This article can also be found in the Premium Editorial Download "Information Security magazine: Effective strategies for risk management and security information management systems."
Download it now to read this article plus other related content.
IT'S BEEN ALMOST a decade since security information management (SIM) systems were introduced. During that time, SIM products have evolved from relatively immature log aggregation products that were too expensive for all but the largest enterprises, to mature aggregation and management solutions that provide network and security insight to organizations of all sizes. But SIM solutions aren't done evolving.
As SIM use increases, enterprises are asking vendors for additional functionality, including deeper compliance intelligence and reporting, better visualization, improved incident response and integration of identity awareness. Many companies are leveraging SIMs to increase efficiency and cost savings in their security programs. And some businesses are going beyond security awareness and exploring how the comprehensive view of network and user activity that is collected and parsed by the SIM can be used for proactive risk management and business intelligence.
A CONFUSING BEGINNING
Early on, the SIM space suffered from a number of identity crises. To start with, there wasn't even consensus about what to call the products, and vendors used a variety of acronyms. Part of the problem stemmed from the fact that vendors and their customers approach functionality in different ways. For some, the great promise of SIM was bi-directional management of heterogeneous security devices (also known as MoM--the manager of managers). Others saw the consoles
In early deployments, SIMs were installed in large enterprises and used primarily as log aggregation tools. Although some enterprises spent a significant amount of time and resources crafting custom correlation rules, most gained the greatest value from the ability to collect critical log information from multiple sites and sources in a single, searchable repository using pre-set rules and templates for alerts management. But the landscape changed and the products matured. SIMs became more user friendly and compliance aware. New offerings emerged that were scaled for small and midmarket companies. And most SIM users realized that, although deeply complex correlation rules were not always cost-effective, there were many efficiencies to be gleaned from the powerful log aggregation and reporting that enterprise-ready SIM solutions offered.
MEETING COMPLIANCE DEMANDS
Compliance requirements for protection of personal information and industry standards such as PCI DSS drove many initial SIM purchases and still do today. Trent Henry, principal analyst for research firm Burton Group, says, "Companies that were only monitoring the perimeter devices are moving toward complete log and event aggregation" to meet audit and regulatory requirements. SIM solutions are, at heart, log aggregation engines because the information and events need to be collected and parsed at a central point before prioritized event reporting or correlation rules can be applied.
Most companies using SIM report that centralized log aggregation is the baseline function; without it, the product would not even be installed. But centralized logs and reporting comprise only a portion of the overall compliance landscape. For example, while requirement 10 of PCI explicitly mandates log aggregation, other portions of PCI could be supported with SIM such as the ability to report on who accessed data stores of credit card numbers.
Similarly, properly tuned SIMs can provide reporting and alerting that ease compliance with privacy related regulations such as HIPAA and the new Nevada and upcoming Massachusetts protection standards for personal information.
Section 17.04 of the Massachusetts law requires secure authentication, secure access control to records, and periodic reviews of audit trails. While log aggregation helps with the audit trail reviews by centralizing the information, a SIM tuned to monitor for access control or one that is integrated with a database monitoring tool from vendors such as Application Security, Guardium, or IPLocks, will provide deeper coverage for compliance monitoring and reporting.
SIM tools come with a variety of templates for compliance reporting and basic correlation rules for alerting on access violations. Organizations can use the default templates and reports or customize them as needed. Alberto Cardona, CISO for a large New York newspaper that uses a SIM from eIQnetworks, says the newspaper was able to use the templates included with the SIM, for the most part, "out of the box." Although some customization was required, it wasn't labor intensive and was mostly due to legacy applications with older login mechanisms, he adds.
Now that companies have learned to "walk" through compliance with SIM log aggregation, many of them are breaking into a run and integrating the solutions into a broader compliance program.
Where are you on the evolutionary curve?
One of the most interesting aspects of how SIM has evolved is the move from a security only solution sitting on the periphery of network operations to an integrated part of the business. Here's a look at the different stages of implementation for organizations:
Beginning: Use SIM for log aggregation from security devices and a few critical systems.
Middle: Expanded SIM monitoring to multiple services and devices, incorporating the solution into their compliance program, and implementing both risk and business related rules, reports, and alerts
High end: A proactive risk prevention tool and, in some cases, a business process transformation enabler.
