Since the late 1980s, corporations have invested heavily in network and information systems technology to create network-based applications that can be used by employees, partners and clients regardless of their physical location.
The goal was to provide distributed applications and reliable communications so that business critical applications were accessible anywhere at anytime. The Internet explosion of the 1990s extended corporate and organizational networks from the campus backbone all the way to cyber cafés from Newark to Manila. Everything IT was migrating to a virtual and client-server existence at breakneck speed.
Following the rush to become connected, corporations are now attempting to cope with the human consequences of connectivity. All things human are now being played out at the speed of electronic communications on the Internet, and unfortunately on the corporate enterprise network as well.
Theft, deceit, intimidation and vandalism now all have their counterparts in the virtual world of networks and information systems. Corporate espionage, email viruses, web site defacements, harassment via electronic messaging and 'inappropriate use' are real issues that the information security manager is dealing with in one form or another. As more and more people are granted access to information systems and the information they contain, the basic premise of controlling information access has become only one part of the information security function. Information security has evolved from protecting information to tracking information as it flows across larger and larger communications networks.
Following closely on the heels of network technology and distributed software architecture, and heralding solutions to information security problems, the network security device industry was born. Firewalls, virus detection software, intrusion detection systems (IDSes), distributed authentication systems, virtual private networks (VPNs) were all developed, marketed and sold to solve specific problems. Each type of device competed against similar devices in an isolated market. As each market matured, individual device classes became more complicated. As each IT organization addressed problems with the deployment of security technology, their network in turn became more complicated.
Taken collectively, the security infrastructure is currently a collection of disparate systems that are only loosely integrated. This collection of systems is in turn superimposed over the network topology, making network operations more complicated.
As any information security professional will tell you, protecting information is inherently different to protecting physical things. Information systems on the network receive, store, process and transmit information on the network. The result of widespread information sharing is that we are now coming to terms with the idea that we cannot secure information by securing a subset of the systems that the information passes through. The individual security devices that we have to secure information cannot alone guarantee or assure us that information is secure. Information is only secure when you know where it is, where it has been and where it will be at any and all times. That is a very tall order indeed. But all is not lost.
The collection of security systems that make up the security infrastructure each provide a piece of the "information security puzzle." What is lacking is the ability to aggregate and correlate the information from the security infrastructure to provide assurance that information is secure. A firewall can tell us when a connection is accepted or rejected. But it cannot tell us much about the information coming into and out of our network. An IDS can tell us that an exploit is in progress, but it cannot tell us very much about the attacker.
When we combine the operational messages from the network and security infrastructure (e.g., firewalls, host IDS, network IDS, routers, switches, and authentication servers) we can paint a more detailed picture of any packet or connection that is occurring in the enterprise.
This approach is not new. It can be seen in the procedures employed by security investigators when attempting to determine what happened during a security incident. The typical emergency response team will acquire and correlate information from as many of these sources as possible. If the goal of information security is knowing what is happening now, then in a sense, real-time security incident response is fundamental to securing the entire enterprise.
By aggregating, normalizing and analyzing information from all security and security-related components of the network, a security infrastructure management system can provide network-wide intelligence on the information traversing the network in real time. This is much more effective than depending on alarms from security devices that perform specific functions on the network in isolation.
The key problem with aggregating and correlating large quantities of messages and alarms is presenting the acquired intelligence in a useful and effective manner. Operational consoles for network and security devices have typically relied on the scrolling text format for operational message presentation. Once the number of messages exceeds a certain quantity, a human operator cannot acknowledge or prioritize individual messages in the stream.
An optimal security infrastructure management system will aggregate, normalize and correlate the aggregate operational message stream and then present the results graphically. The operator will be able to easily discern which alert conditions from which systems have resulted in an alarm condition, without having to process text information from all the messages involved. With the set of devices reporting alarms identified, all relevant messages from the security and network infrastructure will be automatically queued for reference and processing by real-time and operator-initiated analysis software. By navigating a graphical display, the operator is able to easily drill down and acquire specific information rapidly without sorting or filtering through raw data laboriously obtained from multiple systems.
As information systems continue to be deployed on the network, and network connectivity continues to expand on a global scale, the difficulties involved with securing information will only increase. Point solutions to individual facets of the information security problem will continue to improve how they do what they do best. But point solutions cannot and will not in isolation provide the answer to the question "who sent what information where and when."
Executives and managers in information technology are under increasing pressure to provide information security in the dynamic and expanding network application environment. The information security problems concerning information flow on the network will only be addressed by integrating the various point solutions into a comprehensive, security infrastructure management system. The days when a firewall and IDS deployed on the network perimeter were sufficient are rapidly receding into the past as old human problems take new forms in the Internet age.
Malcolm Rieke is a CISSP and chief security analyst at High Tower Software, Inc. (www.hightowersecurity.com) a provider of real-time security intelligence applications for large enterprises based in California.