalls, gateway anti-virus and anti-spam products, and identity and access management tools.
To bring order to the chaos of point products, some companies have begun offering SEM (security event management) or SIM (security incident management) technology. Originally intended to manage the glut of alerts and advisories spit out by IDSes and firewalls, SEM/SIM products are evolving into complex system management tools that monitor a wide range of products and supervise everything from vulnerability information to attack management and patching.
“Sign me up,” you say? Not so fast, caution security-industry analysts and experts. Security management products are still in their infancy, and the bromide they offer isn’t for everyone. Moreover, big changes may be in the works as more and more security products move to standards-based platforms. That means enterprises that think they need security management technology in-house may end up taking a costly detour if they don’t already have a firm grasp of their IT security needs.
Security data glut
It’s difficult to find an IT security expert who doesn’t espouse the need for security management tools. “People are being buried by data,” says Lance Braunstein, executive director at Morgan Stanley. “You’ve got this bucket of firewall logs, router logs, IDS logs -- megabytes of data a minute.”
Managing that data is a pressing issue for network and system administrators, who are presented with unique challenges based on the size of their enterprises. “I can’t think of any other application that requires me to look at gigabytes of data in real time,” Braunstein says. The volume of data -- approximately 10MB per minute at Morgan Stanley -- makes any intelligent analysis harder, he adds.
SEM technology promises to tame that data by centralizing, correlating, and prioritizing log data from various devices, presenting it via sophisticated visualization features that make it easy for network admins to spot security vulnerabilities and evolving attacks.
Typically, SEM products work by gathering log data and logged events from the devices they support. The information is stored in files such as text-based system logs and SNMP traps, which are notifications generated by network devices of significant events, including startups, reboots, and authentication failures.
Because different products record logs and events in different ways, that information must be translated -- or normalized -- into a standard format used by the SEM device’s correlation engine. Depending on the product being used, information capture and translation may be performed by a software client, or agent, residing on the monitored device or transmitted in raw format to a central collection point where it is normalized.
“You can have two different types of IDS products -- say Snort and Cisco. Both can detect a buffer overflow. But Snort might call it ‘xyz,’ whereas Cisco calls it ‘wpq,’ but it’s the same attack,” says Larry Lunetta, vice president of marketing at SEM vendor ArcSight.