Corralling Security Data
Computerworld -
Like many companies, Online Resources Corp. has deployed host- and network-based intrusion-detection systems (IDS), firewalls and antivirus tools on its networks. But until it installed a security event management suite, the company had a hard time dealing with the deluge of data pouring in from its various security systems. Not only was the incoming data voluminous and highly unreliable, but the IT staff also had to collect it from each system and then manually correlate it.
The Security Information Management suite from Edison, N.J.-based NetForensics Inc. has changed that by automating Online Resources' process of gathering, consolidating, correlating and prioritizing that data, says Hugh McArthur, information security officer at the Reston, Va.-based online bill processor. "It has given us a single place where we can go to get the information we need," he says.
Many companies are turning to centralized security event management tools to help them make sense of crucial security information, analysts say. The ever-increasing number of security appliances around the network perimeter has created a stream of data that needs to be analyzed and correlated, says Michael Engle, vice president of information security at Lehman Brothers Holdings Inc. in New York.
New and proposed regulations that will require companies to constantly monitor their networks for security incidents are also increasing interest in these tools, says Michael Rasmussen, an analyst at Forrester Research Inc. in Cambridge, Mass. "There is a tremendous driver in the security standards and legislation area. The reason why people are buying [such technology] is a direct result of this," he says.
Volume Control
IDSs, firewalls and antivirus software, as well as operating systems and applications software, can detect and report an enormous number of security events daily, say users and analysts.
For instance, the security incident management system at Lehman gathers and analyzes information about more than 1 million events from 15 different systems daily, according to Engle. This includes data from IDSs and authentication systems, a telephony password reset system and an anomaly-detection system, as well as logs from Lehman's main e-commerce, Windows and Unix systems.
By year's end, the firm hopes to have a new system in place that will help it gather and analyze more than 80 million daily events, including consolidated firewall log data.
Sifting through this volume of data without some sort of consolidation and correlation technology is nearly impossible, thereby making the data worthless, says Pete White, a security architect at Houston-based M.D. Anderson Cancer Center, whose own firewalls generate between 15 and 30 alerts every second.
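The gather, consolidate, correlate and prioritize steps the article attributes to these suites can be sketched in a few dozen lines. The following is an added example, not code from the article, from NetForensics or from any of the companies quoted: it normalizes constructed sample lines from three made-up sources (a firewall, an IDS and an authentication system) into one record type, groups them by source address, and raises findings ranked by severity, so that corroborating evidence from two systems outranks either alone. Every format, field name and threshold here is an assumption made for the demonstration.

```python
"""Added example: minimal consolidation/correlation over constructed events.
Formats, source names and thresholds are assumptions, not any vendor's."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample lines in three invented formats (firewall, IDS, auth).
SAMPLE_LINES = [
    "fw|2004-03-01T10:00:01|DENY|10.0.0.5|192.168.1.20|445",
    "fw|2004-03-01T10:00:02|DENY|10.0.0.5|192.168.1.21|445",
    "fw|2004-03-01T10:00:03|DENY|10.0.0.5|192.168.1.22|445",
    "ids 2004-03-01T10:00:04 src=10.0.0.5 sig=SMB_PROBE sev=3",
    "auth 2004-03-01T10:00:05 user=alice src=10.0.0.9 result=FAIL",
    "auth 2004-03-01T10:00:06 user=alice src=10.0.0.9 result=FAIL",
    "auth 2004-03-01T10:00:07 user=alice src=10.0.0.9 result=FAIL",
    "auth 2004-03-01T10:00:08 user=alice src=10.0.0.9 result=FAIL",
    "auth 2004-03-01T10:00:09 user=alice src=10.0.0.9 result=FAIL",
    "auth 2004-03-01T10:00:10 user=alice src=10.0.0.9 result=OK",
    "fw|2004-03-01T10:00:11|ALLOW|10.0.0.7|192.168.1.30|80",
]


@dataclass(frozen=True)
class Event:
    """Common record every source is normalized into (consolidation step)."""
    source: str
    ts: str
    src_ip: str
    kind: str
    severity: int  # 1 (low) .. 5 (high), assumed scale


def normalize(line):
    """Parse one raw line into an Event, or return None for an unknown format."""
    if line.startswith("fw|"):
        _, ts, action, src, dst, port = line.split("|")
        return Event("fw", ts, src, f"fw_{action.lower()}", 2 if action == "DENY" else 1)
    m = re.match(r"ids (\S+) src=(\S+) sig=(\S+) sev=(\d)", line)
    if m:
        return Event("ids", m[1], m[2], f"ids_{m[3]}", int(m[4]))
    m = re.match(r"auth (\S+) user=(\S+) src=(\S+) result=(\S+)", line)
    if m:
        return Event("auth", m[1], m[3], f"auth_{m[4].lower()}", 2 if m[4] == "FAIL" else 1)
    return None


def correlate(events, fail_threshold=5, deny_threshold=3):
    """Group events by source IP and emit (severity, ip, reason) findings,
    highest severity first (correlation and prioritization steps)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        kinds = [e.kind for e in evs]
        denies = kinds.count("fw_deny")
        fails = kinds.count("auth_fail")
        ids_hits = [e for e in evs if e.source == "ids"]
        # Repeated denies from a host that also tripped an IDS signature:
        # two independent systems agreeing outranks either alone.
        if denies >= deny_threshold and ids_hits:
            sev = max(e.severity for e in ids_hits) + 1
            findings.append((min(sev, 5), ip, f"{denies} fw denies + IDS {ids_hits[0].kind}"))
        elif denies >= deny_threshold:
            findings.append((2, ip, f"{denies} fw denies"))
        # Many failed logins followed by a success is more urgent than failures alone.
        if fails >= fail_threshold:
            succeeded = "auth_ok" in kinds[kinds.index("auth_fail"):]
            reason = f"{fails} auth failures" + (", then success" if succeeded else "")
            findings.append((5 if succeeded else 3, ip, reason))
    return sorted(findings, key=lambda f: f[0], reverse=True)


def run(lines=SAMPLE_LINES):
    """Gather -> normalize -> correlate over a list of raw lines."""
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for sev, ip, why in run():
        print(f"sev={sev} src={ip}: {why}")
```

On the constructed input the eleven raw lines collapse to two ranked findings: the host with five failed logins and a subsequent success comes first, and the host with three firewall denies plus an IDS hit second, while the single allowed connection produces nothing. Real suites add time windows, asset value and per-source reliability weighting on top of this skeleton, which is what lets them prioritize a stream of millions of events a day rather than a dozen lines.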