Managing it all

WHILE ENTERPRISES loaded up on security-related technologies from anti-virus to IDS (intrusion detection system) solutions during the past few years, a new problem was brewing: how to aggregate the streams of information coming from the various security devices throughout a network and correlate that data to help IT prioritize and respond to threats?

Making sense of data from a patchwork of point security solutions is a major goal, and a bevy of vendors is stepping forward to meet the challenge. However, so-called "security event management" products -- including software, appliances, and managed services from Guardent, Network Intelligence, Symantec, ISS, ArcSight, Netforensics, and eSecurity -- face an array of technology challenges, ranging from data management and integration to scalability and analytics to making the data actionable.

Data management, integration, and scalability

The basic concept behind security event management is to tap and correlate data from a variety of devices on the network in real time, enabling a 360-degree view of potential threats. Data sources include security-layer devices such as firewalls, VPNs, anti-virus and IDS; network-layer devices such as routers, hubs, and switches; host systems and their OS audit trails; and storage systems.

Many of these devices perform some security reporting and analysis on their own, but that data must be pulled together, normalized, and put into a common format. The challenge can be compounded by both the volume and variety of the data: a Cisco router, for example, can have more than 6,000 message types (event signatures); a Windows host server can have over 7,000. In the absence of industry standards, mapping related messages from different vendors' products requires a superset taxonomy constructed by each event management vendor.

"It's not rocket science," says Matt Stevens, vice president of technology at Network Intelligence in Walpole, Mass. "It's just a lot of hard work."

Although efforts are under way to standardize a dictionary that would make it easy to normalize security event data, industry squabbling seems to be impeding progress. "In the late '90s and early 2000s, most sensor vendors wanted to be at the top of that stack," says Jerry Brady, CTO of Waltham, Mass.-based Guardent. "That led to the development of very proprietary protocols and data models, different event representations. It's hard to link that data together."

Efforts are under way to develop standardized security-event representations, including the CVE (Common Vulnerabilities and Exposures) project and those under way at the Computer Emergency Response Team (CERT) Coordination Center. Internet Emergency Task Force (IETF) groups have been working on both IDXP (Intrusion Detection Exchange Protocol), a standard protocol for intrusion detection systems, and IDMEF (Intrusion Detection Message Exchange Format), but both are focused on signature-based IDSes and may not cover data from VPNs, firewalls, and other key devices. Some vendors are pushing their own protocols, such as Symantec with its SESA (Symantec Enterprise Security Architecture). Others are trying to tie into the work of the Distributed Management Task Force (DMTF) for logging, alerting, and reporting.

The data management challenge is made all the more intense by the sheer volume of data that security event management systems must process and store in real time -- up to tens of thousands of events per second.