A new awareness for SIMs

Experts say the use of security information and event management systems can not only give organizations overall visibility into their network security and improve their incident response, but also meet compliance demands.

Organizations overwhelmed by a deluge of security data generated by their networks--and feeling the pressure of regulatory requirements--have turned to security information management (SIM) for relief.

SIM, also referred to as security event management (SEM) or a combination of the two (SIEM), automates the process of monitoring logs from firewalls, IDSes and other devices. SIM systems aggregate, correlate, analyze and store data to give organizations overall visibility into their network security and improve their incident response.

At the same time, SIMs can help satisfy auditors. Regulatory pressures--from Sarbanes-Oxley and HIPAA to individual industry requirements--make log management and visibility into user access of systems and applications critical.

In fact, compliance is making "identity awareness" an important feature for SIM technology, said Trent Henry, an analyst at the Burton Group.

"Past SIEM solutions were quite focused on perimeter infrastructure such as firewalls and IDSes, but with identity management a key component of internal controls, SIEM products are now looking more carefully at identity transactions," Henry said. "This can help organizations keep an eye on critical compliance-related controls, including SOX's requirement for appropriate segregation of duties."
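The two capabilities the article has described so far, aggregating and correlating logs from perimeter devices and watching identity transactions for segregation-of-duties problems, can be illustrated with a small SIM-style pipeline. The following is an added example written for this page; it is not code from any vendor or organization named in the article. The three log formats, the hosts, IP addresses, user names, signature IDs and vendor records are all constructed sample data, and the two correlation rules (an IDS alert plus repeated firewall denies from one source within a time window; one user both creating a vendor and approving its payment) are illustrative rules, not a standard rule set.

```python
"""Minimal SIM-style pipeline: collect logs from several sources, normalize
them into one event schema, correlate across sources, and report.
Added example, not the product of any vendor named in the article.
Every log line below is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs in three formats: firewall, IDS, and an
# application audit log that records identity (who did what).
FIREWALL_LOG = """\
2007-02-06T09:14:02 fw01 DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2007-02-06T09:14:05 fw01 DENY src=203.0.113.7 dst=192.0.2.11 dport=445
2007-02-06T09:14:09 fw01 DENY src=203.0.113.7 dst=192.0.2.12 dport=445
2007-02-06T09:20:00 fw01 ALLOW src=198.51.100.4 dst=192.0.2.20 dport=443
"""
IDS_LOG = """\
2007-02-06T09:14:07 ids01 ALERT sid=2003 msg="SMB worm propagation attempt" src=203.0.113.7 dst=192.0.2.11
2007-02-06T09:30:00 ids01 ALERT sid=1000 msg="Port scan" src=198.51.100.9 dst=192.0.2.30
"""
APP_AUDIT_LOG = """\
2007-02-06T10:01:10 erp01 user=mallory action=create_vendor vendor=V-1042
2007-02-06T10:03:44 erp01 user=mallory action=approve_payment vendor=V-1042 amount=48000
2007-02-06T10:05:01 erp01 user=alice action=create_vendor vendor=V-1043
2007-02-06T10:07:30 erp01 user=bob action=approve_payment vendor=V-1043 amount=900
"""

# key=value pairs; values may be quoted strings containing spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(source, line):
    """Normalize one raw log line into a dict with a common schema."""
    ts_str, host, rest = line.split(" ", 2)
    ev = {"ts": datetime.fromisoformat(ts_str), "host": host, "source": source}
    first = rest.split(" ", 1)[0]
    ev["verb"] = first if "=" not in first else ""   # DENY / ALLOW / ALERT
    for k, v in KV.findall(rest):
        ev[k] = v.strip('"')
    return ev


def collect(logs):
    """Aggregate events from all sources into one time-ordered list."""
    events = []
    for source, text in logs.items():
        for line in text.splitlines():
            if line.strip():
                events.append(parse_line(source, line))
    return sorted(events, key=lambda e: e["ts"])


def correlate_network(events, window=timedelta(minutes=5), min_denies=3):
    """Rule 1: an IDS alert for a source IP that the firewall also denied
    at least `min_denies` times within `window` becomes one incident."""
    denies = defaultdict(list)
    for e in events:
        if e["source"] == "firewall" and e["verb"] == "DENY":
            denies[e["src"]].append(e["ts"])
    incidents = []
    for e in events:
        if e["source"] == "ids" and e["verb"] == "ALERT":
            near = [t for t in denies.get(e["src"], []) if abs(t - e["ts"]) <= window]
            if len(near) >= min_denies:
                incidents.append({"src": e["src"], "msg": e["msg"], "denies": len(near)})
    return incidents


def correlate_identity(events, conflicting=("create_vendor", "approve_payment")):
    """Rule 2: segregation-of-duties check. One user who performs both
    conflicting actions on the same vendor record is flagged."""
    seen = defaultdict(set)  # (user, vendor) -> set of actions performed
    for e in events:
        if e["source"] == "app" and e.get("action") in conflicting:
            seen[(e["user"], e["vendor"])].add(e["action"])
    return sorted((u, v) for (u, v), acts in seen.items() if acts >= set(conflicting))


def run(logs):
    """Full pipeline: aggregate, correlate, and return the findings."""
    events = collect(logs)
    return {"events": len(events),
            "network_incidents": correlate_network(events),
            "sod_violations": correlate_identity(events)}


if __name__ == "__main__":
    print(run({"firewall": FIREWALL_LOG, "ids": IDS_LOG, "app": APP_AUDIT_LOG}))
```

The point of the normalization step is that the two rules never look at the raw formats: once a firewall deny, an IDS alert and an ERP audit record share one schema, a rule can join them on a shared field (`src` for the network rule, `user` and `vendor` for the identity rule). That join is what turns ten scattered log lines into one network incident and one segregation-of-duties finding that a reviewer can act on, and it is also where the customization effort Henry mentions later in the article goes: the rules and the field mappings are specific to each organization's devices and applications.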

A SIM appliance from Network Intelligence, which was acquired by EMC last September, helps the Independent Electricity System Operator (IESO) in Ontario, Canada, comply with industry security auditing requirements, said Dave Lewis, who heads security at the IESO. The technology demonstrates that IESO staffers are in fact reviewing the security logs.

"This gives us an audit trail," Lewis said. "We can see that they did review their logs and they're taking action on X, Y and Z."

For the Idaho State Tax Commission, SIM helps the commission comply with Internal Revenue Service requirements and get a better handle on security events. The commission deployed a SIM appliance from High Tower Software that collects and correlates data from its vulnerability assessment, IDS and other systems, and boils that information down to "actionable items," said Glenn Haar, IT resource manager at the commission.

"Our goal was to get people to the point where they're not mechanics trying to keep the thing running but move them to where they're focusing on dealing with the security issues that are actually coming up," he said.

Likewise, a SIM system has streamlined network security monitoring at PPD, a global contract research firm serving pharmaceutical and other organizations. Before installing the Q1 Labs product, tracking virus outbreaks required reviewing individual firewall and other security logs. Now, the company has a central repository that makes it easier to track and analyze an outbreak, said Dave Daniels, PPD network security engineer.

At Hackley Hospital, a SIM system from TriGeo Network Security allowed network technicians to quickly track down the source of a virus that was preventing users from accessing the Internet.

"It puts a lot of things into one interface," said Andy Busard, information security analyst at the Michigan health-care provider. "It allows us to do things we weren't able to do before."

HIPAA compliance was the initial reason the hospital bought a SIM, Busard said. TriGeo is helping it show auditors that activities such as users logging in remotely are being tracked.

While SIM technology can help on a lot of fronts, it's not without its drawbacks. SIMs can be complex to manage.

"At the end of the day, all they do is report and store data and generate reports and analytics against that data," said Amrit Williams, a former Gartner analyst, now CTO at BigFix. "If you don't have a mechanism for responding to that data, then the cost associated with deploying these technologies can be high and offer limited value." Burton Group's Henry said the problem with a SIM system "becomes the amount of customization required to get the most out of the tool."

Jim Granger, technical director at the Navy Cyber Defense Operations Command, said SIM--like other technologies--requires an up-front investment in time and resources, but that the payoff is worth it.

"SIMs force you to understand what your business processes are and what your networks look like, but that in itself is a good thing," he said.

This article is part of SearchSecurity.com's special coverage of RSA Conference 2007.
