“Say you have a system in an area sensitive to the Sarbanes-Oxley regulations, like a general ledger,” ArcSight’s Lunetta says. “If you’re in the last two weeks of the quarter and [ArcSight’s] analytics detects a highly threatening attack, it’s going to recognize it as a high-priority event -- and also something associated with Sarbanes-Oxley -- and coach you to take steps to deal with it.”
Lunetta calls that adding “business relevance” to SEM, a level of intelligence that a wide range of products now promise. ArcSight, netForensics, Network Intelligence, and OpenService all offer SEM technology that performs asset correlation.
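A sketch of the asset correlation just described, added here as an illustration and not ArcSight's or any other vendor's code: it enriches a raw alert with asset criticality and compliance tags from a constructed inventory, escalates SOX-tagged assets during the last two weeks of a quarter, and attaches response guidance. The hostnames, scoring weights, priority thresholds and playbook steps are assumptions made for the example.

```python
"""Asset-aware alert prioritization (added example, not vendor code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str
    compliance_tags: FrozenSet[str] = field(default_factory=frozenset)
    criticality: int = 1  # constructed scale: 1 (low) .. 5 (crown jewel)

# Constructed asset inventory; a real engine would pull this from a CMDB.
ASSETS: Dict[str, Asset] = {
    "gl-db01": Asset("gl-db01", "finance", frozenset({"SOX"}), 5),
    "web-kiosk7": Asset("web-kiosk7", "facilities", frozenset(), 1),
}

# Constructed playbook steps for SOX-relevant assets during quarter close.
SOX_CLOSE_STEPS: List[str] = [
    "notify finance controller and internal audit",
    "freeze non-emergency changes on the asset until cleared",
    "preserve ledger audit trail and authentication logs",
]

def quarter_end(d: date) -> date:
    """Last calendar day of the quarter containing d."""
    end_month = ((d.month - 1) // 3 + 1) * 3
    if end_month == 12:
        return date(d.year, 12, 31)
    return date(d.year, end_month + 1, 1) - timedelta(days=1)

def in_close_window(d: date, days: int = 14) -> bool:
    """True when d falls within the final `days` days of its quarter."""
    return (quarter_end(d) - d).days < days

def prioritize(event: Dict[str, object], today: date) -> Dict[str, object]:
    """Enrich an alert with asset context and derive a business-aware priority.

    event: {"host": str, "severity": int 1..10, "signature": str}
    """
    host = str(event["host"])
    severity = int(event["severity"])
    # Unknown hosts get a low-criticality placeholder rather than being dropped.
    asset = ASSETS.get(host, Asset(host, "unknown"))
    score = severity * asset.criticality
    steps: List[str] = []
    sox_window = "SOX" in asset.compliance_tags and in_close_window(today)
    if sox_window:
        score *= 2  # constructed escalation factor for quarter close
        steps = list(SOX_CLOSE_STEPS)
    # Constructed thresholds mapping the score onto an analyst queue.
    if score >= 40:
        priority = "P1"
    elif score >= 20:
        priority = "P2"
    else:
        priority = "P3"
    return {
        "host": host,
        "owner": asset.owner,
        "compliance_tags": sorted(asset.compliance_tags),
        "score": score,
        "priority": priority,
        "sox_close_window": sox_window,
        "recommended_steps": steps,
    }

if __name__ == "__main__":
    alert = {"host": "gl-db01", "severity": 5, "signature": "privilege escalation"}
    print(prioritize(alert, date(2024, 3, 20)))
    print(prioritize(alert, date(2024, 2, 1)))
```

The same severity-5 alert is a P2 in early February but a P1 on 20 March, because the target carries a SOX tag and the date falls inside the quarter-close window; the identical signature against the untagged kiosk stays a P3. That gap between raw severity and business priority is what asset correlation is meant to close.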
As for the hoped-for union of systems management and SEM/SIM products, companies today can enjoy some of the benefits of converged systems and security management, depending on which technology vendors they choose. BMC Software and Hewlett-Packard have partnered with security vendors in order to integrate security technology into Remedy and OpenView, respectively.
In June, Symantec said its DeepSight Alert Services and Incident Manager would integrate with BMC’s Remedy Help Desk and Action Request system, as part of BMC’s Business Service Management program. The union would allow internal IT and security teams to communicate more efficiently and to resolve security incidents and vulnerabilities.
In pursuing its partner approach to OpenView, HP looks at the system management platform as “a framework where many different types of information are collected,” says Tony Redmond, vice president and CTO of HP’s security program office. “We’re fully aware that there are companies who have well-developed [software] suites, but we’ve said, ‘Let’s go put our innovation elsewhere and reward the hard work that our partners have done.’ ”
Rather than add new SEM features and interface layers to OpenView, HP is content to let third-party vendors be sources of data to OpenView, which can digest the handful of significant events that emerge from millions of alerts.
Inching toward interoperability
Technology from vendors such as ArcSight, e-Security, and netForensics can exchange information with OpenView through software plug-ins, allowing OpenView to absorb events generated by those SEM products and enabling the SEM products to recognize network or system management events that originate in OpenView. Similarly, netForensics’ products can send alarms that will be registered in OpenView systems.
But the level of integration between SEM/SIM products and systems management platforms is not uniform, limiting customers’ choices. So, whereas ArcSight counts HP OpenView as a “platinum enterprise partner” and offers some integration with that system management platform, potential ArcSight customers who use Unicenter or Tivoli will have to travel a rougher road to integration, Lunetta says.
CA’s Weiss says that his company has produced more than 100 integration kits to link third-party technology products to its eTrust platform and offers a toolkit for customers to integrate custom applications with eTrust.
But organizational conflicts, rather than technical gaps, may be the biggest obstacle to greater integration of security management and systems management technology, says Chris Christiansen, vice president of security products at IDC. “You’ve got lots of people who have based their entire careers in certain areas, and they’re not anxious to give that up,” he says. For example, systems management staff are reluctant to give up control of automatic configuration and patch deployment to systems run by security management groups.