Security managers today face an increasingly challenging task. Hackers and worms are growing more sophisticated and their propagation velocity is increasing. Internal threats – ranging from corporate espionage to maladroit employees introducing the latest virus – pose at least as much of a danger as attacks from beyond the firewall, if not more so. In addition, in an increasingly security-sensitive regulatory environment, the charter of the chief security officer is expanding to include protecting mission critical assets while providing real time operational awareness and compliance support for the organization at large.
In order to meet these challenges, companies have come to rely on a variety of security products, including firewalls and intrusion-detection systems, to monitor the many types of security issues that are experienced each day. In turn, these products generate an enormous amount of data (logs, alarms, events, etc.), which can overwhelm the analysts who are charged with managing security threats.
Management challenges are further compounded by the fact that, in a quest for best-of-breed products, these devices tend to be purchased from a variety of vendors, each with its own message, log and console format. As a security infrastructure is built out, it becomes increasingly difficult to understand the output of individual or groups of devices and assemble a complete picture of an organization's threat profile.
The task of understanding and dealing with security data is now even more complex, as business managers are demanding access to security information as part of their overall service level agreements for critical business processes, as well as in support of corporate compliance efforts. However, because business managers lack the technical background to decipher a stream of alerts expressed as IP addresses, ports and intrusions, that information must be translated efficiently into business terminology.
How, then, can security professionals manage all the tasks associated with collecting, understanding, acting on and communicating security information? The answer lies in centralized security information management, which leverages the considerable investments made in security point products, detects and counteracts security threats as they happen, and provides a unified view of enterprise security status that is as meaningful to business managers as it is to security professionals.
Security information management solutions begin with a system of software-based agents to collect security-relevant information from newly deployed devices as well as legacy systems. Ideally, these agents will report to a centralized manager that will store security event data in an efficient manner for both real time processing and regulatory compliance support. However, simply recording data to disk can quickly overwhelm an organization's networked storage resources. By utilizing advanced compression, archiving and retrieval in conjunction with enterprise-class database technology, such as Oracle or DB2, an organization can have its most recent security data available for real time processing while maintaining older data in a "near-line" state for easy access. This frees up disk space while efficiently preserving security data for audit, investigation and compliance needs.
In order to eliminate the many false positives produced by in-line devices such as intrusion detection systems, security information management software performs real-time correlation across three inputs: the live event streams, asset vulnerability information reported by periodic network scans, and asset value information. This three-dimensional real-time threat calculation provides the most precise view of the potential danger the organization faces and focuses security resources on the most pressing exploits. Given the accuracy of this threat detection, advanced security information management software can also stop attacks as they occur by integrating with policy and configuration management software to shut down threatening traffic; for instance, a session can be automatically terminated based on the IP address of a threatening event. With this proactive attack mitigation, organizations can choose from a range of responses to the rapidly propagating attacks that are now a standard part of the threat environment.
Perhaps most importantly, security information management software must bridge the gap between the security organization and the enterprise mission, as each group's needs are radically different. While the security group needs to monitor IP addresses, ports, services, and operating systems that are under attack, the business group needs to understand exactly what resources and processes are threatened and how that translates into financial and regulatory exposure. Forward-thinking organizations will make sure that reporting schemes can present an IP address (e.g. 10.10.5.2) in terms of a business process (e.g. general ledger) and that a vulnerability (e.g. CVE-2004-020) can be expressed as the threat that certain assets risk being non-compliant with key laws and regulations, such as Sarbanes-Oxley or HIPAA.
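As an added illustration (not the article's or ArcSight's code), the following constructed Python sketch shows the three-dimensional calculation described two paragraphs above together with the IP-to-business-process translation from this one: an IDS alert's severity is weighted by whether the periodic scan actually found the targeted vulnerability on the destination asset and by that asset's business value, and the result is reported in business terms. The asset inventory, scan results, event records, threshold and CVE identifiers are all constructed placeholders.

```python
"""Constructed example of event x vulnerability x asset-value correlation."""
from dataclasses import dataclass

# Constructed asset inventory: IP -> (business process, asset value on a 1-10 scale)
ASSETS = {
    "10.10.5.2": ("general ledger", 9),
    "10.10.7.15": ("intranet wiki", 3),
}

# Constructed scan results: IP -> vulnerabilities the last scan found on that host
# (CVE ids are placeholders, not real identifiers)
SCAN = {
    "10.10.5.2": {"CVE-EXAMPLE-0001"},
    "10.10.7.15": {"CVE-EXAMPLE-0002"},
}


@dataclass
class Event:
    src_ip: str
    dst_ip: str
    cve: str        # vulnerability the IDS signature is written for
    severity: int   # severity reported by the IDS, 1-10


def score(event):
    """Three-dimensional threat score: severity x vulnerability match x asset value.

    Returns (score, business_process). An alert for a vulnerability the scan did
    not find on the target is heavily down-weighted; this is the false-positive
    pruning the article describes. Unknown assets get a low default value.
    """
    process, value = ASSETS.get(event.dst_ip, ("unknown asset", 1))
    vulnerable = event.cve in SCAN.get(event.dst_ip, set())
    match = 1.0 if vulnerable else 0.1
    return round(event.severity * match * value, 1), process


def prioritize(events):
    """Rank events by score, expressed as (ip, business process, score, cve)."""
    ranked = sorted(events, key=lambda e: score(e)[0], reverse=True)
    return [(e.dst_ip, score(e)[1], score(e)[0], e.cve) for e in ranked]


def should_terminate(event, threshold=40.0):
    """Response hook: True when policy says the offending session should be cut."""
    return score(event)[0] >= threshold
```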
Centralized security information management software is the technology complement to sound enterprise security policies. By taking advantage of comprehensive security data collection and archiving, advanced analytics and reporting, and the ability to translate technical security status into mission critical information, security management software can significantly improve the efficiency and effectiveness of the security organization while providing a strong foundation for the myriad of compliance requirements now facing large organizations.
About the author:
Hugh Njemanze is the founder, CTO and EVP, Research and Development, of ArcSight, Inc.