Whether you have a SOX problem or a HIPAA ailment, it is becoming more tempting to enlist a SIM. But beware what you're buying into. Vendors are heavily hyping their security incident management (SIM) wares as the cure-all for meeting regulatory compliance standards such as the Sarbanes-Oxley (SOX) and Health Insurance Portability and Accountability Acts (HIPAA). If anything, they're half right.
Yes, the increasingly large number of SIM solutions (or security information and/or event management, so the abbreviation could be SIEM or SEM) can help beleaguered enterprises comply with these and other regulatory acts.
By aggregating and correlating the virtually unlimited data collected by perimeter security devices, such as firewalls and intrusion detection/protection systems (IDS/IPS), they give IT admins valuable tools for mitigating the financial or technological impact of breaches such as worms, trojans, and DoS attacks.
But they are not a compliance panacea, no matter what vendors claim.
"HIPAA has driven health care organizations to look at security in general," admits Rick Casteel, vice president of MIS for Upper Chesapeake Health, a non-profit foundation that operates two hospitals in Harford County, Maryland.
Casteel uses TriGeo's Security Information Manager SIM appliance to monitor security incidents – and help comply with HIPAA regulation – on his network of about 750 nodes, which includes 40 servers and a Check Point firewall.
"[But] there's nothing in HIPAA that's a rubber stamp for companies – an organization determines what HIPAA compliance equates to," he explains. "It's more an umbrella, and a SIM product can give you information to help meet compliance, but nothing in HIPAA prescribes certain reports every week."
Yet, that's what several SIM vendors claim their products can provide. For instance, Anton Chuvakin, a security strategist for SIM software developer NetForensics, says the company's NSX software "comes with a set of reports tied to certain regulatory issues, such as HIPAA and the Gramm-Leach-Bliley Act – unique reports – that offer solutions for compliance professionals." ArcSight and Network Intelligence, among others, also boast of similar capabilities.
Diana Kelley, a senior analyst with the Burton Group, chides vendors for these sorts of claims. "I'm surprised at the myth of 'SOX in a box,'" she says.
"Enterprise vendors say they have these templates, and all of a sudden you have reporting and compliance," says Kelley. "But there's no such thing as buying a 'SOX in a box' and, like magic, you're compliant."
Such is the frenzy surrounding this niche, however, one of the fastest-growing IT markets. Here's a run-down of some of the trends impacting the SIM (or, as noted, SIEM/SEM) area.
SIM shows strong growth
The Yankee Group, a Boston-based market research firm, tabs the security event management market at about $330 million this year, projecting it will grow to $800 million by 2008.
While that is a small portion of the $12.9 billion enterprises will spend on security products this year, its 30 percent annualized growth is one of the key factors in the security market's robust six percent expansion, according to George Hamilton, a senior analyst at Yankee.
Indeed, the push by enterprises attempting to get into compliance with a wide range of regulations specific to their industry or financial status is the driving force behind the SIM market. These regulations include SOX, HIPAA, the Gramm-Leach-Bliley consumer privacy act, and Visa's Payment Card Industry standard.
It is a market that has attracted both big and startup players. The list includes the usual enterprise suspects such as Cisco, Computer Associates, IBM and Symantec. Players targeting just this niche include ArcSight, Consul, Dorian Software, e-Security, LogLogic, NetIQ, GuardedNet/Micromuse, Intellitactics, High Tower Software, OpenService, NetForensics, Sensage, TriGeo and ScriptLogic.
The enterprise software systems from the IBMs and ArcSights of this world will also cost big. An entry-level system from Intellitactics, for instance, begins at about $75,000, according to Ron Hardy, the company's chief strategy officer.
So it's not surprising that two other SIM options have popped up, both more moderately priced.
On one hand are the appliance-based units from the likes of NetIQ, Cisco, Network Intelligence, TriGeo, Symantec, and others. These cost anywhere from $15,000 or so up to $75,000, depending on configuration, size of network covered, and so on.
There's also a burgeoning market for SIM capabilities delivered via the application service provider (ASP) model.
How SIM really works
No matter how it is delivered, a SIM product is at its core a log-file aggregator. It collects information stored in the log files of systems – firewalls, IDS/IPS, operating systems, and applications – and aggregates it in a central location.
From that point, SIM products offer a wealth of capabilities, all focused around their ability to analyze possible security breaches, correlate information from the various devices, and then send alerts when necessary to authorized personnel for possible remediation. Obviously, each vendor promotes its own specific abilities, some targeted to the enterprise, others to just parts of an infrastructure.
ScriptLogic's Active Administrator and Dorian Software's Event Achiver software, as two examples, are niche products that track changes made to Microsoft Windows' Active Directory user-profile service. Active Administrator is ideal for monitoring the dozens of changes that can impact user profiles within a Windows domain, says Eddie Sparpaglione, director of information systems for Sussex County, Delaware, who has used ScriptLogic for about a year.
He deployed ScriptLogic after a user who had admin rights mistakenly made changes to a group profile, locking everyone in that group out of their systems. Active Administrator eliminates the "hard part" of centralizing log files from his four Active Server domains, he says, and allows him to see consolidated reports on types of changes and who makes them, both critical to security.
Other products on the market offer similar targeted capabilities. For example, Ashesh Kamdar, group product manager for Symantec's security incident/event management solutions, says its Security Information Manager appliance includes the company's Deepsight Management service, which alerts customers when new security treats appear on the internet.
Chuvakin cites NetForensics' NSX's as "multi-platform support, scalability and unique correlation methods." Steve Sommer, senior VP of marketing and business development at ArcSight, cites the company's TruThreat Risk Correlation Engine's support for the widest range of third-party (IDS, firewall etc.) systems.
Neighbors that don't get on
What you will not hear from vendors is much talk about interoperability between their SIM products. It does not exist, and don't hold your breath waiting for it.
Vendors all refer to their ability to interoperate with endpoint security devices such as IDSs and firewalls and even helpdesk or network management systems such as those from Remedy and Hewlett-Packard. Many of them support SNMP (simple network management protocol). But none offer easy ways to port information from their SIM products to another vendor's software.
Blame it on market immaturity and lack of customer demand, say vendor reps.
"Customers aren't clamoring for interoperability," says Reed Harrison, chief technology officer at e-Security.
"They're just not calling for a standard messaging structure for security products today."
Eventually, the SIM market players will segment themselves into two camps, believes Dario Zamarian, director of Cisco Systems' security management products. One group will handle attack mitigation and protection, the other compliance, he says.
"The ability to provide realtime attack protection and mitigation comes with enterprise security requirements," he says. "I speculate that folks who want regulatory compliance reporting to pass audits will deploy a SIM product specific to their needs."