In Brief
Toolbox: Security Event Management
Currently, managing network security is a bit like standing three inches from a pointillist painting.
By Derek Slater
July 01, 2004 — CSO — Currently, managing network security is a bit like standing three inches from a pointillist painting. You can see the dots fine, but as for making out the big picture - good luck.
Firewalls, intrusion detection systems (IDS), vulnerability scanners and various other security devices churn out lengthy activity logs, but the sheer volume of data makes it tough for security and network managers to ferret out patterns that might indicate malicious activity. Which leads us to the hot technology term du jour: event correlation. Event correlation means compiling all that log data and automatically comparing, for example, all the traffic to or from a particular IP address.
However (as is often the case in security), if you get six different event correlation providers in the same room, you may find that they do six very different things. To clarify this chaotic situation, Pete Lindstrom, research director at Spire Security, breaks the contenders into a few general categories. For starters, Check Point, Cisco and other firewall or IDS vendors offer event correlation on their own platforms. But for managers with large, heterogeneous networks under their care, Lindstrom mentions what he calls "security event managers" (SEM) from a set of five vendors. The latest versions of these products illustrate the types of features and functions that the vendors are using in their efforts to make event correlation an effective and applicable part of the network management process.
SEM Software
ArcSight's TruThreat Risk Correlation
www.arcsight.com
e-Security's e-Security
www.esecurityinc.com
GuardedNet's NeuSecure
www.guardednet.com
Intellitactics' NSM Advanced Analytics
www.intellitactics.com
NetForensics' Security Information Management
www.netforensics.com
While these vendors are working overtime to differentiate their products, they generally share a number of features. Several use both rule-based correlation (which allows users to define and detect known attack patterns on the network) and statistical or computational correlation (which is useful for detecting anomalous network traffic patterns that could signify an unknown form of attack). Most convert reams of data into graphical formats, making it more readily understandable. Some of the products allow users to classify and prioritize business assets based on their value so that, for example, traffic aimed at a particular server with highly sensitive customer data could be scrutinized more closely. And with regulatory compliance and auditing being all the rage, several security event managers offer compression, storage and management of the raw event data that comes in from each source (IDS, firewall and so on).
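As an added illustration (not code from the article or from any of the SEM vendors listed), here is a minimal rule-based correlator of the kind the paragraph describes: it groups firewall and IDS events by source IP, fires when a burst of firewall denies is followed by an IDS alert from the same address, and prioritizes the result by the value of the targeted asset. The event tuples, the asset-value table, the time window and the deny threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources (a firewall and an IDS), already
# normalized to (timestamp, source, src_ip, dst_ip, action). Real SEM products
# normalize many vendor log formats into a common schema like this first.
SAMPLE_EVENTS = [
    ("2004-07-01 10:00:01", "firewall", "10.9.8.7", "192.0.2.10", "deny"),
    ("2004-07-01 10:00:05", "firewall", "10.9.8.7", "192.0.2.10", "deny"),
    ("2004-07-01 10:00:09", "firewall", "10.9.8.7", "192.0.2.10", "deny"),
    ("2004-07-01 10:01:30", "ids", "10.9.8.7", "192.0.2.10", "alert"),
    ("2004-07-01 10:02:00", "firewall", "198.51.100.4", "192.0.2.20", "deny"),
    ("2004-07-01 10:02:10", "ids", "198.51.100.4", "192.0.2.20", "alert"),
    ("2004-07-01 10:30:00", "ids", "10.9.8.7", "192.0.2.20", "alert"),
]

# Constructed asset classification: a higher value means the host deserves
# closer scrutiny (e.g. a server holding sensitive customer data).
ASSET_VALUE = {"192.0.2.10": 5, "192.0.2.20": 1}


def parse(raw_events):
    """Turn the constructed tuples into events with datetime timestamps."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, sip, dip, act)
            for ts, src, sip, dip, act in raw_events]


def correlate(events, window=timedelta(minutes=5), min_denies=3):
    """Rule-based correlation keyed on source IP: an IDS alert preceded by at
    least `min_denies` firewall denies from the same IP inside `window`
    becomes one correlated alert, scored by the targeted asset's value."""
    denies = defaultdict(list)  # src_ip -> timestamps of firewall denies
    for ts, source, sip, _dip, action in sorted(events):
        if source == "firewall" and action == "deny":
            denies[sip].append(ts)
    alerts = []
    for ts, source, sip, dip, action in sorted(events):
        if source != "ids" or action != "alert":
            continue
        recent = [t for t in denies[sip] if ts - window <= t <= ts]
        if len(recent) >= min_denies:
            alerts.append({"src_ip": sip, "dst_ip": dip, "denies": len(recent),
                           "priority": len(recent) * ASSET_VALUE.get(dip, 1)})
    # Highest-priority alerts first, so analysts see the valuable assets on top
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_EVENTS)):
        print(alert)
```

With the sample data only the 10.9.8.7 burst against the high-value server correlates; the single deny before the second IDS alert stays below the threshold, and the later alert from 10.9.8.7 falls outside the window.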
Lindstrom says these are ambitious products that require some integration and operational tuning for optimal performance. "Any time I hear the terms API or toolkit from one of these vendors, I know that equals more work" for the users, he notes. Another set of vendors are approaching event correlation in what Lindstrom describes as "a more lightweight manner." These products aim for plug-and-play simplicity and are available in appliance format.