Chad Hoggard was drowning in data. Each day the security administrator at Seattle-based Holland America Cruise Lines must drill into hundreds of thousands of log lines delivered from the nearly 100 devices that comprise or protect the company's network. Monitoring the data from these firewalls, IDSes (intrusion detection systems), and some 80 servers is an overwhelming task for the security administrator and his staff.
They cannot keep up with all the output. "Just on the network side, we're talking about 200,000 lines a day," says Hoggard, who reports to the company's CIO and is responsible for security of the systems that support some 1,200 end-users working on a variety of platforms.
Hoggard's situation isn't unique. As IT executives strengthen their companies' defensive postures with multiple devices and point solutions, they encounter the catch-22 of today's predominant layered-security approach: More devices mean more logs and alert data. The more data coming in, the harder it is for chief technologists to extract meaning from it. They may miss genuine attacks or escalate false alarms because the sheer volume of data makes close examination difficult.
To avoid this, enterprise execs are turning to SEM (security-event management) tools to make sense of, categorize, and extract meaning from security data. "We knew we needed centralized management," says Hoggard, who expects to complete deployment this spring of a product from e-Security Inc., one of the entrants in the SEM market. "Trying to sift through all these logs was difficult. Automation will make this a two- or three-person job rather than a multiple-person job."
Centralized management or reporting?
The core value of centralized security management, according to a recent Gartner Inc. report, is the correlation of security data from multiple devices and systems to enable better security assessment and to support corrective action.
"The primary driver of this nascent market is the failure of the intrusion detection systems to separate real threats from the background noise of ineffective probes, false alarms, and normal security changes," the October 2002 report, The Emerging IT Security Management Market, states.
Along with the buzz surrounding the emerging centralized security-management market comes some confusion about how far tools are progressing and which solutions and vendors have long-term viability. Adding to the confusion is the use of the term "centralized security-event management" to denote tools that are centralizing event reporting of siloed and/or decentralized security devices, says Gartner analyst John Pescatore.
"First generation tools make it easier for network security guys to monitor all those boxes," Pescatore explains. "Vendors have just started with the second generation tools -- adding reporting [that is] oriented to CIOs."
For Holland America's Hoggard, e-Security's 24x7 dashboard reaches across the cruise line's entire network security architecture and consolidates and organizes security "events" from multiple operating systems, Web servers, mainframes, databases, and network devices. He further refines the aggregated data by dividing views -- and event correlation rules -- along platforms. His team retains overall access and an overarching picture of all events.
"Now we can have a view for the Unix folks," Hoggard says. "They can create their own rules to define what correlation of events they are concerned about. I and my backup have access to all messages to draw lines between the other departments ... I handle the larger scheme correlation of events -- the potential attacks on multiple platforms."
Upping security investment return
As does Hoggard, Val King faces the security catch-22. The manager of information security for Canadian Pacific Railway in Calgary, Alberta, finds around-the-clock monitoring of user logs by six security staff members daunting -- not to mention a poor use of their time.
"We need technical people with solid security backgrounds. They're hard to get," so centralized reporting frees them up to work on security strategy, King says.
With the deployment of IBM Corp. Tivoli's Risk Manager still in progress, King is able to reroute team hours from post-event log review to security incident prevention. "This dramatically changes how my people work. We can provide more subject matter expertise to project development people. Now we spend a half hour once or twice a day ... and also have our operational folks keep an eye on Risk Manager rather than having to babysit the devices."
Therein lies one selling point to other Canadian Pacific executives -- freeing up security experts to focus on strategic functions. "We're just not going to get any more resources. We need to leverage technology to minimize the work in one area and move to [a higher level of work]," King says.
The good news is that many of the technical problems vendors faced in developing centralized security reporting platforms, such as achieving scalability and normalizing data from different devices into a common dashboard, have been largely resolved. However, other tasks, such as defining correlation rules and keeping agents in step with changes to individual devices' log formats, still present some hurdles.
As with both Hoggard and King, Jeff Taylor, a computer security engineer at Sandia National Laboratories in Albuquerque, N.M., is in the midst of a multimonth SEM tool deployment. Taylor brought in ArcSight with overall success, but now finds the implementation slowed due to shifting internal priorities and changes made by an IDS vendor to the IDS database.
Because of the IDS changes, the ArcSight agent pulling the IDS data needs to be modified. The agent parses the information and delivers it to a collection system; the collection system correlates the information and passes it to a central system backed by an Oracle database. "We are working with the ArcSight development team to have changes made to the IDS agent so it can read the local database and pass the IDS information to the collection system," Taylor says. "Because of other priorities, we have not had time to ... test and implement the modified IDS agent."
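To make concrete what the pipeline sketched above actually does, here is an added example, not code from the article or from e-Security, ArcSight or any other vendor. It models the three stages the article describes: per-platform parsers that normalize raw lines from a firewall, a Unix sshd syslog and a Windows security log into one event schema (the agent step), a per-platform view of the kind Hoggard gives "the Unix folks", and one cross-platform correlation rule of the kind he keeps for himself: a single source address producing failures on two or more platforms within a short window. The log lines are constructed, the field names and thresholds are this example's own, and the assumed syslog year is a stand-in because BSD syslog timestamps carry none.

```python
"""Added example (not the article's or any vendor's code): a toy SEM
pipeline. Per-platform parsers normalize raw lines into one schema, a
view filters by platform, and one correlation rule flags a source address
that produces failures on several platforms inside a short window.
Field names, thresholds and the log lines below are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_YEAR = 2002  # assumption: BSD syslog timestamps carry no year

# Constructed sample input as (collector source, raw line); not real traffic.
SAMPLE_LOGS = [
    ("firewall", "2002-10-14 03:12:01 fw1 deny tcp 203.0.113.7:4451 -> 10.0.0.5:22"),
    ("unix", "Oct 14 03:12:05 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 4452 ssh2"),
    ("windows", "2002-10-14 03:12:09 WINSRV1 Security 529 Logon Failure user=Administrator src=203.0.113.7"),
    ("unix", "Oct 14 03:40:00 host2 sshd[2310]: Accepted password for alice from 192.0.2.10 port 51000 ssh2"),
    ("firewall", "2002-10-14 03:41:00 fw1 permit tcp 192.0.2.10:51000 -> 10.0.0.6:22"),
]

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FIREWALL_RE = re.compile(rf"^(\S+ \S+) (\S+) (deny|permit) \w+ {IP}:\d+ -> {IP}:\d+$")
UNIX_SSHD_RE = re.compile(
    rf"^(\w{{3}}) +(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    rf"(Failed|Accepted) password for (?:invalid user )?\S+ from {IP} port \d+")
WINDOWS_LOGON_RE = re.compile(rf"^(\S+ \S+) (\S+) Security (\d+) .*? user=\S+ src={IP}$")


def parse_event(source, line):
    """Agent step: normalize one raw line into the common schema; None if it does not parse."""
    if source == "firewall":
        m = FIREWALL_RE.match(line)
        if not m:
            return None
        ts, host, verb, src_ip, dst_ip = m.groups()
        return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "platform": "firewall",
                "host": host, "src_ip": src_ip, "dst_ip": dst_ip, "action": verb, "raw": line}
    if source == "unix":
        m = UNIX_SSHD_RE.match(line)
        if not m:
            return None
        mon, day, clock, host, verb, src_ip = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "platform": "unix", "host": host, "src_ip": src_ip, "dst_ip": None,
                "action": "auth_fail" if verb == "Failed" else "auth_ok", "raw": line}
    if source == "windows":
        m = WINDOWS_LOGON_RE.match(line)
        if not m:
            return None
        ts, host, event_id, src_ip = m.groups()
        # NT/2000 security log IDs: 529 = logon failure, 528 = successful logon
        action = {"529": "auth_fail", "528": "auth_ok"}.get(event_id, "other")
        return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "platform": "windows",
                "host": host, "src_ip": src_ip, "dst_ip": None, "action": action, "raw": line}
    return None


def normalize(logs):
    """Collector step: parse every (source, line) pair, dropping lines that do not parse."""
    events = [parse_event(src, line) for src, line in logs]
    return [e for e in events if e is not None]


def platform_view(events, platform):
    """The per-platform view a single team works from (e.g. the Unix view)."""
    return [e for e in events if e["platform"] == platform]


FAILURE_ACTIONS = {"deny", "auth_fail"}


def correlate_multi_platform(events, window=timedelta(minutes=10), min_platforms=2):
    """Cross-platform rule: one source address seen on >= min_platforms platforms
    within `window`, at least one event being a failure. A source that merely
    logs in successfully on several platforms does not fire the rule."""
    by_src = defaultdict(list)
    for e in events:
        if e["src_ip"]:
            by_src[e["src_ip"]].append(e)
    alerts = []
    for src_ip in sorted(by_src):
        evs = sorted(by_src[src_ip], key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hits = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            platforms = sorted({e["platform"] for e in hits})
            if len(platforms) >= min_platforms and any(e["action"] in FAILURE_ACTIONS for e in hits):
                alerts.append({"src_ip": src_ip, "platforms": platforms, "event_count": len(hits),
                               "first_seen": hits[0]["ts"], "last_seen": hits[-1]["ts"]})
                break  # one alert per source; later windows would only repeat it
    return alerts


if __name__ == "__main__":
    evts = normalize(SAMPLE_LOGS)
    print(f"{len(evts)} normalized events, {len(platform_view(evts, 'unix'))} in the Unix view")
    for a in correlate_multi_platform(evts):
        print(f"ALERT {a['src_ip']} on {a['platforms']} ({a['event_count']} events, "
              f"{a['first_seen']:%H:%M:%S} to {a['last_seen']:%H:%M:%S})")
```

Run as-is, the rule fires once, for 203.0.113.7, which is denied at the firewall and then fails logons on a Unix host and a Windows host within eight seconds; 192.0.2.10 touches two platforms too but only with successes, so it stays quiet. The brittle part is exactly the one Taylor ran into: each parser is welded to one device's output format, so a vendor changing its log or database layout silently turns that source into a stream of `None` until the agent is updated. Counting dropped lines per source, rather than discarding them quietly as `normalize` does here, is the first check a practitioner should add.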
Taylor is not discouraged because agents for other devices are working well. Putting other devices on the ArcSight Inc. platform at the U.S. Department of Energy's research facility has been relatively uneventful. "The firewall, syslog, event log, and vulnerability-scanning agents have been tested and are working," he says.
Holland America's Hoggard, too, has faced only minor problems with agents in the deployment of e-Security's SEM tool. "The agent on NT/2000 requires a reboot, which has taken some time to schedule for many servers. This could be avoided by employing different methods of transferring the event data, but a local agent is much more secure. This challenge wasn't too hard to overcome ... The Unix side doesn't require a reboot, so that is much easier," he says.
Next-gen unified security management
Current offerings are beginning to move beyond centralized reporting to enhanced offerings such as e-Security's exclusive tie-in with Symantec Corp.'s SecurityFocus vulnerability database. Vendors are also starting to build better management into security solutions. Indeed, Gartner's Pescatore sees centralized control of security devices as the apex of tomorrow's SEM tools.
"We have seen the demand and some products from ArcSight, NetForensics Inc. -- supplying products to centralize reporting," Pescatore explains. "Tivoli's Risk Manager and Computer Associates' [forthcoming] eTrust Security Command Center have centralized reporting and monitoring. But none have centralized control." The CA offering is in second-round beta testing and is expected to be released this summer, according to CA officials.
Pescatore is looking toward a third-generation tool -- one that would correlate critical and cyclical business activities with security incidents. "Translating business needs into security needs is difficult," he says. "Trying to create the same terminology across business and security has proven very tough. Risk management on the business side means something different from the security side."