This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
Incorporating and Feeding External Data Sources
Although SIMs are focused on security events originating inside the enterprise, external databases such as reputation services increasingly are being added to SIM correlation and analysis engines.
SIMs have always had a strong dependence on some kinds of external data. In normalizing logs and correlating system vulnerabilities with IDS alerts, SIMs need fairly hefty externally created databases. Early innovators in this space such as Tenable Network Security have focused on bringing together a wide world of IDS vendors and an equally wide array of vulnerability analysis tools.
Finding an IDS-and-vulnerability correlation tool is no longer unusual in the SIM marketplace--although it was in 2004. However, this kind of external data feed is just a starting point for how SIM vendors are looking to make their own correlation engines and threat prediction technology smarter.
Symantec took a step forward by feeding its massive IP reputation service and malicious URL databases into its own Security Information Manager appliance. In an area where vendors such as Cisco and Secure Computing (through their respective IronPort Systems and CipherTrust acquisitions) have strong reputation services--but no strong presence in the SIM marketplace--Symantec is in a perfect position to bring together both a strong SIM product and massively valuable information about where the bad guys are and where malware
While external reputation services won't help in areas such as insider threat mitigation, they help to round out the capabilities of SIMs and can catch infections that have no signature yet: an internal host that suddenly begins talking to an address or domain on a known-bad list is suspicious regardless of what the malware itself looks like. The value of this correlation depends on the feed being current and accurate, so stale or over-broad entries translate directly into false positives.
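As an added illustration of the correlation described above (example code written for this page, not part of the original article or any vendor's product), the script below takes a constructed reputation feed of bad IPs, networks and domains, walks constructed outbound-connection log lines, and reports each internal host's first contact with known-bad infrastructure along with the number of repeat hits. The feed entries, log format and host names are all made up for the example.

```python
"""Correlate internal outbound-connection logs with an external reputation
feed. An alert is raised the first time an internal host contacts a listed
IP, network or domain; repeat contacts are counted, not re-alerted.
All feed entries and log lines here are constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed reputation feed: indicator -> category. A real feed is far larger
# and must be refreshed regularly; stale entries produce false positives.
REPUTATION_FEED = {
    "203.0.113.7": "botnet-c2",
    "198.51.100.0/24": "malware-hosting",
    "evil.example": "phishing",
}

# Constructed proxy/firewall log lines (key=value fields after the timestamp).
LOG_LINES = [
    "2007-06-01T08:00:01 src=10.1.1.5 dst=192.0.2.10 host=intranet.example",
    "2007-06-01T08:05:12 src=10.1.1.5 dst=203.0.113.7 host=-",
    "2007-06-01T08:06:00 src=10.1.1.9 dst=198.51.100.42 host=cdn.example",
    "2007-06-01T09:00:00 src=10.1.1.5 dst=203.0.113.7 host=-",
    "2007-06-01T09:30:00 src=10.1.1.12 dst=192.0.2.20 host=evil.example",
]


def load_feed(feed):
    """Split the feed into exact IPs, CIDR networks and domain names."""
    ips, nets, domains = {}, [], {}
    for indicator, category in feed.items():
        try:
            if "/" in indicator:
                nets.append((ipaddress.ip_network(indicator), category))
            else:
                ips[str(ipaddress.ip_address(indicator))] = category
        except ValueError:
            domains[indicator.lower()] = category   # not an IP: treat as a domain
    return ips, nets, domains


def lookup(ips, nets, domains, dst_ip, dst_host):
    """Return (category, matched_indicator) or (None, None)."""
    if dst_ip in ips:
        return ips[dst_ip], dst_ip
    addr = ipaddress.ip_address(dst_ip)
    for net, category in nets:
        if addr in net:
            return category, str(net)
    # Match the host itself and any parent domain (sub.evil.example -> evil.example).
    parts = dst_host.lower().split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return domains[candidate], candidate
    return None, None


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst_ip, dst_host)."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), fields["src"], fields["dst"], fields["host"]


def correlate(log_lines, feed):
    """Return one alert per (internal host, indicator), ordered by first contact."""
    ips, nets, domains = load_feed(feed)
    first_seen = {}            # (src, indicator) -> (timestamp, category)
    hits = defaultdict(int)    # (src, indicator) -> number of contacts
    for line in log_lines:
        ts, src, dst_ip, dst_host = parse_line(line)
        category, indicator = lookup(ips, nets, domains, dst_ip, dst_host)
        if category is None:
            continue
        key = (src, indicator)
        hits[key] += 1
        first_seen.setdefault(key, (ts, category))   # keep the earliest contact
    return [
        {"src": src, "indicator": indicator, "category": category,
         "first_seen": ts.isoformat(), "hits": hits[(src, indicator)]}
        for (src, indicator), (ts, category)
        in sorted(first_seen.items(), key=lambda item: item[1][0])
    ]


if __name__ == "__main__":
    for alert in correlate(LOG_LINES, REPUTATION_FEED):
        print(alert)
```

The "first contact" key is what turns a static blocklist into an activity-change signal: a host that has quietly talked to a listed address for months is a different investigation from one that started five minutes ago, and the hit count helps separate a single drive-by from beaconing.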
SIMs are also being offered as an automated data feed to other network security devices. For example, Q1 Labs' QRadar (a combination SIM and network anomaly detection tool) has been integrated into the Trusted Computing Group's Trusted Network Connect (TCG/TNC) Network Access Control (NAC) framework. This means that security misbehavior detected by QRadar can be polled by the NAC policy engine and used when deciding to allow or deny access to the network. As NAC pushes further into enterprises, SIMs can be an ideal check-and-balance for NAC policy to identify devices that have become malware-infected or users who are engaging in non-compliant behavior. In fact, TCG/TNC's not-so-secret IF-MAP protocol, aimed for release later this year, will help standardize the relationship between NAC and tools such as SIMs and IDSes.
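To make the SIM-to-NAC relationship concrete, here is an added toy model (example code written for this page, not QRadar's integration or the TNC specification): a SIM publishes findings about an endpoint into a shared metadata store keyed by the endpoint's address, and the NAC decision point searches that store, together with the endpoint's posture result, before deciding allow, quarantine or deny. The store's publish/search/delete interface, the severity levels and the 24-hour staleness window are all assumptions made for the illustration; real IF-MAP defines its own metadata schema and operations.

```python
"""Toy model of a SIM feeding a NAC policy engine through a shared
metadata store. Simplified stand-in for IF-MAP style publish/search
(assumed interface, not the TNC specification). Findings older than
max_age are ignored so a one-off alert cannot lock a user out forever,
and the SIM can withdraw a finding once the host is remediated."""
from datetime import datetime, timedelta


class MetadataStore:
    """identifier -> list of records, each tagged with its publisher and time."""

    def __init__(self):
        self._data = {}

    def publish(self, identifier, publisher, record, when):
        self._data.setdefault(identifier, []).append(
            {"publisher": publisher, "time": when, **record})

    def delete(self, identifier, publisher):
        """Withdraw everything a given publisher said about an identifier."""
        self._data[identifier] = [r for r in self._data.get(identifier, [])
                                  if r["publisher"] != publisher]

    def search(self, identifier):
        return list(self._data.get(identifier, []))


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}   # assumed scale


def decide_access(store, device_ip, posture_ok, now, max_age=timedelta(hours=24)):
    """Return (decision, reason). Posture failure wins; otherwise the worst
    current SIM finding decides: high -> deny, medium -> quarantine."""
    if not posture_ok:
        return "quarantine", "endpoint failed posture check"
    worst, reason = 0, None
    for rec in store.search(device_ip):
        if rec.get("type") != "sim-finding":
            continue
        if now - rec["time"] > max_age:
            continue                       # stale finding: do not act on it
        rank = SEVERITY_RANK.get(rec.get("severity"), 0)
        if rank > worst:
            worst, reason = rank, rec.get("summary")
    if worst >= SEVERITY_RANK["high"]:
        return "deny", reason
    if worst >= SEVERITY_RANK["medium"]:
        return "quarantine", reason
    return "allow", "no current findings"


def demo():
    """Walk through the cases a NAC operator cares about (constructed data)."""
    store = MetadataStore()
    t0 = datetime(2007, 6, 1, 9, 0)
    # SIM publishes a fresh high-severity finding about one host ...
    store.publish("10.1.1.5", "sim", {"type": "sim-finding", "severity": "high",
                  "summary": "repeated contact with botnet-c2 address"}, t0)
    # ... and a medium finding about another host that is three days old.
    store.publish("10.1.1.9", "sim", {"type": "sim-finding", "severity": "medium",
                  "summary": "port scan of internal subnet"}, t0 - timedelta(days=3))
    results = {
        "infected": decide_access(store, "10.1.1.5", True, t0 + timedelta(minutes=5)),
        "stale": decide_access(store, "10.1.1.9", True, t0),
        "bad_posture": decide_access(store, "10.1.1.20", False, t0),
        "clean": decide_access(store, "10.1.1.20", True, t0),
    }
    store.delete("10.1.1.5", "sim")        # SIM withdraws finding after remediation
    results["remediated"] = decide_access(store, "10.1.1.5", True, t0 + timedelta(hours=1))
    return results


if __name__ == "__main__":
    for case, (decision, reason) in demo().items():
        print(f"{case:12s} {decision:10s} {reason}")
```

The two details worth copying into a real deployment are the expiry window and the explicit withdrawal: without them, the SIM's check on NAC becomes a one-way ratchet in which every false positive is a permanent denial of service.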
This was first published in June 2007