Encompassing whole curve: Transformational usage can occur when business process information captured by the SIM is used by security and operational personnel to assess process efficacy and identify areas for improvement.--Diana Kelley
CLOSING THE RESPONSE WINDOW
Enterprises also are using SIMs to get a better view of their security posture and to improve their incident response. What separates a security event from a user error can be difficult to assess in a limited-view analysis, but becomes clear when understanding the context of the larger system as a whole. A SIM consolidates information from multiple sources including applications, servers, security and perimeter devices, making it possible to determine root causes.
At the newspaper, the layered data inputs are used to hone responses. As Cardeno explains, in a narrow view, an event such as a spike in CPU usage on a server, the root cause might not be apparent. An administrator could attribute the usage increase to a bad patch while an application developer might fear it was a memory leak in the code written for the application running on the server. And a security administrator might assume the spike was caused by a malicious denial-of-service (DoS) attack. With the consolidated view provided by the SIM, an administrator could see that the application log and event data is normal, no recent patches have been applied, and the IDS or IPS is reporting a huge increase in attempted connections to the server, making it likely that the company is experiencing a DoS.
John Menezes, president and CEO of Cyberklix, a managed security service provider (MSSP) that uses RSA's enVision SIM, calls this consolidation "the holistic view of security." Burton Group's Henry agrees, observing that many Burton customers are tweaking their SIMs to get better value out of their IDSes and other security devices. At Ontario, Canada-based Cyberklix, vulnerability management tool information is cross-checked with IDS or IPS events at the SIM console. For example, while an IDS or IPS may report that an exploit is being launched against a target, the vulnerability manager reports "show the target device was patched, so the IDS scan information is a false positive," Menezes says
Of course there's always a possible downside to too much information. And enterprises that suffered through multiyear roll-outs of SIMs slowed by extremely complex correlation rules may read the above with a world-weary sigh. To be effective with a holistic approach, be selective with what is monitored. Start slowly, focus on the highest priority systems, and a limited number rules. Grow the rule-set only when the processes are well understood and the existing rules are functioning smoothly.
In addition to helping sort out the root case of an event, organizations are using SIMs to proactively stop attacks or fix improper changes to systems. At TruMark Financial Credit Union in Pennsylvania, Matt Roedell, vice president of information security and infrastructure, has configured a TriGeo Network Security SIM to monitor and alert on configuration changes like add a user, add a firewall, and AD [Active Directory] reassignment. The SIM automatically emails the change control committee inbox when a change is made. If any process or service works improperly after the change occurs, the team "can immediately call who made the change and ask them what they did and have them back it out," he says.
WHAT'S IDENTITY GOT TO DO WITH IT?
Managing events and logs from security devices is common practice in the SIM world. But what about identity related information? Login information is closely tied to security and risk and SIMs have correlation engines that could use this information to improve the company's security posture. Henry calls identity information the "classic example" of SIM intelligence gathered from devices that are not deployed for security only purposes such as firewalls vulnerability management, and IDS. Vendors with robust identity management offerings, such as CA, IBM, and Novell, have focused on this issue, offering close integration between their identity management solutions and SIM products.
With this integration, a SIM could report a successful login, alerting a company that thought the user was de-provisioned, according to Henry. The login itself is significant but this could also trigger a call to the identity management team to ascertain whether the de-provisioning system is malfunctioning or perhaps not configured to properly deactivate all of a user's accounts. In this way, a SIM could help close the audit loop for identity management systems that don't have mechanisms for monitoring themselves or function as a separate channel for audit monitoring and control.
Companies are reporting that some or all logins to sensitive servers and applications are being monitored by a SIM. This information is used for data protection purposes, ensuring that only legitimate, approved users are accessing protected information, and for compliance reporting of the access. For one business, a SIM helped flag a problem with a new password policy. An auditor had recommended a very strict policy with more than eight characters, no dictionary words, and a password time-to-live (TTL) of two weeks. Because the company had a single sign-on (SSO) solution in place, users only needed to remember one password, but with the new rules, even that one password was too much. Lock-outs shot up and the help desk was overwhelmed with reset calls. While help desk records would have eventually shown the new policy was causing problems with users, the SIM alerts indicated a problem within a couple of days.
