Since then, SIM vendors have been hard at work tuning and improving their products and the picture is becoming clearer. Some of the directions are inevitable and obvious: better storage techniques for more information, faster CPUs to cope with higher loads, and tweaks to reporting and archiving to deal with specific compliance requirements. Other innovations and developments show a maturity of the marketplace and products responding...
to the needs of security managers.
We identified six new directions in SIM technology, ranging from a greater emphasis on visualization tools to stronger active response techniques. This broadening of SIM capabilities will help to differentiate a fairly crowded market and bring greater capabilities to security managers sorely in need of a sharper view of their overall security posture.
|What's a SIM?|
The technology goes by a lot of names, but has six basic functions.
Call it what you will: Security Information Management, Security Event Management, or some combination of letters, the difference between SIM, SEM, SEIM and ESM is marketing. Security Information Managers (SIMs) accept security and networking information from multiple sources within the enterprise and analyze it to provide a higher level of understanding.
While products differ in their capabilities, packaging and target users, all SIMs share a common base of six functions. First, SIMs must gather information from devices and systems, typically IDS and IPS events, firewall logs, flow data from routers, results from vulnerability analyzers, Web server logs, and often also Windows log information. The abundance of data from security devices is what gives SIMs the "S" in their acronym, but many SIMs have capabilities that are just as useful to network, server and desktop management teams.
Second, SIMs normalize and store the information they get. Normalizing is the conversion of vendor-specific log formats into a common representation so that key fields, such as IP addresses or times, can be compared. Most SIMs also have a log storage component, acting as a data repository for 30 days to 30 years worth of log files.
Third, SIMs correlate, summarize and analyze log data. This is the strongest area of differentiation between SIMs, as products use a wide variety of techniques to try to take an overwhelming amount of information and boil it down into useful information for the security and network manager.
Fourth, SIMs have a variety of alerting and active response techniques. Again, products differentiate themselves strongly in this function, but the idea in all SIMs is to send alerts on important time-critical information, or in some cases even take some sort of remediation step automatically.
The fifth and sixth functions common to all SIMs are reporting and forensics. Reporting is more of a long-term look at information, such as levels of alerts, traffic statistics, or summaries of different logging information. Forensics is an active tool that a security manager can use to navigate stored log files and research security or network issues.
Better Support for Mid-Market
In our 2004 test, SIMs were squarely focused on the enterprise. Top-rated products typically came with $100,000 or larger price tags and required weeks of consulting to gain full integration. Now the SIM market has products at every price point and designed for almost every size business.
At the low end of the cost scale--free--is Open Source Security Information Management (OSSIM), an amalgamation of open source tools and OSSIM-specific pieces for normalization and consolidation. Delivered as individual components or as a VMware image with everything pre-installed, OSSIM sets a high bar with its capabilities and makes SIM affordable for any business willing to commit the time to installation and customization.
On the commercial front, vendors have pushed hard into the market with other mid-range products. However, creating products for the mid-market isn't just a matter of lower pricing; the needs and requirements of mid-sized businesses differ considerably from those of large enterprises. High Tower Software, eIQnetworks and TriGeo Network Security, for example, specifically size their products for a mid-sized enterprise where the full-time IT staff may be a handful of people--or even a single person in some cases--taking care of everything from firewalls to desktops.
High-end vendors have also been eager to move into a broader swath of the market. For instance, ArcSight, long considered the most enterprise-focused SIM vendor, released products designed to meet the more modest needs of smaller businesses.
A related offering to SIMs, log management, has also seen growth in the past few years. While log management may apply to all levels of enterprises, simple log management tools can provide a great deal of SIM functionality in the mid-range market (See A Fine Line).
|A Fine Line|
It isn't always easy to tell the difference between log managers and SIMs.
Depending on the data your network is generating and what you want to do with it, a full-blown SIM may be overkill. Closely related to SIMs are log managers. In fact, they're so closely related that many SIM vendors sell a slightly stripped-down version of their SIM as a log management tool, pulling out correlation and summarization features and beefing up storage.
Log management products include freeware tools such as Unix's SYSLOG daemon, low-cost SYSLOG-focused products such as Kiwi Enterprises' Syslog Daemon, and more advanced tools like software from Splunk and appliances from LogLogic.
