Guide to Security Information Management

Best practices for a successful SIM deployment

Identifying target security systems and setting policy are imperative measures

By Denise Dubie

Security information management (SIM) technologies are pretty much imperative for corporate security these days. But IT executives won't be able to reap the full rewards without following some best practices when putting the technology in place.

"[SIM] tools are fast becoming must-haves for security teams wanting more visibility into IT activity within their environment," says Paul Stamp, a principal analyst with Forrester Research. According to Forrester, the market for SIM products is growing at about 50% annually and the technology will continue to become part of larger security-infrastructure and management plans. "[SIM] tools used to be purely the domain of the security analyst working on operational issues. These days, the information that a [SIM] tool provides often ends up on the CISOs, or even the CIO's, desk," Stamp says.

Industry watchers and IT managers alike say that SIM won't protect environments from all threats, but the technology can go a long way toward identifying the risk present in any environment.

Stamp says, "As threats become more targeted and sophisticated, there is often no single tool that can detect the telltale signs of an attack. Many modern attacks manifest themselves in policy violations like privilege escalations or changes to critical files rather than specific vulnerabilities being exploited or well-known malware being downloaded." To be certain SIM is able to adequately streamline the "processes of gathering, analyzing and reporting log, vulnerability and configuration data," it is essential to identify the critical systems in your environment before choosing a SIM technology.

Michael Gabriel, CISO at Career Education Corp. in Hoffman Estates, Ill., uses netForensics' SIM product to collect data from security and network devices, as well as databases and Microsoft domain controllers. He says building a complete picture of the security environment upfront will better guarantee success.

"Identify the critical devices you want to collect log events from and be sure you include the perimeter, operating system and application/database layers for a complete picture of your security posture," Gabriel says.

Another upfront facet of SIM best practices involves getting appropriate policies in place for the SIM tool to enforce. The technology works only as well as your existing security policies, according to Joel Snyder, a senior partner at Opus One, so before buying products, be sure to get policies in place.

"You cannot simply throw the box in and assume that it will tell you what you need to know about your security or network posture," Snyder says. "You have to be willing to actually look deep into what you really care about and either write or activate rules that will make the [SIM] product work."

Gabriel agrees, saying SIM users must be ready to fine-tune the product before rolling it out and on an ongoing basis afterward, to keep it effective at reducing the noise of nonevents and surfacing the events that are critical to securing the environment.

When deploying SIM, be ready to negotiate interdepartmental politics. The products are difficult to deploy, because they require IT managers to distribute software agents or modify device configurations in departments that perhaps are not under their dominion. Because the technologies straddle IT operations and security teams, deployments can hit roadblocks when access rights and privileges come into play.

"[SIM], like identity and access management, is by its very nature a heterogeneous product, and thus SIM rollouts involve complex technical integration and political negotiations," Forrester's Stamp reports. "The architecture of the [SIM] tool doesn't seem to make a whole lot of difference either. Even if a solution doesn't require an installed agent to get information from a system, it still usually requires a configuration change or privileged account to get the data it needs -- and system owners aren't likely to let that happen without good reason."

After SIM is deployed, don't underestimate its usefulness beyond the security realm. As the IT disciplines around operations management and security monitoring continue to converge, IT managers can get more out of their SIM investment by putting it to use in gaining efficiencies elsewhere. For instance, SIM technology is also able to monitor which staffers and users follow COBIT policies Gabriel has in place for compliance and audit reasons.

"Don't neglect to look for opportunities to leverage the system's ability to report on operational events that are not necessarily security-related," Gabriel says. "Your operations team will appreciate the information and be more willing to partner on security initiatives when they see a benefit."

What to ask when buying security information management

Scalability, interoperability and log management are key considerations

By Denise Dubie

IT executives shopping for SIM should focus their attention on a few key capabilities when evaluating vendor products. While conditions may vary depending on the environment in which the technology will be deployed, all IT executives looking at security-management products need to ask the following:

1. How does the product scale? IT managers must determine the number of devices from which they want to collect information and ask the vendor how the technology accommodates that volume of log data. Many SIM products state how many events per second they can capture, analyze and store. Some require installing multiple collection servers, for instance, if each server can manage at most 10,000 events per second or 100 managed devices. Others may require the customer to provide additional storage capacity, or offer partner options for archiving the raw log data.

"You need to make sure the system can go with your network," says Michael Gabriel, CISO at Career Education Corp. in Hoffman Estates, Ill. Gabriel uses a combination of netForensics and Rippletech (a netForensics partner) software to manage security events generated from firewalls, prevention systems, domain controllers and Cisco devices.

2. Does the product include log-management features? Compliance regulations can be both specific and vague about how, and for how long, organizations need to retain their log data. It makes sense that SIM products collecting logs from managed devices should also provide the capabilities to manage and archive that log data appropriately.

"Some regulations, like Payment Card Information Data Security Standard, for example, specifically mandate log management," according to Paul Stamp, principal analyst at Forrester Research. "Others, like Sarbanes-Oxley, are more opaque, requiring organizations to demonstrate the integrity of business processes, which means they need to show they are monitoring applications and the underlying infrastructure for improper behavior."

3. Can it accept data from other security-management products, databases or third-party systems? SIM products will be critical components of larger enterprise risk-management strategies, and IT managers today need to know that the data collected by unified threat management, antispyware and vulnerability-management products, to name a few, can be fed into the SIM product's event-correlation and analysis engines. Customers should compel vendors to specify what kinds of data, and how much data across the enterprise, the tool can collect and correlate. IT managers should ask which third-party products the vendor supports and whether a software developer kit is available for customers to build their own integrations, if need be.

For example, "the ability to integrate vulnerability data from a vulnerability-scanning engine to help it set the severity of events based on the device's vulnerability to the threat" is a must-have feature, Gabriel says.

4. Can the product generate alerts in real time based on complex events? It's a given that SIM products collect and correlate multiple events, but IT executives should ask whether the technology can take disparate events happening across an environment and determine whether they all relate to a common threat. For instance, Symantec defines blended threats as security incidents that "combine the characteristics of viruses, worms, Trojan Horses and malicious code with server and Internet vulnerability to initiate, transmit and spread an attack." IT executives should know whether the SEM/SIM tool they plan to purchase can identify such threats.

According to Gabriel, SIM should include "the ability to create real-time alerts based on complex, nested conditions."

5. Does the product offer "active response" capabilities? A more advanced SIM capability is active response -- meaning the technology takes action based on the data it collects. For instance, if an individual working remotely is repeatedly attempting to access a Web server without success -- using the wrong password -- the security-management product can block traffic to that server. Yet active-response features, according to Joel Snyder, a senior partner at Opus One, should follow policies and not shoot from the hip.

Because the automated actions taken to prevent a security threat from spreading can shut down servers and degrade network performance, active response is not a cut-and-dried capability. For an external attack, the technology needs to know where to block traffic. For an internal attack, SIM products must know where to block traffic and for how long. "Even if you like it, active response is harder than it sounds," Snyder says.

Security-information market continues to flourish

Start-ups and trusted management vendors vie for business

By Denise Dubie

Security information management (SIM) products began to emerge earlier this decade because security professionals needed an alternative to manually sorting through the ever-increasing volume of security alerts generated across various network and security devices.

SIM technology is designed to automate the collection of event-log data from security devices and help users make sense of it through a common management console. SIM uses data-aggregation and event-correlation features similar to those of network-management software and applies them to event logs generated by security devices, such as firewalls, proxy servers, intrusion-detection systems and antivirus software. What's more, SIM products can normalize data -- that is, they can translate Cisco and Check Point Software alerts into a common format so the information can be correlated.

There is a marketing battle in the industry over what to call these products. The security event-management (SEM) and security information-management (SIM) markets emerged almost simultaneously, as vendors adopted different acronyms to describe similar capabilities.

"If you look at the [SIM and SEM] products, they are essentially identical -- it just depends on the acronym the vendor picked," says Joel Snyder, a senior partner with Opus One.

Yet others would say that SEM emerged first as a simpler feature set that expanded to become a standard component in more advanced SIM products. For instance, SEM applies to collecting log and syslog data from devices and systems, which is essential to any SIM product. But SIM proponents would argue that their technologies take the data collection to the next level.

For instance, SEM emerged to quiet the noise, so to speak, of all the events coming in from multiple devices and to pinpoint in real time which events were threats. More recently, to address the pressing compliance needs of IT executives, SIM added historical reporting, trend analysis and long-term data storage.

Today, these wares come from start-ups and existing management and security vendors alike. The flurry of start-ups that has emerged includes such companies as netForensics, GuardedNet, e-Security and Intellitactics. These companies ship products designed to marry the data collection, normalization and correlation capabilities of management software with the intelligence of security tools.

Bigger vendors picked up on the potential of this technology area and started shopping. For instance, Novell acquired e-Security, Micromuse acquired GuardedNet and IBM later acquired Micromuse.

According to a recently published Forrester Research report, the market for SIM technology is growing at a rate of about 50% and will continue to grow like that until 2009 -- reaching close to $1.2 billion by 2011. Because of pressures related to meeting regulatory standards, more companies need to perform log management and demonstrate the integrity of their business processes -- "which means they are monitoring applications and the underlying infrastructure for improper behavior," the Forrester report states.

Another factor that will drive the growth in this sector, Forrester says, is small-to-midsize businesses taking a look at SIM. As the products become easier to use and more affordable, SMBs will start to invest in the technology. Right now, Forrester estimates, companies with fewer than 1,000 employees account for about 1% of the market, but by 2011 they could make up about 30%. And SIM technology could become a bridge between IT and business operations, the research firm speculates, saying it will foster more collaboration as it flourishes in companies of all sizes.

"SIM will be the primary tool for enabling operations teams and security teams to collaborate on: turning business policy into specific configurations and requirements; assessing the risk of ongoing security issues; and coordinating the response to security incidents," the report reads.

The simple facts behind security information management

Security event correlation comes from net management lineage

By Denise Dubie

Security information management (SIM) products – also known as SEM, ESM and SEIM – find their roots in network-management technologies.

SIM software, sometimes packaged by vendors on optimized appliances, uses product architectures similar to those found in traditional network-management tools but incorporates security intelligence, threat knowledge and compliance expertise to help IT executives better manage their security infrastructure and potential enterprise risk. The security-management market evolved earlier in the decade to reduce the manual effort involved in collecting log data from security and network devices.

"Security people thrive on information. But more-complex security infrastructure means that security teams have reams of data to plow through to get to the nuggets of information that they need, whether that be information to identify a threat, investigate an incident, respond to an audit request or to just demonstrate to management that they are doing a good job," says Paul Stamp, a principal analyst with Forrester Research.

Today's tools automatically collect syslog events and application security-related data from PCs, servers and other networked devices to help IT executives stay in front of threats. The products include event aggregation and correlation features to help automate the process of collecting and analyzing the data contained in device logs and syslogs from servers. Many vendors also supply reporting software specific to regulatory-compliance standards.

A primary similarity between SIM and network- and system-management tools is product design. For instance, security-management products typically consist of server software; agent software installed either on servers close to the devices they monitor or on the devices themselves; and a centralized Web-based management console, from which IT managers configure and administer the product and view reports. Given the volume of raw log data that must be retained to comply with regulations, many SIM products include additional storage capacity and data repositories.

To help IT managers understand threats across their environment, the technologies collect log data and apply data-aggregation and event-correlation features to the event and security logs generated by firewalls, proxy servers, intrusion-detection and -prevention systems and antivirus software. SIM vendors work to support specific vendor products, such as Cisco routers, Check Point firewalls or Microsoft domain controllers, to make collecting logs from those systems easier.

IT managers can work with their vendor to request support for specific network or security logs, but even with such support, IT managers deploying the technology must configure devices and systems to expose their log data to the SIM product. The software then normalizes, or translates, the log formats from Cisco, Microsoft, Check Point and other data sources into one common language so that the events can be properly correlated.
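The normalize-then-correlate pipeline described above (and the "complex, nested conditions" alerting mentioned earlier in the buyer's guide), as an added example that is not code from the page or from any vendor's product. The two log formats, the host names, the year assumed for the Cisco syslog timestamps and the rule thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in two vendor formats (not real captures): Cisco ASA-style
# syslog from a perimeter firewall and a simplified Windows logon event from a domain controller.
SAMPLE_LOGS = [
    'May  1 10:00:01 fw1 %ASA-6-605004: Login denied from 203.0.113.7/51234 to outside:198.51.100.2/ssh for user "admin"',
    "2024-05-01T10:00:05 DC01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7",
    'May  1 10:00:09 fw1 %ASA-6-605004: Login denied from 203.0.113.7/51240 to outside:198.51.100.2/ssh for user "admin"',
    "2024-05-01T10:00:12 DC01 EventID=4624 TargetUserName=alice IpAddress=203.0.113.9",
    "May  1 10:00:20 fw1 %ASA-6-302013: Built inbound TCP connection 1 for outside:203.0.113.9/4000 (203.0.113.9/4000) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "2024-05-01T10:00:30 DC01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7",
]

ASA_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) %ASA-\d-(?P<msgid>\d+): (?P<msg>.*)$")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def normalize(line, year=2024):
    """Translate one vendor-specific line into the common schema; return None for non-events (noise)."""
    m = ASA_RE.match(line)
    if m:
        if m["msgid"] != "605004":      # only the "Login denied" message is mapped here (assumption)
            return None
        d = re.search(r'from (?P<ip>[\d.]+)/\d+ .* for user "(?P<user>[^"]+)"', m["msg"])
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
        return {"ts": ts, "source": m["host"], "event": "auth_failure", "src_ip": d["ip"], "user": d["user"]}
    m = WIN_RE.match(line)
    if m and m["eid"] == "4625":        # 4625 = failed logon; 4624 (success) is dropped as a non-event
        return {"ts": datetime.fromisoformat(m["ts"]), "source": m["host"],
                "event": "auth_failure", "src_ip": m["ip"], "user": m["user"]}
    return None

def correlate(events, window=timedelta(seconds=60), threshold=3):
    """Nested rule: >= threshold auth failures from one IP inside `window` AND seen by >= 2 log sources."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in burst}
            if len(burst) >= threshold and len(sources) >= 2:
                alerts.append({"src_ip": ip, "count": len(burst), "sources": sorted(sources),
                               "users": sorted({e["user"] for e in burst})})
                break                   # one alert per IP per burst
    return alerts

def analyze(lines=SAMPLE_LOGS):
    """Run the pipeline: normalize every line, drop noise, correlate across layers."""
    events = [e for e in map(normalize, lines) if e]
    return events, correlate(events)

if __name__ == "__main__":
    for alert in analyze()[1]:
        print(alert)
```

The successful logon and the ordinary firewall connection are discarded at normalization, so only the cross-layer failed-login burst from 203.0.113.7 reaches the correlation rule.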

Many SIM suites include multiple applications to address different event-management and security-threat issues. For instance, a suite could include an event manager designed to collect the network and security events and display data related to them in a management console. A suite might also have an intrusion-detection piece that scans the collected logs for known threats or anomalous behavior that could pose a risk to the environment. An increasing number of SIM products feature log management -- if not a stand-alone log-management application -- to handle the proper storage and archiving of all logs captured across multiple devices and systems.

"SIM [products] have to be life-cycle products. A lot of SIM vendors call log management complementary; that's simply a sign that they haven't finished their products," says Joel Snyder, a senior partner with Opus One. "You have to have SIM that can take you from 'get a syslog' all the way to 'generate compliance reports' and everything in between."
