Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Using security information management systems for a posture assessment

For more visibility into your security posture and smoother compliance, picture what a security information management system can do for you.

For more visibility into your security posture and smoother compliance, picture what a security information management system can do for you.

More information from

Learn more about SIMs in our webcast with Lenny Zeltser.

Visit our resource center for SIM product reviews.

Feeling overwhelmed by all the security data your network generates? What infosecurity chief isn't? It's hard to get a good security posture assessment when you've got to pore through countless logs from disparate sources and then make sense of it all.

That's why security information management (SIM) systems -- also referred to as security event management (SEM) -- have become increasingly popular. In a nutshell, these systems automate the process of looking through logs. They normalize and store data, correlate it, help produce effective reports, issue alerts, and do forensics. Once you establish what's important and what you want to achieve, a security information management system can make it happen.

And in this age of regulation, organizations need this added visibility into network, systems and application activity. Compliance is one of the biggest drivers of the SIM market. "A lot of auditors are coming in and saying you need to be able to log and monitor this data over a long period of time," said Amrit Williams, an analyst at Gartner.

But SIMs aren't simple. "They require a lot of care and feeding," said Andrew Braunberg, analyst with Current Analysis. First, there's the process of defining your needs. Then, businesses must determine the type of technology that best suits their environment. The work doesn't end there. On top of initial costs of $250,000 to $500,000, companies spend $45,000 to $175,000 annually to support a SIM, Williams said.

But when SIM technology is running effectively, it can tighten security, satisfy auditors and executives, and prevent a lot of headaches. Turn the page to see some snapshots of SIMs in action.

[snapshot #1]
pooling logs

Global vacation exchange network, Interval International, grew by leaps and bounds at the turn of the 21st century, more than doubling its staff to 2,000 employees and expanding its ecommerce operation. The result was a massively complex network with machines running a hodgepodge of operating systems and multiple security devices.

Sasan Hamidi's words of wisdom:
Get support for heterogeneous environments

Focus on audit benefits to win funding

Involve others in IT in project research

With such a complicated network, the company needed an automated system for security event monitoring, said Sasan Hamidi, CISO at Miami-based Interval, whose specialty is time-share exchanges. With just two full-time infosecurity staffers and a handful of part-timers, manual monitoring wasn't feasible.

Also, since Interval no longer was a small, private company but now part of a large public company (IAC/Inter-ActiveCorp acquired it in September 2002), it needed to comply with regulations like Sarbanes-Oxley. That made automated log management essential for auditing purposes. Because it can be tough to sell security projects to upper management, Hamidi focused on the audit benefits of SIM technology to win funding. He calculated the money Interval spent hiring contractors to help prepare for internal auditors by sifting through logs and creating procedures and reports.

"We realized that even without any additional resources to manage a SIM environment, we would be far better off spending money for the SIM than without it," he said.

The company reviewed three vendors and chose netForensics for several reasons. The vendor's nFX Open Security Platform supported nearly every type of product in Interval's heterogeneous environment. Plus, netForensics was willing to work with Interval on developing agents for products it did not support.

While another vendor promised an agentless technology, Hamidi says he wasn't confident that was the right approach.

"My philosophy was it didn't really matter whether we used agents or not. Our biggest concern was getting a comprehensive deployment in terms of log management and security event management for all our devices," he said.

Those systems include Novell, Unix, Windows and Solaris servers, an AS/400, Cisco routers and host-based IDS, Juniper and Check Point firewalls, and Sourcefire network-based IDS.

SIM shopping list
Before buying a SIM, here are six questions you should consider:

How does the system collect and store data?

How are business rules expressed?

Does the SIM allow active response?

What are its forensic capabilities?

Can the SIM support your data retention requirements?

Does it generate useful reports?

--Joel Snyder

The SIM's reporting capabilities allow Hamidi's team to easily provide audit trails for the controls they've created. For example, they can pull weekly reports of who logged on to critical Solaris servers and review them for any discrepancies.

"Previously, it was pretty painful. We had to have someone go through...and check manually all the server logs or go to our log server and do a search by host name," Hamidi said.

The SIM has also allowed Interval to quickly detect a few infected PCs contractors brought into the network.

However, managing the technology can be a challenge, including sorting out false positives, Hamidi says. Techni-cians from the company's enterprise operations center help out a full-time staffer who stays on top of the alerts. Still, without the SIM it would take four or five times as many resources to accomplish the needed security management, he added.

Hamidi is pleased with the project but if he had to do it again, he would involve more of the IT group in the research phase. The security team had to rely on other IT staffers to implement the technology, folks who didn't fully understand how the SIM would help the business.

"I would bring these guys in and make them part of the research, have them participate more so I could do a better selling job on getting their buy-in," he said.

