WHILE ENTERPRISES loaded up on security-related technologies from anti-virus to IDS (intrusion detection system) solutions during the past few years, a new problem was brewing: how to aggregate the streams of information coming from the various security devices throughout a network and correlate that data to help IT prioritize and respond to threats?
Making sense of data from a patchwork of point security solutions is a major goal, and a bevy of vendors is stepping forward to meet the challenge. However, so-called "security event management" products -- including software, appliances, and managed services from Guardent, Network Intelligence, Symantec, ISS, ArcSight, Netforensics, and eSecurity -- face an array of technology challenges, ranging from data management and integration to scalability and analytics to making the data actionable.
Data management, integration, and scalability
The basic concept behind security event management is to tap and correlate data from a variety of devices on the network in real time, enabling a 360-degree view of potential threats. Data sources include security-layer devices such as firewalls, VPNs, anti-virus and IDS; network-layer devices such as routers, hubs, and switches; host systems and their OS audit trails; and storage systems.
Many of these devices perform some security reporting and analysis on their own, but that data must be pulled together, normalized, and put into a common format. The challenge can be compounded by both the volume and variety of the data: a Cisco router, for example, can have more than 6,000 message types (event signatures); a Windows host server can have over 7,000. In the absence of industry standards, mapping related messages from different vendors' products requires a superset taxonomy constructed by each event management vendor.
"It's not rocket science," says Matt Stevens, vice president of technology at Network Intelligence in Walpole, Mass. "It's just a lot of hard work."
Although efforts are under way to standardize a dictionary that would make it easy to normalize security event data, industry squabbling seems to be impeding progress. "In the late '90s and early 2000s, most sensor vendors wanted to be at the top of that stack," says Jerry Brady, CTO of Waltham, Mass.-based Guardent. "That led to the development of very proprietary protocols and data models, different event representations. It's hard to link that data together."
Efforts are under way to develop standardized security-event representations, including the CVE (Common Vulnerabilities and Exposures) project and those under way at the Computer Emergency Response Team (CERT) Coordination Center. Internet Emergency Task Force (IETF) groups have been working on both IDXP (Intrusion Detection Exchange Protocol), a standard protocol for intrusion detection systems, and IDMEF (Intrusion Detection Message Exchange Format), but both are focused on signature-based IDSes and may not cover data from VPNs, firewalls, and other key devices. Some vendors are pushing their own protocols, such as Symantec with its SESA (Symantec Enterprise Security Architecture). Others are trying to tie into the work of the Distributed Management Task Force (DMTF) for logging, alerting, and reporting.
The data management challenge is made all the more intense by the sheer volume of data that security event management systems must process and store in real time -- up to tens of thousands of events per second.
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »Download a free 30day trial and experience how XenDesktop delivers a pristine, ondemand desktop experience to users on whatever device they choose, while cutting IT complexity and costs.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation

Sign up to receive Security Resource Alerts
With the continuous expansion of data capacity, completing the full cycle of a scheduled scan can be a very time consuming process. Find out how to efficiently secure EMC Celerra with centralized virus scanning, virus pattern file updates, event reporting and antivirus configuration.
Download now! »A single virus-infected file in a storage system can be responsible for infecting large amounts of data. This white paper details the architecture and product features of Trend Micro's data storage security solution, ServerProtect, and discusses how it has been designed to protect EMC Celerra file servers with minimal overhead.
Download now! »The increase in Linux popularity has increased the frequency and sophistication of malware attacks. Learn how you can protect your Linux environment with real-time protection that is certified by all major Linux vendors.
Download now! »With the emergence of mixed threat attacks, a failure on a single server can quickly impact the entire network. Learn how a technology that is designed to remove and block infected files on application and file servers prevents the virus from reaching users and keeps your Windows network free from malware.
Download now! »