Distinguishing SIMs from log managers is difficult, and will become more difficult, since log managers fulfill many functions of SIMs and vice versa. Log management vendors are already starting to step on the toes of SIM vendors as they add capabilities to their product lines. In some cases, SIMs require a separate log management system because they don't store more than a few weeks worth of data.
Fundamentally, log managers emphasize long-term storage and searching of log data, while SIMs focus more on correlating log data and providing summary information. However, a product design goal may dictate a particular set of features and certainly is making the line between log management and SIM very fuzzy.
Broader Sources of Information
SIMs traditionally started with IDS alerts as their main drivers of information, mostly because network managers saw room for improvement in their IDS management consoles. Every SIM still is expected to deal with IDS information--and some do little more than that, adhering very strictly to the idea of the IDS as the main driver of security information. We found, though, that a number of SIMs are reaching far beyond IDSes to other sources of security information within the enterprise.
Two factors are driving this trend. Compliance pressure is one. For example, regulations such as Sarbanes-Oxley requires that security events be captured and audited according to strict process controls, while HIPAA requires that suspicious behaviors and security breaches be identified and researched. Bringing in a SIM as a compliance toolkit can ease the burden of complying with these requirements, but you get much more bang for your buck if you can throw many different types of log information into the SIM. SenSage, for instance, has focused on adding in not just IDS and firewall logs, but logs from ERP applications, database servers, and popular vertical market tools such as Cerner's Health Care IT applications. ArcSight has followed the same path, with a toolkit and market awareness campaign designed around insider threats that a SIM can help catch.
The second source of pressure comes from the Windows world, where an increasing integration of network, security and Windows responsibilities has made a SIM an obvious place to bring together all three types of log and alerting information. NetIQ Security Manager, for instance, can not only capture information from Windows systems but also take direct remediation actions, such as stopping an unauthorized application. NetIQ has had Windows strength for years, but eIQnetworks and TriGeo also trumpet their Windows-specific capabilities and functionality.
More Precise Active Threat Response
Active threat response is a dangerous way to deal with security alert information. When active response is in play, the SIM actively modifies the behavior of the network in response to some identified security threat. The experience of managers who have been burned by this technology has led many to shy away from the idea of a robot wandering about their network, shutting off switch ports and adding rules to firewalls. But this hasn't kept vendors from developing active response toolkits.
One of the early entrants in the advanced toolkit space was Cisco with its Security Monitoring, Analy-sis and Response System (MARS) appliance. Rather than assume that all networks have a single firewall at the edge where all active responses go, MARS learns network topology and uses that information to focus any remediation as close to the source of the problem as possible.
Cisco had been the only vendor offering active response capabilities, with MARS, but now other vendors also provide the technology with their SIMs. ArcSight released Threat Response Manager, based on technology it acquired from ENIRA Technologies in 2006. The idea behind Threat Response Manager is that network configuration information, gathered from existing devices, is the most effective source of knowledge about network topology. Using configuration information and its own expert system, Threat Response Manager is designed to determine the most effective and least disruptive way to remediate a threat. However, threat remediation can cause a self-inflicted denial of service (DoS)--a problem ArcSight is quick to acknowledge. Executives at the company said one of the key goals for Threat Response Manager is giving security and network management staff the tools to follow written procedures--in effect, to respond to threats based on policy rather than by shooting from the hip.
Threat response isn't just a high-end feature; TriGeo has been touting its security policy compliance capabilities very heavily in a Windows-centric way. Not content to remediate threats using only network devices, TriGeo's remediation tools include a Windows agent that can start and stop processes, block different types of network connections, and enforce policies on USB peripherals.
Incorporating and Feeding External Data Sources
Although SIMs are focused on security events originating inside the enterprise, external databases such as reputation services increasingly are being added to SIM correlation and analysis engines.
SIMs have always had a strong dependence on some kinds of external data. In normalizing logs and correlating system vulnerabilities with IDS alerts, SIMs need fairly hefty externally created databases. Early innovators in this space such as Tenable Net-work Security have focused on bringing together a wide world of IDS vendors and an equally wide array of vulnerability analysis tools.
