Corralling security data

Like many companies, Online Resources Corp. has deployed host- and network-based intrusion-detection systems (IDS), firewalls and antivirus tools on its networks. But until it installed a security event management suite, the company had a hard time dealing with the deluge of data pouring in from its various security systems. Not only was the incoming data voluminous and highly unreliable, but the IT staff also had to collect it from each system and then manually correlate it.

The Security Information Management suite from NetForensics Inc. has changed that by automating Online Resources' process of gathering, consolidating, correlating and prioritizing that data, says Hugh McArthur, information security officer at the US-based online bill processor. "It has given us a single place where we can go to get the information we need," he says.

Many companies are turning to centralized security event management tools to help them make sense of crucial security information, analysts say. The ever-increasing number of security appliances around the network perimeter has created a stream of data that needs to be analyzed and correlated, says Michael Engle, vice president of information security at Lehman Brothers Holdings Inc. in New York.

New and proposed regulations that will require companies to constantly monitor their networks for security incidents are also increasing interest in these tools, says Michael Rasmussen, an analyst at Forrester Research Inc. in Cambridge, Mass. "There is a tremendous driver in the security standards and legislation area. The reason why people are buying (such technology) is a direct result of this," he says.

Volume Control

IDSs, firewalls and antivirus software, as well as operating systems and applications software, can detect and report an enormous number of security events daily, say users and analysts.

For instance, the security incident management system at Lehman gathers and analyzes information about more than 1 million events from 15 different systems daily, according to Engle. This includes data from IDSs and authentication systems, a telephony password reset system and an anomaly-detection system, as well as logs from Lehman's main e-commerce, Windows and Unix systems.

By year's end, the firm hopes to have a new system in place that will help it gather and analyze more than 80 million daily events, including consolidated firewall log data.

Sifting through this volume of data without some sort of consolidation and correlation technology is nearly impossible, thereby making the data worthless, says Pete White, a security architect at Houston-based M.D. Anderson Cancer Center, whose own firewalls generate between 15 and 30 alerts every second. Security event management software helps "separate the wheat from the chaff," he says.

Event management software can help cut through the noise, Engle agrees. The software works by collecting information from individual security systems such as IDSs and firewalls. While some products deploy agent software to collect the information flowing out of them, others just use the Simple Network Management Protocol reports and system logs generated by such systems.

The tools then typically "normalize" the data by converting it into a common format and automatically filtering out duplicate data, such as multiple entries for the same virus attack. The normalized data is then dumped into a central database or repository, where correlation software can match data from different systems and look for patterns that might indicate an attack or threat.

Finally, threats are prioritized based on their severity and the importance of the systems that are vulnerable. Data that suggests an attack against a critical e-commerce server, for instance, would be given a higher priority than an attack against a file server.
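The collect, normalize, deduplicate, correlate and prioritize pipeline described above, shown as an added Python example (it is not the code of any product or vendor named in the article); the log lines, sensor names, asset criticality values and severity weights are constructed for illustration.

```python
import re
# Constructed sample feed (not real log data): a firewall, an IDS and an antivirus
# server report in different formats, and the firewall repeats one line verbatim.
RAW_EVENTS = [
    "fw01 DENY src=203.0.113.5 dst=10.0.0.10 dport=443",
    "fw01 DENY src=203.0.113.5 dst=10.0.0.10 dport=443",  # exact duplicate
    "ids01 ALERT src=203.0.113.5 dst=10.0.0.10 msg=web_attack",
    "av02 VIRUS host=10.0.0.50 name=Test.Sample",
    "fw01 DENY src=198.51.100.7 dst=10.0.0.50 dport=445",
]
# Assumed asset criticality (1-10): .10 is the e-commerce server, .50 a file server.
ASSET_CRITICALITY = {"10.0.0.10": 10, "10.0.0.50": 3}
BASE_SEVERITY = {"DENY": 1, "ALERT": 5, "VIRUS": 4}  # assumed per-event-type weights
KV = re.compile(r"(\w+)=(\S+)")

def normalize(line):
    """Map one raw line onto the common schema: sensor, type, src, dst, detail."""
    sensor, kind, rest = line.split(" ", 2)
    f = dict(KV.findall(rest))
    return {"sensor": sensor, "type": kind, "src": f.get("src", "-"),
            "dst": f.get("dst") or f.get("host", "-"),
            "detail": f.get("msg") or f.get("name") or f.get("dport", "-")}

def dedupe(events):
    """Drop repeated entries for the same event, keeping first-seen order."""
    unique = {tuple(sorted(e.items())): e for e in events}
    return list(unique.values())

def correlate(events):
    """Group events by targeted host; hits from several sensors raise severity."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["dst"], []).append(e)
    incidents = []
    for host, evs in by_host.items():
        sensors = sorted({e["sensor"] for e in evs})
        severity = max(BASE_SEVERITY[e["type"]] for e in evs) * len(sensors)
        incidents.append({"host": host, "sensors": sensors, "severity": severity})
    return incidents

def prioritize(incidents):
    """Rank incidents by severity weighted with the criticality of the asset hit."""
    for inc in incidents:
        inc["priority"] = inc["severity"] * ASSET_CRITICALITY.get(inc["host"], 1)
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)

def run_pipeline(lines):
    """Collect -> normalize -> dedupe -> correlate -> prioritize."""
    return prioritize(correlate(dedupe([normalize(line) for line in lines])))
```

With the constructed feed, the five raw lines collapse to four unique events and two incidents, and the one against the e-commerce server ranks first even though both hosts were flagged by two sensors.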

IT security administrators can view the information using a Web- or Java-based console, or dashboard, or the system can be configured to send alerts to pagers or other devices. Dashboards can give companies a real-time snapshot of what's going on inside the corporate network. "We are able to see events happen more quickly. It allows us to react faster if we see some activity bubble up in our systems," says White.

The benefits of deploying such software can be enormous, Engle says. When Lehman first installed an IDS in 1999, it generated more than 600 alerts daily--most of them false alarms. Today, thanks to the event-correlation features of its management system, administrators receive fewer than 10 per day. The system today is "turning more than 1 million events down to less than 10 alerts," Engle says. Such technology allows companies like Lehman to pinpoint threats far more efficiently, identify trends that might indicate an emerging threat and fine-tune incident response, Forrester's Rasmussen says.

The data that centralized event management systems capture and store is also useful for forensic analysis, says Nitin Ved, chief operating officer at NetForensics. Such systems let companies drill down into the details of an attack, piece together relevant information from different systems and quickly build a composite of events leading up to a security incident.

The technology lets administrators do all this without the dedicated attention to individual systems that would otherwise be required, says Bill Stevenson, security manager at Irvine, Calif.-based New Century Financial Corp., which uses the NetForensics suite.

The Downside

The event statistics maintained by security event-correlation systems can also be useful for measuring the effectiveness of IT security, says White. But as with any other technology, there are several major caveats associated with the use of such products. The biggest has to do with the quality of the data that is fed into such systems.

The old adage "garbage in, garbage out" holds true with both event and incident management software, says Sweta Duseja, a product manager at security vendor Check Point Software Technologies Ltd. in Seattle. That's why it's important to ensure that the right filters and rules are set for capturing the information that's fed into the system, Engle says.

Indiscriminate data collection can create problems. For instance, every time a user clicked on CNN's Web site, it generated 144 separate log events on Lehman's systems, most of which were useless data. "Initially, we were sending too much data into the system because we thought that would put us in a good place," Engle says.

Also, implementing event-correlation technologies often involves a degree of customization that may not be apparent at first, White cautions. Despite the support for multivendor technologies touted by several vendors, users often need to develop scripts for capturing information from specific security devices -- an effort that can be time-consuming and costly, White adds.

The tools can also impose quite a steep storage requirement on the organization, depending on what it wants to do with the data, says New Century's Stevenson. "It all depends on how many devices you are plugging into the system and how far back you want to go with the data. It can be for as little as a month or two or for as long as six years. You never know," he says. For this reason, many products support up to 2TB of data out of the box.

Despite the growing maturity of such technologies, no single product can gather all the relevant security-related information from across operating systems, applications and the network, Rasmussen says. For instance, while some products may excel at gathering network-level data, other products may do so at an operating system level.

Upfront costs can be steep as well. Event management systems typically start at over $100,000. That puts them out of reach for many businesses that would otherwise be attracted to them, says Bill Spernow, chief information security officer at the Georgia Student Finance Commission in Tucker, Ga.

But for organizations that can afford it, users and analysts say, the technology can yield rich benefits.
