Command & Control

Computerworld - Iraq isn't the only war costing billions. According to Gartner Inc., 4% of IT budgets now go to security hardware and software as companies deploy an army of firewalls, intrusion-detection and -prevention systems, antivirus tools and VPNs, as well as authentication, access-control and identity management systems, to keep out hackers, criminals and other marauders.

But as any commander will tell you, battlefield success isn't just a matter of superior firepower. It also depends on communication.

From an IT standpoint, the challenge is how to best turn a ragtag bunch of security assets—each with its own log files, its own data structure and its own rules—into an elite defensive unit. To achieve this, companies are turning to security information management (SIM) software, which is designed to do for security what products such as Tivoli have done for networks—simplify management, provide greater visibility and improve response times.

Chaim Feldman, network and systems security manager at Bezeq-The Israel Telecommunications Corp., Israel's national telecommunications provider, reports that his company wards off 3,000 to 4,000 attacks per month. To gain control over the situation, he installed Computer Associates International Inc.'s eTrust Security Command Center (SCC). "Before I had this, I was kind of blind," he says. "I couldn't actually see all of my company."

Stopping the Data Deluge

Establishing comprehensive security requires more than just deploying an ever-expanding array of software and devices. It also means turning them into a coordinated set of managed assets.

"Everything was a big mess," says Jim Patterson, security analyst for the Illinois state government's Legislative Information System. "Even from a major vendor like Cisco, each device had its own reporting console."

To make matters worse, Patterson found that each device's software package typically had to run on its own PC. That meant having to track alerts from an array of machines, all of which needed to be logged onto separately.

Further complicating the issue, the firewalls generated more log traffic than the built-in database could handle. At the recommendation of Cisco Systems Inc., Patterson installed nFX Open Security Platform from netForensics Inc. in Edison, N.J.

"With SIM in place, you can reduce the number of people you need to have monitoring things, since everything is coming into one central station," says Patterson.

Security information management (also called security event management, or SEM) is an outgrowth of the event logs that managers used for network management but is tailored to gather data from security devices.

"The big differentiator is that, in addition to all the logs, a SIM can intake data from devices that don't generate logs or that generate robust but very specific proprietary information," says Gartner analyst Amrit Williams.