Wanted: Single-console application to gather and make sense of security alerts from firewalls, intrusion-detection systems and other security devices across the enterprise. Must work across multiple networks, operating systems and applications and be able to tell which security threats pose the greatest risk to the business. Successful applicant must find and fix security problems before they cause serious damage, with minimum help from humans. Must grow over time to meet increasing workload and be backed by vendor with deep pockets to weather upcoming industry consolidation.
That tough job description pretty much sums up the emerging class of products called security event management. These applications collect data from various security systems such as firewalls, intrusion-detection systems and Web server logs, translate that data into a common format and then correlate, analyze and present the information coherently so that security managers can quickly respond to threats.
"The Holy Grail for all this is identifying an attack, ensuring that it is legitimate and catching it before any significant damage is done," says Hurwitz Group Inc. Senior Security Analyst Pete Lindstrom. "That is a tall order, and no one to date has been able to do it," he says. As vendors "leapfrog" each other with announcements of new features and functions, says Lindstrom, "a lot of the differentiation winds up being in the user interface -- how easy it is to use."
One feature that customers need, but that vendors are only beginning to provide, is the ability to gather and analyze data from applications and operating systems as well as from networks, says Michael Rasmussen, director of security research at Giga Information Group Inc. Many vendors claim to offer this capability, he says, but fall down in execution. "Windows alone can have over a thousand different types of auditing events," he says, which a network-oriented event management tool might have trouble understanding.
Most current products can aggregate, or gather, event information and correlate it based on the source and destination of the suspected attack, says Lindstrom. Ideally, such tools could also evaluate the severity of a threat, taking into account how vulnerable the target system is to that specific attack. For example, such a tool would give a low priority to an attack known to target Microsoft's Internet Information Server if that attack was being run against an Apache Web server. Some vendors already allow security managers to identify IT assets so security managers can determine which threats are most dangerous to the business and respond accordingly.
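The aggregate-correlate-prioritize pipeline described above, as an added illustration (not code from any product named in the article): constructed firewall and IDS log lines in two native formats are translated into one schema, grouped by source and destination, and scored against a constructed asset inventory so that an IIS-specific attack aimed at an Apache server is ranked low while the same attack aimed at an IIS server is ranked high. The log formats, asset table and scoring rules are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real vendor output): a firewall line and two
# IDS alerts in different native formats, as a collector would receive them.
RAW_EVENTS = [
    ("firewall", "2002-08-01T10:00:01 DENY src=203.0.113.9 dst=192.0.2.10 dport=80"),
    ("ids", "2002-08-01T10:00:02 ALERT sig=IIS-unicode-traversal src=203.0.113.9 dst=192.0.2.10"),
    ("ids", "2002-08-01T10:00:03 ALERT sig=IIS-unicode-traversal src=203.0.113.9 dst=192.0.2.20"),
]

# Constructed asset inventory: what each server runs and how critical it is (1-5).
ASSETS = {
    "192.0.2.10": {"web_server": "apache", "criticality": 2},
    "192.0.2.20": {"web_server": "iis", "criticality": 5},
}

# Assumed mapping from IDS signature name to the software it actually affects.
SIGNATURE_TARGETS = {"IIS-unicode-traversal": "iis"}

KV = re.compile(r"(\w+)=(\S+)")

def normalize(source, line):
    """Translate a native log line into the common event schema."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    return {"ts": ts, "source": source, "kind": kind,
            "src": fields.get("src"), "dst": fields.get("dst"),
            "sig": fields.get("sig")}

def prioritize(event):
    """Score 0-10: high only if the attack applies to the targeted asset."""
    if event["kind"] != "ALERT":
        return 0                      # plain firewall denies are noise here
    asset = ASSETS.get(event["dst"])
    if asset is None:
        return 5                      # unknown asset: cannot judge exposure
    if SIGNATURE_TARGETS.get(event["sig"]) != asset["web_server"]:
        return 1                      # e.g. IIS attack against Apache: low
    return 2 * asset["criticality"]   # applicable attack: scale by asset value

def correlate(raw_events):
    """Group normalized events by (src, dst) and keep the highest priority."""
    groups = defaultdict(list)
    for source, line in raw_events:
        ev = normalize(source, line)
        groups[(ev["src"], ev["dst"])].append(ev)
    return {pair: max(prioritize(e) for e in evs) for pair, evs in groups.items()}

if __name__ == "__main__":
    for pair, score in sorted(correlate(RAW_EVENTS).items(), key=lambda kv: -kv[1]):
        print(pair, score)
```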
Among the leading tools are:
ArcSight 1.0 from ArcSight (a subsidiary of Palo Alto, Calif.-based SVIC), which allows for the identification of servers or other assets to prioritize attacks based on their risk to the business, says Lindstrom.
GuardedNet, Inc.'s NeuSECURE has "some forensics tool kits that allow you to do more research on different types of events," says Lindstrom. NeuSECURE can also analyze the reliability of alerts coming from, for example, an intrusion-detection system, which reduces the time wasted on false positives, says Rasmussen, and provides the ability to assess security risks based on their possible impact on the business.
Consul/eAudit 4.0 from CONSUL is "one of the few tools" that can gather and analyze information from operating systems and applications as well as from networks, says Rasmussen.
Netforensics' namesake product is based on a distributed architecture that the vendor claims makes it easy to scale to environments of different sizes and to distribute processing power efficiently for maximum throughput. It's among the market leaders in tools focused only on security event management, says Lindstrom.
e-Security, Inc.'s Open e-Security Platform, as well as GuardedNet's neuSECURE and ArcSight 1.0, boast workflow capabilities such as the ability to trigger an incident response process and even a trouble ticket in response to threats, says Rasmussen.
The Network Security Manager from Intellitactics Inc. includes an asset classification system that allows managers to prioritize assets (such as devices or networks) based on their importance to the business, as well as a graphical mapping system to help identify patterns of attacks.
IBM's Tivoli Systems unit is a "big player" in the field with its IBM Tivoli Risk Manager, says Rasmussen, but is used mostly by customers who are already running Tivoli's other system management software.
Other emerging players include PentaSafe Security Technologies, Inc. with its VigilEnt Enterprise Security Applications, Symantec Corp., BMC Software Inc. and Computer Associates International Inc.
In choosing a tool, says Rasmussen, remember that the financial viability of the vendor is just as important as the technical specs. With a new vendor entering the space almost every week, he warns, "There's going to be some major consolidation."

About the author
Robert L. Scheier writes frequently about security from Boylston, Ma. He can be reached at firstname.lastname@example.org.
This was first published in August 2002