Get it together


Whether you have a SOX problem or a HIPAA ailment, it is becoming more tempting to enlist a SIM. But beware what you’re buying into. Vendors are heavily hyping their security incident management (SIM) wares as the cure-all for meeting regulatory compliance standards such as the Sarbanes-Oxley (SOX) and Health Insurance Portability and Accountability Acts (HIPAA). If anything, they’re half right.

Yes, the increasingly large number of SIM solutions (or security information and/or event management, so the abbreviation could be SIEM or SEM) can help beleaguered enterprises comply with these and other regulatory acts.
By aggregating and correlating the virtually unlimited data collected by perimeter security devices, such as firewalls and intrusion detection/protection systems (IDS/IPS), they give IT admins valuable tools for mitigating the financial or technological impact of breaches such as worms, trojans, and DoS attacks.
But they are not a compliance panacea, no matter what vendors claim.
"HIPAA has driven health care organizations to look at security in general," admits Rick Casteel, vice president of MIS for Upper Chesapeake Health, a non-profit foundation that operates two hospitals in Harford County, Maryland.
Casteel uses TriGeo's Security Information Manager SIM appliance to monitor security incidents – and help comply with HIPAA regulation – on his network of about 750 nodes, which includes 40 servers and a Check Point firewall.
"[But] there's nothing in HIPAA that's a rubber stamp for companies – an organization determines what HIPAA compliance equates to," he explains. "It's more an umbrella, and a SIM product can give you information to help meet compliance, but nothing in HIPAA prescribes certain reports every week."
Yet, that's what several SIM vendors claim their products can provide. For instance, Anton Chuvakin, a security strategist for SIM software developer NetForensics, says the company's NSX software "comes with a set of reports tied to certain regulatory issues, such as HIPAA and the Gramm-Leach-Bliley Act – unique reports – that offer solutions for compliance professionals." ArcSight and Network Intelligence, among others, also boast of similar capabilities.
Diana Kelley, a senior analyst with the Burton Group, chides vendors for these sorts of claims. "I'm surprised at the myth of 'SOX in a box,'" she says.
"Enterprise vendors say they have these templates, and all of a sudden you have reporting and compliance," says Kelley. "But there's no such thing as buying a 'SOX in a box' and, like magic, you're compliant."
Such is the frenzy surrounding this niche, however, one of the fastest-growing IT markets. Here's a run-down of some of the trends impacting the SIM (or, as noted, SIEM/SEM) area.

SIM shows strong growth
The Yankee Group, a Boston-based market research firm, tabs the security event management market at about $330 million this year, projecting it will grow to $800 million by 2008.
While that is a small portion of the $12.9 billion enterprises will spend onsecurity products this year, its 30 percent annualized growth is one of the key factors in the security market's robust six percent expansion, according to George Hamilton, a senior analyst at Yankee.
Indeed, the push by enterprises attempting to get into compliance with a wide range of regulations specific to their industry or financial status is the driving force behind the SIM market. These regulations include SOX, HIPAA, the Gramm-Leach-Bliley consumer privacy act, and Visa's Payment Card Industry standard (for more on the PCI standards see our cover feature on page 24).
It is a market that has attracted both big and startup players. The list includes the usual enterprise suspects such as Cisco, Computer Associates, IBM and Symantec. Players targeting just this
niche include ArcSight, Consul, Dorian Software, e-Security, LogLogic, NetIQ, GuardedNet/Micromuse, Intellitactics, High Tower Software, OpenService, NetForensics, Sensage, TriGeo and ScriptLogic.
The enterprise software systems from the IBMs and ArcSights of this world will also cost big. An entry-level system from Intellitactics, for instance, begins at about $75,000, according to Ron Hardy, the company's chief strategy officer.
So it's not surprising that two other SIM options have popped up, both more moderately priced.
On one hand are the appliance-based units from the likes of NetIQ, Cisco, Network Intelligence, TriGeo, Symantec, and others. These cost anywhere from $15,000 or so up to $75,000, depending on configuration, size of network covered, and so on.
There's also a burgeoning market for SIM capabilities delivered via the application service provider (ASP) model.

How SIM really works
No matter how it is delivered, a SIM product is at its core a log-file aggregator. It collects information stored in the log files of systems – firewalls, IDS/IPS, operating systems, and applications – and aggregates it in a central location.
From that point, SIM products offer a wealth of capabilities, all focused around their ability to analyze possible security breaches, correlate information from the various devices, and then send alerts when necessary to authorized personnel for possible remediation. Obviously, each vendor promotes its own specific abilities, some targeted to the enterprise, others to just parts of an infrastructure.
ScriptLogic's Active Administrator and Dorian Software's Event Achiver software, as two examples, are niche products that track changes made to Microsoft Windows' Active Directory user-profile service. Active Administrator is ideal for monitoring the dozens of changes that can impact user profiles within a Windows domain, says Eddie Sparpaglione, director of information systems for Sussex County, Delaware, who has used ScriptLogic for about a year.
He deployed ScriptLogic after a user who had admin rights mistakenly made changes to a group profile, locking everyone in that group out of their systems. Active Administrator eliminates the "hard part" of centralizing log files from his four Active Server domains, he says, and allows him to see consolidated reports on types of changes and who makes them, both critical to security.
Other products on the market offer similar targeted capabilities. For example, Ashesh Kamdar, group product manager for Symantec's security incident/event management solutions, says its Security Information Manager appliance includes the company's Deepsight Management service, which alerts customers when new security treats appear on the internet.
Chuvakin cites NetForensics' NSX's as "multi-platform support, scalability and unique correlation methods." Steve Sommer, senior VP of marketing and business development at ArcSight, cites the company's TruThreat Risk Correlation Engine's support for the widest range of third-party (IDS, firewall etc.) systems.