[snapshot #2]
second SIM gets it right

After preliminary Sarbanes-Oxley and SAS 70 audits toward the end of 2004, the security team at T. Rowe Price was under the gun. Internal findings showed that the investment-management firm could receive bad marks because it didn't have a system for managing security event logs.

David Maas' words of wisdom:
Weigh appliance versus software-based solution

Hire full-time engineer to maintain system

Consider storage requirements

With just 60 days to get a system in place, David Maas, senior network security engineer, and his staff quickly researched SIM products, and narrowed their list to four. There was no time to test each one, so they chose a vendor that promised an easy-to-use appliance. While it worked well enough to get over the audit hurdle, the appliance didn't live up to the hype, and was difficult to set up and manage.

Fed up after struggling for a year with the device, T. Rowe Price decided to start fresh with ArcSight. The company initially deployed the software-based solution so it collected logs from primary security devices such as Check Point firewalls and Blue Coat proxies, and gradually fed more systems into it, including Cisco routers, Windows boxes and Juniper firewalls.

"We're doing it in chunks," Maas said. "We're still learning. It is a system that's fairly demanding."

Baltimore-based T. Rowe Price added an engineer to its four-member network security team to work on the ArcSight system full time, running reports, tuning the agents, and resolving any issues that crop up.

Despite the learning curve, the SIM is helping on both the audit and security fronts. An administrator can run monthly, weekly or daily reports on nearly any data collected. One example: A report detailing how many user accounts were deleted in a week, something Maas said auditors want.

The reports provide auditors and high-level managers with a nice visual of what's happening in the environment, Maas said. "We never had that before."

By collecting security events from multiple devices into a central location, the SIM allows T. Rowe Price to correlate events and trigger alerts. It also helps the security team with forensics work, such as tracking down workstation infections.

"It allows us to do a lot of forensic analysis...all in one location versus having to visit the desktop, the server or the proxy logs manually," Maas said. "It definitely saves us a lot of time."

The system also makes firewall maintenance easier. Engineers can see what firewall rules are being used; if one hasn't been used in a long time, they can remove it. That improves firewall performance and also allows the company to prove it has audited its internal security devices, Maas said.

T. Rowe Price's ArcSight deployment consists of four boxes: one running ArcSight Manager, one running an Oracle database with a locally attached storage array, and two Windows-based servers where agents are deployed to pull event data from systems. There also are some agents that run directly on individual systems. For the Blue Coat devices, logs are collected via FTP.

Having a security engineer from ArcSight helped to make the deployment successful and saved time, but Maas quickly realized that a terabyte of storage wasn't enough. That required some project redesign.

Over time, T. Rowe Price plans to expand the SIM so it collects data from more devices, such as its IBM Tivoli Access Manager.

That expansion may mean adding more staff, Maas noted. However, he expects that once the company implements more correlation rules into the SIM to trigger alerts, staff will do even less log monitoring.

[snapshot #3]
alert and analyze

In charge of monitoring U.S. Navy computer networks, operators at the Navy Cyber Defense Operations Command (NCDOC) had their hands full, especially as more sensors were added to detect possible attacks. Additional networks and sensors produced a crush of data.

Jim Granger's words of wisdom:
Rely on interactive development process

Use data warehouse for long-term analysis

Deploy flexible architecture

"That was far outstripping the ability of people to handle it manually," says Jim Granger, NCDOC technical director.

The organization decided it needed a system to manage all that security event data, and settled on a software solution from e-Security combined with a SAS data warehouse on the back end. (Novell acquired e-Security in April 2006.)

"e-Security provides our near real-time front end and can take a variety of disparate data sources and provide immediately actionable alerts to our watch commanders. ...Then we roll that data off of e-Security into our SAS data warehouse back end for long-term trend analysis," Granger says.

The deployment initially started as a pilot project, dubbed Mobius, and has grown into a full-fledged system now called Prometheus. The e-Security piece collects event data primarily from IPSes along with some firewalls and routers, but NCDOC plans to feed into it more devices, such as a vulnerability assessment scanner and host-based security systems.

With a 150-terabyte SAN, Prometheus allows NCDOC to analyze an immense volume of data to warn about possible cyberattacks, including "low and slow" probing, Granger says.

While the tool has proven powerful, he credits the sailors and civilians using it for making it a success. NCDOC operators worked closely with engineers from e-Security and SAS to develop an effective system.

Integrating e-Security more closely with its incident tracking system was essential, Granger says: "A lot of early SIM technology was about, 'We'll plug 70 sensors into one screen.' You need to be able to track the status of a long-term incident, the feedback...and store and catalog this data so it's accessible months or years later."

