SEM Systems Defend Against Information and Regulatory Overload

Network and security administrators daily must sift through terabytes of information written as access logs, intrusion detection system (IDS) alerts, and vulnerability and threat information. Most log information is archived without being read. Organizations also need to comply with regulations protecting the confidentiality and integrity of customer and financial information. Defining audit policies and managing log data have become pressing needs in regulated industries.

In this report, we discuss the market for security event management (SEM) systems, which are repositories for log information that manipulate and display the data in a meaningful way. Vendors created SEM systems to assist security administrators with developing policies, managing logs, responding faster to virus and hacker threats, and using the information available to continue improving defenses. SEM vendors are rising to these challenges with extensive device support, better correlation of events and robust data storage architectures.

The growing number of risks and increasing complexity of our security defenses guarantee SEM a place in the overall security solution and create an opportunity for overlapping network and systems management vendors to add value by integrating with a new breed of security solutions. This report defines a road map for the evolution of SEM. It profiles the leaders and challengers in this $90 million market and forecasts revenue growth for the next five years.

Deciding what to log and interpreting log information is a complex task involving difficult choices for enterprises. There is a lack of advice on what to log and what these logs mean. Security systems should contain warnings of this unpleasant side effect: “Warning, some users may experience large volumes of incomprehensible data as a result of using this product.”

New regulations that require security administrators to audit policies as part of access control have brought these issues to the attention of C-level executives. SEM vendors are in a great position to share information on this topic, assist organizations in setting reasonable audit policies, and provide the visibility into event logs that has been lacking in the past.

SEM vendors are succeeding in the current market by meeting customers’ needs for intelligent correlation of security events, management reporting and log storage. However, SEM is evolving by converging with network and systems management. Organizations are looking to increase efficiency by implementing security systems with greater autonomy to respond to virus infections, attacks or other losses of network integrity. The risks associated with automation are a big concern. IDS automated attack response will reset or block a connection without any human intervention. False positives represent a high risk because they are difficult to avoid and can cause wide-scale business disruption. This keeps many enterprises from using these features.

By comparison, configuration, system or patch management technology designed to automatically modify systems carries a different set of risks. Auto-remediation of vulnerabilities can adversely affect one or more devices. This risk can be reduced to an acceptable level by requiring human intervention-giving administrators the opportunity to conduct thorough testing. Unlike attack response, the necessity of human intervention does not diminish the benefits of autonomous configuration changes.

SEM and other security solutions will remain passive in the attack response area until false positives have been virtually eliminated. However, the necessity to improve network integrity is causing enterprises to look more closely at increasing automation. SEM vendors that remain event log repositories and do not extend the capabilities of their product in this direction will face a shrinking market.

Integrating a systems management solution with risk management, and maintaining systems according to their value to the organization, has the potential to revolutionize the way enterprises manage security risks. Yankee Group research indicates that SEM will play a key role in driving the industry in this direction.

Predictions

Behavioral detection methods, also employed to detect telecommunications and credit card fraud, will be used to improve SEM correlation by the first quarter of 2004.

SEM solutions are converging with network and systems management. This trend will accelerate in 2004, resulting in 50 percent market consolidation by 2005.

Integration of patch management technology with SEM will occur by 2005.

Recommendations for Enterprises

Make sure you have incident response procedures, patch management procedures and a security policy. Risk reduction cannot be achieved through SEM unless you are collecting the right data and have defined procedures to use that data. SEM must be used in conjunction with other technical and procedural controls to be effective, and it can be used to address vulnerabilities or weaknesses in preexisting controls.

Perform a risk analysis before making any security purchase. Make sure you are addressing your biggest risk by buying SEM and have enough invested in the processes and procedures that make SEM useful (i.e., patch management and incident response).

Focus on improving network integrity through event correlation or archiving event information, not both. SEM systems that are optimized for real-time event correlation cannot easily be optimized for historical reporting. Decide which requirement is more important and select a vendor that can meet this immediate need. Ask for a product road map or find out what enhancements the vendor plans to make.

Define your requirements for forensic integrity. Not all SEM solutions ensure forensic integrity. These features have not advanced as quickly real-time correlation capabilities. If you have strong requirements for confidentiality and accountability, make sure the solution you choose includes cryptographic checksums of events, encrypts events before sending them over a network and protects event data in storage.

In regulated industries, seek vendors with proven experience addressing regulatory needs. Customers’ needs drive product enhancements. The Yankee Group recommends alignment with the existing customer base as a criterion when evaluating solutions. A vendor with existing customers in regulated industries can provide references, case studies and invaluable expertise to an enterprise.