At the newspaper, Cardona saw a corollary usage. By using the SIM to monitor key systems, each with a different password, and correlating them with logs, alerts, lock outs and help desk calls, the security team was able to use this information as business justification for investing in an SSO solution.
Perhaps one of the more complex identity options for integrating a SIM with identity management is to create comprehensive user activity profiles that follow a user's activities through the network. This information can be used to track anomalies and possible misuse. An example of this is limiting access to a database using location information. The database administrators may have access to the database from inside the data center or using an approved remote access solution, such as an IPSec VPN, from an approved remote device. If access is granted to a legitimate user from an unapproved network or device, the SIM could issue an alert or possibly trigger an automatic shutdown of the session through communication with network management systems. Though these usage scenarios require more integration and customization work, the pay-offs could be significant depending on your business
Better integration with operational consoles is one feature of the SIM evolution. The days of a separate SOC and NOC may be numbered for many companies that simply can't afford the costs. But the importance of the security information doesn't disappear. And, for some entities, not having some sort of separate audit channel and monitoring solution in place is not an option. To make this work in the enterprise, operation teams are consuming the information from the SIM console into the large meta-consoles like Hewlett-Packard's OpenView, IBM's Tivoli, and CA's NSM (formerly Unicenter). The security team still maintains administrative control of the SIM, but the operations team can use the information as well. For example, if a slowdown is detected in an area of the network, the operations team may discover that the root cause is a security event such as a DoS attack or a bandwidth-intensive worm.
Menezes says the architecture of the SIM solution can be a contributing factor to whether or not the SIM can be more widely deployed throughout the infrastructure. In his experience, agent-based solutions created "all sorts of political issues with whether the tool could be installed." Also, he found that the administrator uninstalled the agent if anything unexpected happened on the device. Agent-based solutions, on the other hand, may be preferred by companies that want a separate monitor agent on a server.
To make a SIM more valuable to the business, Cardona advises answering some questions up front: What is your core requirement? What is the main objective that you want to accomplish? What reports will you generate and give to the CIO and other stakeholders? And how can you make this information valuable to them? Armed with the knowledge of what information will be of value to the stakeholders, security administrators can customize the standard reports that come with a SIM for their own business needs.
Out of the box, a SIM delivers meaningful solutions that satisfy auditors, says Roedell at TruMark says. But to get business value from a SIM, he adds, "You have to spend time to tailor it to your business and your network. Risk mitigation strategies are only effective when they're implemented and managed by IT professionals that understand your business." In SIM parlance, that can mean identifying when a password policy has gone bad, finding the root cause of a CPU usage spike, or even justifying additional hardware resources because a critical server is overloaded.
Long-term, SIM alerts can be quantified into metrics-based assessments. Again, this is a fairly advanced use of the tools, but it is one that some end-users are exploring and a few are already adopting. At TruMark, using a SIM means "residual risk scores will be reduced," Roedell says To make that matter to the business he says , security experts will "have to do a better job showing what they're going to do and how these tools are going to reduce risk in a dollars and cents way." For another organization, repetitive alert suppression rules reduced redundancy so what was effectively a full-time job for three people was reduced to a part-time job for one.
For many, SIM is the Holy Grail for log aggregation compliance, but many are looking beyond compliance to business improvement. SIM can be "used as a foundation for making the organization more compliant while being leveraged in the long run for continuous improvement," Menezes says. Compliance is a starting point for SIM use but by reviewing the information captured by the SIM, companies can begin to make process improvements such as understanding which devices or areas of the network are more prone to malware attacks and then shoring up controls or fine-tuning a password policy to reduce help-desk calls, he says. Cardona echoes this view: "Start with compliance but tune the SIM in the long run to make it a tool for business enablement."
It's been an interesting decade for SIM. SIM has evolved from the confusion of the early days, through the toe-hold of log aggregation for compliance, to its current emerging usage as a risk and business tool. If you're using SIM for basic log aggregation and you're happy with it, that's great. If you think it can do more, you're right. Some of your peers are expanding usage for increased business intelligence and better risk awareness.
This was first published in June 2009