[snapshot #4]
a reliable utility

With some 12 million residents of Ontario, Canada relying on it for power, the Independent Electricity System Operator (IESO) has a critical need for network security.

David Lewis' words of wisdom:
Avoid "agent bloat"

Consider ease of an appliance

Buy more storage

The importance of keeping on top of security threats was one reason the organization wanted an automated system that would collect, analyze and report the events produced by its network security devices. Another driver was the proposed security auditing requirements of the North American Electric Reliability Council (NERC).

"Auditors have this simple phrase: 'If it's not written down, it didn't happen,'" said David Lewis, who goes by the unofficial title of "security curmudgeon" at the nonprofit IESO.

So Lewis--who has a background in archeology and a habit of "researching things to death"--began digging into whatever he could find about SIMs.

From a list of 13 vendors, he and his security team quickly ruled out a couple as too expensive. Then they reviewed product features and ultimately chose Network Intelligence's enVision appliance.

"It came down to price, usability, and ease of installation," Lewis said.

The agentless nature of the product was an important factor, he notes. "One of the things that systems suffer from these days--brutally so--is agent bloat. You'll have agents for rolling out patches, for intrusion detection, firewall agents. I finally said, 'Enough!'"

Less critical, but still important, was using an appliance. Another vendor offered a solution at a similar price but it was software-based, so IESO would also need to buy hardware, adding to the cost.

"It just didn't seem practical," Lewis said. "I like the ability to just drop in an appliance and be done."

In fact, he was surprised at how quickly his team was able to deploy the device. And with a Web-based front end, IESO staff can easily manage the appliance from virtually anywhere.

Several other SIM products required a lot of "care and feeding," Lewis said: "You'd have to dedicate a couple of resources full time just to take care of the beast...maintaining the agents, the system...configuration."

With the SIM in place, IESO now has a way to meet NERC auditing requirements for its security infrastructure. "We're able to demonstrate that we're collecting logs and they're being reviewed." Staff can also show remediation action taken.

The technology, which collects and correlates IDS, firewall, server, and other data, also provides security alerts in as near real-time as possible, Lewis says. The enVision dashboard allows the network operations staff to see at a glance if something is going wrong and respond.

Previously, the organization used a syslog server to collect event logs, a process that Lewis says is best described as "agonizing," especially with what he calls a noisy network that generates a lot of security events.

Basically, the SIM "is making life a lot easier for all of us," Lewis said.

Network Intelligence's pre-built reports allow IESO to generate a variety of reports. For example, a report on firewall alerts allowed the organization to spot a firewall rule change that should not have been made.

The lone regret Lewis has about IESO's SIMs implementation is not buying more storage from the start, primarily for compliance purposes. He has enough to last until 2012, but still plans to invest in additional capacity.


SIM & storage

Determining how much storage you'll need before buying a SIM depends on several factors. Two key ones are how many devices will be reporting into the SIM, and your company's data retention policies.

Agent vs. agentless approaches
by Joel Snyder

Although Windows has a common logging system for applications, getting log entries to a SIM isn't a natural operation. To export log information, you need to either give the SIM sufficient credentials to pull the logs using existing Windows APIs, or add an agent that pushes logs off the Windows systems to the SIM.

For some network managers, the "pull" method -- often called agentless -- has a huge benefit that overrides any defect: you don't have to install software on the system from which you want to gather logs. However, with pull strategies, log information is generally limited to the Windows Event Log. Moreover, giving the SIM sufficient credentials to gather logs can be disconcerting.

With an agent you install, the SIM is up-to-date and--depending on the smarts in the agent--may have access to a greater variety of performance and security information than just the Event Log. Some vendors write their own agents while others have chosen to use syslog as the protocol of choice, suggesting an agent that simply translates Windows Event Log entries to syslog events.

Joel Snyder is senior partner at consultancy Opus One and a technical editor of Information Security.

ArcSight found that in many cases, customers underestimated their storage requirements because they ultimately wanted a lot more devices feeding data into the SIM than they originally planned, said Steve Sommer, senior vice president of marketing and business development.

Storage requirements also vary depending on how many days, weeks or months a company wants to retain data, and what they plan to keep.

"Do they want to collect every single event and log, or do some filtering of data that isn't relevant for compliance or security?" Sommer asked. "That can affect the storage by several factors."

Sunil Rath, director of systems engineering at netForensics, estimates that a 500 MB hard drive disk can store roughly 1 million security events. He agreed, however, that storage requirements depend on the client's retention policy and device message volume.

The National Institute of Standards and Technology (NIST) recently released guidance for computer security log management--Draft Special Publication 800-92--which Sommer says should help the industry. The document includes guidelines on managing long-term data storage.

Article 1 of 19

Dig Deeper on SIEM, log management and big data security analytics

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All