Keeping up with security compliance can be daunting. But there are ways to make it easier.
Challenges abound for IT security managers in today’s enterprise. In addition to increasingly complicated threats and a widespread and distributed workforce, they are now tasked with complying with an alphabet soup of regulations.
The Federal Information Security Management Act (FISMA) requires federal agencies to develop, document, and implement agency-wide programs to secure their data and information systems. The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers, health plans and insurers to protect patient information. Organizations outside the United States face similar obligations: the European Union (EU) Data Protection Directive requires each EU member state to pass legislation mandating confidentiality and integrity controls for networks, systems, and data that contain personal information.
Thanks in part to these government and industry requirements, ensuring the confidentiality, integrity and availability of corporate assets and data is no longer simply a technology concern but a critical business issue. To complicate matters further, mobile workers, partners, suppliers, and remote staff require reliable anytime, anywhere access to corporate data, from both wired and wireless connections.
There’s no question that IT departments are placing more and more emphasis on security technology to combat these issues, and spending more money to secure their networks. Companies worldwide spent about $12.9 billion on IT security in 2004. At the same time, the value of the data they need to protect continues to increase, so having effective security measures in place is absolutely necessary. But the bottom line is that many don’t know how secure their networks really are. They can’t keep up with the deluge of data streaming in from their various security products, let alone boil it down to specific action items.
Security event management (SEM) technology is one solution to these challenges. Like the dashboard of a car, it gives IT a ‘big picture’ view of what’s going on in the enterprise with regard to security, encompassing policy assessment, policy compliance and vulnerability assessment. SEM technology correlates the attacks it sees across the network, weighs them against the value of the assets involved, and helps you prioritize which incidents to focus on. All else being equal, an attack on an e-commerce server takes priority over the same attack on an individual PC. So security event management becomes, in effect, the pane of glass through which the information security group views its security posture.
The Three S’s: Simplicity, Scalability and Security Intelligence
A SEM system is not just a matter of collecting logs. It requires three key ingredients to be effective, namely simplicity, scalability and adequate security intelligence, or it becomes just another product to maintain.
A valuable security management solution should be as easy as possible to deploy. A system with a simple, intuitive user interface will also help operators obtain reports containing the most relevant and actionable information.
Scalability is another key consideration for large enterprises. SEM solutions need to ingest output from antivirus products as well as from “noisy” sources like firewalls and intrusion detection sensors that generate hundreds of events per second.
An event can be anything from a virus or worm identified by an AV system to an FTP connection detected by a firewall. Often, what is flagged as an “event” is determined by pre-set rules. For example, a firewall rule might be set to deny all FTP connections. If the firewall sees someone trying to open an FTP connection through it, that transaction will be denied and logged. A single event of this type is unlikely to be mission-critical, unless the system notifies you that the same thing has happened 100 times within one minute. Security event management helps you focus on what’s most important.
The average firewall outputs 150 events per second. That in itself seems overwhelming, but multiply it by the number of firewalls deployed in a large enterprise and the situation becomes unmanageable for IT staff working by hand. Intrusion detection products typically output 25 to 50 events per second, and antivirus products output about 100 events per second across 1,000 antivirus servers. A scalable security event management system helps IT manage and act on this constant stream of information.
Finally, security intelligence is crucial to any security event management system. Intelligence should help you make immediate decisions on security events within your organization by comparing what’s going on in your organization with what’s going on in the world at large.
There are three ways security event management handles this intelligence, and together they let IT managers connect the dots between different sets of security data:
Filtering discards events that are not relevant to IT, so they never reach an analyst.
Aggregation identifies similar events occurring across the enterprise and combines them into a single event.
Correlation links one event with a related event and forwards the pair as a combined event. For example, a worm detected by antivirus software, together with a matching signature fired by an intrusion detection system, will likely be forwarded as one correlated event notification.
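The pipeline described above (filter, aggregate, correlate, then prioritize by asset value, including the “100 FTP denies in one minute” case) as an added, runnable example. This is illustration code written for this article, not Symantec’s product code; the pipe-delimited log format, host names, asset values, severities, thresholds and the worm name are all constructed for the example.

```python
"""Toy security event manager: filter, aggregate, correlate, prioritize.

Added example for this article, not Symantec's product code. The log
format, host names, asset values, severities and thresholds are all
constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: a higher value means an attack matters more.
ASSET_VALUE = {"ecom-web-01": 10, "mail-01": 5, "pc-0417": 1, "pc-0912": 1}

# Constructed per-type severities (1..10).
SEVERITY = {"fw.deny": 2, "ids.signature": 5, "av.worm": 6, "correlated.worm": 9}

# Event types that are routine noise for the security team.
NOISE = {"fw.allow", "av.update"}

# Repeated events that only matter above a count within a one-minute bucket.
THRESHOLD = {"fw.deny": 100}


def parse(line):
    """Parse a constructed 'ISO-time|source|type|host|detail' log line."""
    ts, source, etype, host, detail = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "type": etype, "host": host, "detail": detail}


def filter_events(events):
    """Filtering: drop event types the security team never needs to see."""
    return [e for e in events if e["type"] not in NOISE]


def aggregate(events):
    """Aggregation: fold identical (type, host) events from the same minute
    into one event carrying a count, then drop bursts below threshold."""
    buckets = {}
    for e in events:
        key = (e["type"], e["host"], e["ts"].replace(second=0, microsecond=0))
        if key in buckets:
            buckets[key]["count"] += 1
        else:
            buckets[key] = {**e, "count": 1}
    return [b for b in buckets.values()
            if b["count"] >= THRESHOLD.get(b["type"], 1)]


def correlate(events, window=timedelta(minutes=5)):
    """Correlation: an AV worm detection and an IDS signature hit on the
    same host within `window` become one combined, higher-severity event."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    out = []
    for host, evs in by_host.items():
        worms = [e for e in evs if e["type"] == "av.worm"]
        sigs = [e for e in evs if e["type"] == "ids.signature"]
        merged = set()
        for w in worms:
            for s in sigs:
                if abs(w["ts"] - s["ts"]) <= window:
                    out.append({"ts": min(w["ts"], s["ts"]), "source": "sem",
                                "type": "correlated.worm", "host": host,
                                "detail": f"{w['detail']} + {s['detail']}",
                                "count": w["count"] + s["count"]})
                    merged.update([id(w), id(s)])
        out.extend(e for e in evs if id(e) not in merged)
    return out


def prioritize(events):
    """Rank incidents by severity weighted by the value of the asset hit."""
    for e in events:
        e["score"] = SEVERITY.get(e["type"], 1) * ASSET_VALUE.get(e["host"], 1)
    return sorted(events, key=lambda e: e["score"], reverse=True)


def run_sem(lines):
    """Full pipeline: parse -> filter -> aggregate -> correlate -> prioritize."""
    return prioritize(correlate(aggregate(filter_events(map(parse, lines)))))


# Constructed sample feed. The generated tail fakes 120 FTP denies within one
# minute from a single PC, the "100 times within one minute" case above.
SAMPLE_LINES = [
    "2004-11-02T09:00:05|firewall|fw.allow|mail-01|tcp/25 from 203.0.113.7",
    "2004-11-02T09:00:09|antivirus|av.update|pc-0912|definitions 2004-11-02",
    "2004-11-02T09:00:12|firewall|fw.deny|mail-01|tcp/21 from 198.51.100.9",
    "2004-11-02T09:01:30|antivirus|av.worm|ecom-web-01|W32.Example (hypothetical)",
    "2004-11-02T09:02:10|ids|ids.signature|ecom-web-01|worm propagation attempt",
    "2004-11-02T09:03:00|antivirus|av.worm|pc-0912|W32.Example (hypothetical)",
] + [f"2004-11-02T09:05:{i % 60:02d}|firewall|fw.deny|pc-0417|tcp/21 from 192.0.2.{i % 254 + 1}"
     for i in range(120)]


if __name__ == "__main__":
    for inc in run_sem(SAMPLE_LINES):
        print(f"{inc['score']:3d} {inc['type']:16} {inc['host']:12} "
              f"x{inc['count']} {inc['detail']}")
```

Running it yields three incidents from 126 raw lines: the correlated worm on the e-commerce server ranks first (score 90), the lone worm detection on a PC second, and the 120-deny FTP burst third, while the single FTP deny against the mail server and the allow/update noise never reach the analyst. The design choice worth noting is that aggregation buckets by minute before thresholding, so a burst straddling two minute boundaries can be split below threshold; a production system would use a sliding window instead.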
Interpreting and Managing Data
It can be difficult to get real-time information about what is happening across your network. If you have deployed various security devices, you know it takes time to sort through millions of events, and finding the most important issues in time to take action is a challenge. What’s more, you need qualified employees with the expertise to interpret the data, whether that means trend analysis or simply separating the important series of events from the unimportant ones.
It is a classic scenario: you have installed separate security components, and each comes with its own management console. But time is of the essence; security incidents won’t wait for your team to discover them. Without a single view of events along the network perimeter, attempts to break into a corporate server or a blended threat crossing into your network could happen right under your nose. SEM technology provides a way to consolidate the output of antivirus, intrusion detection, firewall and vulnerability management products, so the more of the popular third-party products and technologies a SEM product can integrate with, the more complete its view and the more effective the solution.
Some security event management systems also work with network and systems management platforms, giving IT a more holistic view of what’s going on in the enterprise and a single place to handle identity management, access management, configuration management and user provisioning. It’s also important to tie incident management, alerts and notifications into help desk systems so that issues are resolved in a timely manner.
Managing enterprise security today is a difficult process, delivered through a combination of disparate commercial products from different vendors that lack integration and interoperability. The result is a high degree of complexity and increased operational cost. Administrators may spend much of their time on redundant tasks required simply to keep a complex security infrastructure running. In this economic climate, there is increased pressure to do more with less, in both money and staff. SEM technology can free up your staff to focus on higher value activities, meaning improved and more proactive security for your enterprise.
Rowan Trollope is vice president of Security Management Products at Symantec.