Finding an IDS-and-vulnerability correlation tool is no longer unusual in the SIM marketplace--although it was in 2004. However, this kind of external data feed is just a starting point for how SIM vendors are looking to make their own correlation engines and threat prediction technology smarter.
Symantec took a step forward by leveraging its massive IP reputation service and malicious URL databases into its own Security Information Manager appliance. In an area where vendors such as Cisco and Secure Computing (through their respective IronPort Systems and CipherTrust acquisitions) have strong reputation services--but no strong presence in the SIM marketplace--Symantec is in a perfect position to bring together both a strong SIM product and massively valuable information about where the bad guys are and where malware is being stored.
While external reputation services won't help in areas such as insider threat mitigation, they help to round out the capabilities of SIMs and can bring zero-day threat protection by correlating known problem locations on the Internet with internal activity changes.
SIMs are also being offered as an automated data feed to other network security devices. For example, Q1 Labs' QRadar (a combination SIM and network anomaly detection tool) has been integrated into the Trusted Computing Group's Trusted Network Connect (TCG/TNC) Network Access Control (NAC) framework. This means that security misbehavior detected by QRadar can be polled by the NAC policy engine and used when deciding to allow or deny access to the network. As NAC pushes further into enterprises, SIMs can be an ideal check-and-balance for NAC policy to identify devices that have become malware-infected or users who are engaging in non-compliant behavior. In fact, TCG/TNC's not-so-secret IF-MAP protocol, aimed for release later this year, will help standardize the relationship between NAC and tools such as SIMs and IDSes.
Stronger Rule Technology
The heart of most SIMs is a set of business rules that help tune the correlation engine and identify what log data, events and security problems are worthy of alerts or active responses. In our 2004 testing, we found that most products had a small set of rules that were inadequate starting points.
In that test, SIM vendor OpenService stood apart with a rule-free approach to correlation, and hasn't changed its approach. No one else has entered that lonely niche. The opposite seems to be true; SIM vendors, particularly those supplying mid-range appliances, have responded with much stronger business rules out-of-the-box aimed at speeding deployment and sharing the considerable expertise they've gained in what works in a SIM.
For example, High Tower ships its SEM appliance with a set of 65 "mega-rules" that catch everything from unauthorized MySpace.com visits to successful brute-force logins.
Vendors also are enhancing their tools for building rules. TriGeo, which ships its SIM with more than 500 starting point rules, has an elegant rule definition tool that actively encourages the security manager to creatively add protections and alerts within the SIM, rather than making definition of rules an onerous task. Although TriGeo outwardly aims at networks of 100 to 150 devices, the business rule features in its SIM are so well designed that they put to shame this aspect of many other SIMs.
Innovative Analytics Tools
As multifunction systems, SIMs can help compliance officers, network managers and security analysts. However, while their traditional Web-based tools work well in the world of reporting, they may be limiting for a security analyst who wants to navigate and understand what the SIM has to say.
Particularly in areas where a SIM is tasked as an "IDS superconsole," additional visual analytics tools can be very helpful. This was evident in 2004 when testing High Tower's visualization tool. But visualizing security information is a difficult job to do well; High Tower put aside its visualization technology and chose instead to focus on correlation and analytics tools.
Sourcefire's Defense Center, a mini-SIM limited to intrusion detection and network discovery based on Sourcefire's own products, comes with a visualization tool that shows promise. Further along is NitroSecurity's advanced SIM console for security event visualization and analytics. Although Nitro-Security's console has limited usefulness when looking at non-IDS data, it's an outstanding example of what can be done with advanced GUI toolkits. NitroSecurity uses Flash for its snazzy visualizations, which allow the security analyst to easily navigate through streams of IDS alerts, summarize events and drill down into items of interest.
Security information has become critical to safe and reliable networking, so security managers can no longer afford piecemeal solutions to analyzing and integrating the fire hose of information. As the world of SIMs fills out to low-end and mid-range products, we are seeing significant innovation and welcome enhancements at all levels.
Far from the expensive and clumsy tools of the past, SIMs now deserve a place in every enterprise network.
Dig deeper on Security Event Management