What the heck is security event management, anyway?

You know that a software category has 'arrived' when it gets so complex and multi-stranded that people develop whole new categories of software to try and tie it all together again, and so it is with the burgeoning network security business.

Whether it's security event management, enterprise security management or security information management, the message is the same: it's all getting out of hand, says Larry Lunetta, marketing and business development VP at software developer Arcsight. More than that, there are whole new groups of people involved who didn't need to know about security before.

"When we started we focused on helping the security group from an IT perspective, but now there are more stakeholders involved - the needs have evolved," he says. "Company directors just wanted protection, but now it's a matter of corporate governance - how can you sign off your financials if you don't know whether your business processes have been subverted at some level?"

Arcsight is one of several companies that have formed to address this need, alongside other relative newcomers such as NetForensics and more mainstream players like CA and Symantec. They may approach it slightly differently but in each case the aim is the same - to pull together the masses of data generated by stand-alone security products and make sense of it all.

Lunetta says that although providing a single point of management is important, there are other benefits too. For example, if the systems are not linked somewhere, no-one might notice if one of your users logs into the VPN while travelling in Sweden, while at the same time their swipe-card is used to gain access to head office in the UK.

"Firewalls, IDS and so on all produce huge volumes of alerts, all with different consoles and message formats, and very difficult to parse by hand," Lunetta says. "Each product is too focused on individual points in the network, while the security people have the expertise but nowhere is it all pulled together."

The solution offered by Arcsight (and its rivals) is to use agents on the various systems to pull in the raw messages - it has around 120 interfaces covering products from 60 vendors - and then normalise them into a common format before storing them in a common database.

"Then we do priority analysis," says Lunetta. "A classic IDS false positive is a Windows attack sent to a Linux system - we can suppress that because we know the system is not vulnerable. This is a very high-speed data management system, with analysis and rules-based correlation as key functions. The litmus test for security software is how intelligent can it be in focusing your attention."
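The pipeline Lunetta describes (agents collect vendor-specific messages, normalise them to one schema, prioritise against knowledge of the assets, then correlate across sources) in miniature, as an added illustrative example that is not Arcsight's code; the three log formats, the asset table, the country codes and the rules are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample messages in three vendor-specific formats (VPN gateway, badge reader, IDS).
RAW = [
    "Mar 03 09:00:10 vpn1 vpngw: user=alice src=81.228.0.10 country=SE action=login",
    "2004-03-03 09:05:00,BADGE,door=HQ-London-main,card=alice,result=granted,country=GB",
    "snort[1]: [1:2003:1] MS03-026 RPC DCOM overflow {TCP} 10.0.0.5 -> 10.0.0.20:135",
]
# Constructed asset inventory: host -> operating system, used for prioritisation.
ASSETS = {"10.0.0.20": "linux", "10.0.0.21": "windows"}

def normalise(line):
    """Map each vendor format onto one common event schema (the 'agent' step)."""
    m = re.match(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ vpngw: user=(\S+) .*country=(\S+) action=login", line)
    if m:
        ts = datetime.strptime("2004 " + m.group(1), "%Y %b %d %H:%M:%S")  # syslog carries no year
        return {"ts": ts, "type": "vpn_login", "user": m.group(2), "country": m.group(3)}
    m = re.match(r"(\S+ \S+),BADGE,door=\S+,card=(\S+),result=granted,country=(\S+)", line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "type": "badge", "user": m.group(2), "country": m.group(3)}
    m = re.search(r"\] (MS\d{2}-\d{3}) .* -> (\d+\.\d+\.\d+\.\d+):\d+", line)
    if m:  # an MS-numbered signature only matters to Windows targets
        return {"type": "ids_alert", "sig": m.group(1), "dst": m.group(2), "target_os": "windows"}
    return None

def prioritise(ev):
    """Suppress an IDS alert whose target cannot be vulnerable (Windows exploit vs. Linux host)."""
    if ev["type"] == "ids_alert" and ASSETS.get(ev["dst"]) != ev["target_os"]:
        return "suppressed"
    return "high"

def impossible_travel(events, window=timedelta(hours=1)):
    """Correlate VPN logins with badge swipes: same user, two countries, within the window."""
    phys = [e for e in events if e["type"] in ("vpn_login", "badge")]
    hits = []
    for a in phys:
        for b in phys:
            if (a["user"] == b["user"] and a["country"] != b["country"]
                    and timedelta(0) <= b["ts"] - a["ts"] <= window):
                hits.append((a["user"], a["country"], b["country"]))
    return hits

def run(lines=RAW):
    """Normalise, prioritise and correlate; returns what an analyst would actually see."""
    events = [e for e in map(normalise, lines) if e]
    ids = [(e["sig"], prioritise(e)) for e in events if e["type"] == "ids_alert"]
    return {"ids": ids, "travel": impossible_travel(events)}
```

With the sample input the Windows signature against the Linux host is suppressed, while alice's Swedish VPN login five minutes before her London badge swipe is raised as one correlated finding that neither source would show on its own.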

The security system also ties into the network management system, because the two need to interact. And now, with all those extra people wanting to know the organisation is secure - or if it is insecure, which areas of the business are affected by that - it ties into the business processes and non-IT systems too.

But although security management overlaps in some areas with network management, Lunetta doesn't see the two merging.

"A large organisation might have a network management overlay, and security could be a subset of that," he says. "We can act as middleware for HP Openview, Micromuse, and so on. The two differences between the environments are the volumes of information and the domain expertise needed to do the job.

"It's tempting to try to bolt the capability onto network management but I don't believe they have the volume capability - we're doing something with the information."

Sadly though, there is little sign of the need to normalise security data going away. "The vendors are very protective of their data formats and the investments they've made," Lunetta says. "There was an attempt three or four years ago but each vendor saw some flaw in it."

What is improving, in the US at least, is how organisations share data on attacks, instead of concealing their losses out of embarrassment or so-called commercial confidence. Lunetta says this is mostly under pressure from legislation and predicts that European organisations will probably have to follow suit before long.

"We are sponsoring research with CERT to develop a better view of security interchange formats and how organisations share information - it's sort of like an industry sector neighbourhood watch. There's a lot of virtue in saying that if one entity is attacked, others can prepare better for the same attack.

"Concealment is going away. In the US, 80 percent of the critical infrastructure is in private hands so it's no longer an issue of corporate embarrassment, it's national security. Plus there are laws, for example California requires organisations that have been compromised and have lost data to publicly declare that within 24 hours."

This story, "What the heck is security event management, anyway?" was originally published by Techworld.com.

Copyright © 2004 IDG Communications, Inc.