Neighbors that don't get on
What you will not hear from vendors is much talk about interoperability between their SIM products. It does not exist, and don't hold your breath waiting for it.
Vendors all refer to their ability to interoperate with endpoint security devices such as IDSs and firewalls and even helpdesk or network management systems such as those from Remedy and Hewlett-Packard. Many of them support SNMP (simple network management protocol). But none offer easy ways to port information from their SIM products to another vendor's software.
Blame it on market immaturity and lack of customer demand, say vendor reps.
"Customers aren't clamoring for interoperability," says Reed Harrison, chief technology officer at e-Security.
"They're just not calling for a standard messaging structure for security products today."
Eventually, the SIM market players will segment themselves into two camps, believes Dario Zamarian, director of Cisco Systems' security management products. One group will handle attack mitigation and protection, the other compliance, he says.
"The ability to provide realtime attack protection and mitigation comes with enterprise security requirements,"he says. "I speculate that folks who want regulatory compliance reporting to pass audits will deploy a SIM product specific to their needs."

Buying into a SIM system
Case study

Security audits mandated by federal banking examiners revealed a critical need at Security Bank of Kansas City– a system for managing all the security data produced by the bank's devices.

The problem
Firewalls, intrusion detection systems, routers, and Windows machines were producing reams of data, but administrators had no way of getting a security perspective, says James McKenney, IT security officer at the bank's data center, which provides services to seven member banks of the Valley View Bancshares bank holding company.
The small IT staff did not have the resources to monitor and correlate all the data, and adding more employees and training them to watch firewall and IDSs was not viable.
McKenney and others at the bank began to look for technology that would aggregate and correlate security events instead of requiring technicians to parse through logs manually. Such a system would allow staffers to focus on responding to security events as opposed to detecting them and also allow the bank to more easily meet regulatory requirements.
In searching out a solution, McKenney wound up reviewing eight vendors. While there were strong contenders, many were geared for large enterprises and cost too much. Aside from cost, McKenney was worried about the kind of support his mid-sized organization would get from vendors that serve big companies: "Would we be last on the list? Would we be treated equally?"

The solution
The bank chose OpenService and deployed its Security Management Center (SMC) security information management suite for its data center. The suite included Security Threat Manager (STM), which correlates events and identifies threats, and Security Log Manager (SLM) for security compliance reporting.
"It takes away the legwork of having to parse through a dozen different systems for one event," says McKenney.
Also, SMC has built-in logic to detect and escalate actual security events that the bank needs to deal with, he says. For example, if there is a port scan, network staff do not need to be alerted.
But if there is a port scan and three attempts by an unauthorized user to access a system, followed by a fourth successful attempt, then it is a possible system compromise that warrants attention.
Immediately after installation, SMC detected a problem – not a security one, but some routing trouble that was causing an intermittent denial-of-service. Hosts on the network were sending out requests that were being dropped by the firewall.
Before implementing the software, staffers manually looked at subsets of firewall and other system logs to search out the cause of slow internet access. But, says McKinney, SMC provided them with a complete picture and solved the mystery.
While the suite's STM component helps the bank respond better to security events, it also strengthens its federally required incident-response plan.
Security Bank is also required to archive its data logs, which the SLM component of SMC does.
"STM stores and archives all the logs that happen on our devices... so we can go through from an audit perspective and query historically on a username or a computer on a specific day or hour," says McKenney.
A feature that made OpenService's software attractive to the bank was its roles-based access control, he says. Serving multiple banks, the data center needed to be able to provide segregated views so one bank could not see another's event data. Some smaller vendors offered that access-control capability but couldn't scale to meet the bank's needs, while the products from bigger vendors were just too expensive.
Phil Hollows, VP of product marketing at OpenService, says companies are seeing the need for systems to manage all security data produced.
"It can be a huge deluge ... and you are under compliance pressure to look at those logs," he says.
And internet threats continue to climb. A SIM system helps not only with compliance but also reducing risks, says Hollows. Financials in particular have been a favorite target for online criminals, who are now setting their sights on smaller firms.
"Regional banks are becoming potential targets and they don't have the staff to deal with it," he says.

By Marcia Savage

Management takeout
MSSPs get in on SIM

Shifting market requirements, including compliance and deployment cost, are driving more enterprises to consider a managed security services provider (MSSP) for SIM. These subscription-based services offer all the utility of packaged SIM products without many of the costs and hassles required to install, configure and manage them.
A SIM MSSP integrates its software with the customers' end-point (for example, firewalls and intrusion detection systems) devices.
It then delivers a web-based interface that allows customers to view events (raw and correlated), analyze, respond and generate reports.
One of the primary benefits of an MSSP-delivered SIM solution is that it frees the enterprise from the complicated process of writing SIM management policies. Cost savings of up to a third are touted.

By Jim Carr

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.