“You can have two different types of IDS products -- say Snort and Cisco. Both can detect a buffer overflow. But Snort might call it ‘xyz,’ whereas Cisco calls it ‘wpq,’ but it’s the same attack,” says Larry Lunetta, vice president of marketing at SEM vendor ArcSight.
Companies such as ArcSight and netForensics offer hardware and software that connect the dots between different sets of security data, while supporting large deployments and sporting sophisticated security data capture, correlation, and visualization features.
netForensics’ nFX product uses a network of collector devices spread throughout a company’s enterprise to gather security data from devices, normalize the data, and aggregate events. It then forwards this information to a central correlation engine, where as many as 20,000 types of messages are boiled down to approximately 100 event types in nine event categories, says Patrick Guay, vice president of product management and marketing at netForensics.
Guay likens the company’s architecture to a pyramid, with security devices making up the broad base. Information is passed up and refined at each stage until it is presented to operators at a SOC (security operations center) or NOC (network operations center).
After data has been filtered, netForensics’ visualization features display and highlight trends and events such as worm outbreaks -- showing which machines were infected and which other systems were infected as a result. That allows administrators to react more quickly than they could by sifting through individual logs: cutting off access to infected systems and applying patches where necessary.
ArcSight’s product relies mostly on software “smart agents” to capture logged events and alerts from devices it manages by extracting detailed information from them, categorizing each event, and noting the source of the attack. That information is then encrypted and sent to the ArcSight Manager, a central server that stores the normalized data in an enterprise database and applies specific filters and correlation rules to the events.
Like netForensics’ nFX, ArcSight normalizes security data -- boiling down diverse information into a common set of 200 fields -- and uses sophisticated graphics to display network status information on a console. Network administrators can link to data retrieved from other security systems such as network vulnerability scanners.
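As an added illustration of the normalization and correlation steps described above (not code from ArcSight, netForensics or this article), the Python below parses two constructed alert formats into one common schema, maps vendor-specific signature names such as “xyz” and “wpq” to a shared category, aggregates the results, and flags hosts that were hit by an exploit and then began launching the same one, the worm-spread picture netForensics’ visualization is said to produce. The log lines, signature names and category table are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in two made-up sensor formats (not real vendor output).
SNORT_STYLE = [
    '[1:2003:8] xyz BUFFER OVERFLOW attempt [Priority: 1] {TCP} 10.0.0.5:4312 -> 10.0.0.9:445',
    '[1:2003:8] xyz BUFFER OVERFLOW attempt [Priority: 1] {TCP} 10.0.0.5:4313 -> 10.0.0.12:445',
]
VENDOR_B_STYLE = [
    'sig=wpq sev=high proto=tcp src=10.0.0.9 dst=10.0.0.20 dport=445 msg="overflow in SMB"',
    'sig=portscan sev=low proto=tcp src=10.0.0.9 dst=10.0.0.21 dport=445 msg="scan"',
]

# Hypothetical translation table: vendor signature names -> a small common category set,
# the kind of mapping a SEM normalizer maintains so "xyz" and "wpq" become one event type.
CATEGORY_MAP = {'xyz': 'exploit.buffer_overflow', 'wpq': 'exploit.buffer_overflow',
                'portscan': 'recon.scan'}

SNORT_RE = re.compile(r'\] (?P<sig>\S+) .*?\{(?P<proto>\w+)\} '
                      r'(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def normalize(line):
    """Parse either format into one common schema: category, src, dst, dport, proto."""
    m = SNORT_RE.search(line)
    if m:
        d = m.groupdict()
    else:
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if 'sig' not in kv:
            raise ValueError(f'unrecognised alert format: {line!r}')
        d = {'sig': kv['sig'], 'proto': kv['proto'], 'src': kv['src'],
             'dst': kv['dst'], 'dport': kv['dport']}
    return {'category': CATEGORY_MAP.get(d['sig'].lower(), 'unknown'), 'src': d['src'],
            'dst': d['dst'], 'dport': int(d['dport']), 'proto': d['proto'].lower()}

def load_events():
    """Normalize all constructed alerts, preserving arrival order for correlation."""
    return [normalize(line) for line in SNORT_STYLE + VENDOR_B_STYLE]

def aggregate(events):
    """Collapse normalized events into counts per (category, destination port)."""
    return Counter((e['category'], e['dport']) for e in events)

def spread_chain(events, category='exploit.buffer_overflow'):
    """Correlate: hosts that were targets of `category` and later became sources of it.
    Returns {infected_host: [hosts it then attacked]}, in event order."""
    targeted, chain = set(), defaultdict(list)
    for e in events:
        if e['category'] != category:
            continue
        if e['src'] in targeted:          # victim has started attacking: likely infected
            chain[e['src']].append(e['dst'])
        targeted.add(e['dst'])
    return dict(chain)
```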
Big players move in
Computer Associates and IBM have also invested heavily in SEM technology in recent years, expanding the reach of their respective Unicenter and Tivoli network management suites. These companies are adding value to existing capabilities -- including identity management, access management, configuration management, and user provisioning -- through integration with SEM components.
For example, IBM’s Tivoli Risk Manager collects and filters information from more than 100 point security devices through standard SNMP or Web services events or through customized events created using tools provided by IBM, says Arvind Krishna, vice president of security and provisioning development at IBM Tivoli.