SIM city and the network
Security information management products help you make sense of all your threat data
- By David Essex
- Apr 13, 2006
Michael J. Bechetti
Bill Geimer, program manager in the Chief Information Security Office at the Agency for International Development, has a huge security problem.
'We have a worldwide network in over 70 different locations, in some of the most underdeveloped countries in the world,' Geimer said. More than 100 firewalls and dozens of intrusion detection systems watch for threats. Needing a centralized system to make sense of its data, USAID began investigating security information management products. 'Our need for a SIM was for the obvious reason of collecting, aggregating and correlating all the data from disparate vendors,' Geimer said.
Eventually, USAID chose the nFX Open Security Platform from netForensics Inc. of Edison, N.J. While it may be oversimplification to attribute all its success to SIM, USAID was the only agency to earn an A+ on the Federal Computer Security Report Card for both 2004 and 2005.
Although USAID was among the early adopters, other federal agencies have moved past tire-kicking to full-scale implementation of SIM in the past year. And it's more than post-9/11 policies driving government toward SIM. Such privacy and security regulations as FISMA, the Gramm-Leach-Bliley Act of 1999, and the Health Insurance Portability and Accountability Act prescribe strict guarantees that information is secure and private. That also means keeping electronic security records safe and accessible for examination and for use as evidence.
'Government agencies have deployed a myriad of security technologies, and now they want to get their arms around that information,' said Ashesh Kamdar, group product manager for Symantec Corp., a security software vendor that sells SIM appliance hardware.
Cost savings is another demand driver, as agencies take a hard look at their growing labor budgets for security and network management. 'These tools help them get out of the grunt work,' Kamdar said, referring in part to the laborious manual analysis of security event logs.
That is the situation Glen Sharlun found himself in in 2003 when he was head of the Marine Corps Network Operations and Security Command. 'We had a data overload problem,' he said. 'We had too many people doing computer work. People don't crawl through logs very well.'
After talking to government peers about why they chose their SIMs'or in some cases, replaced them'Sharlun chose the Enterprise Security Manager from ArcSight Inc. of Cupertino, Calif. The system helped free up security analysts to make decisions on threats, then respond using ESM's workflow and time-stamping features as well as Remedy help desk software.
'Most of the information coming across a firewall is noise,' said Tracy Hulver, director of product management for netForensics. 'The first thing SIM does is take all those messages and filter them down.'
Because security information management is still a nascent technology, vendors of many different products claim to do all or part if it. Log management specialists such as LogLogic Inc. and SenSage Inc. play an important security role (in fact, SIM vendors integrate with their products), and some claim SIM-like features. LogLogic, for example, uses algorithms and such artificial-intelligence techniques as machine learning to make sense of unfamiliar log formats.
Another class of software and appliances that might be confused with SIM comes from the intrusion detection world, and provides enterprisewide correlation to the data stream coming from their devices. Andrew Braunberg, senior analyst for information security at Current Analysis, a market research firm, cites software from Check Point Software Technologies Ltd. and Sourcefire Inc. as examples of 'SIM lite.'
What ultimately distinguishes SIM is its ability to paint a more complete, risk-adjusted assessment of an agency's security profile. Its sensitivity to the business values of IT assets can, for example, prevent security teams from wasting hours eradicating worms from a mobile worker's laptop while a denial-of-service attack is exploding on the agency's mail server. SIM tools also help with the regulatory matters by calling special attention to threats to systems that have the greatest role in compliance. Some integrate directly with third-party compliance software.
SIM products come in two configurations: software that runs on a server platform, generally of your choosing, and network appliances that prepackage everything in a neat little box. In general, servers are more flexible and easier to scale up to meet future demand, but they can be hard to configure. Appliances help avoid most setup hassles and may offer better performance but are usually less configurable.
Performance and scalability also hinge on the type of database sitting behind the SIM tool. Relational database management systems built on familiar platforms such as Oracle Database are often more customizable, but they generally rely on software agents to collect device data. This is the approach favored by some of the biggest names in SIM, including ArcSight, Intellitactics Inc. and netForensics.
Filter or no filter?
Other SIM vendors, notably Network Intelligence Corp. and OpenService Inc., use largely agentless, proprietary databases that they claim are faster and provide analysts all available data rather than filtering it.
'We have customers who have several hundred thousand events per second, and some are going up to a million per second,' said Jim Melvin, a Network Intelligence executive vice president. Tracking all the events unfiltered makes it easier for analysts to establish baselines of normal activity against which to compare suspicious activity, and meets FISMA requirements for reporting unaltered security data.
But Steve Sommer, senior vice president at ArcSight, disagreed, describing Network Intelligence's proprietary database as a 'high-performance log collector. It's not real good at doing custom reporting or real-time threat analysis.'
Needs vary from agency to agency. Wherever you land in the agent-versus-agentless decision, spotting a threat is important, but response is what counts.
SIM tools can take up to three approaches. They can have incident response built in, providing trouble tickets and alerts that security analysts can pass along to network operations staff for remedial action. Or they can pass data and alerts directly to help desk programs. In the more low-tech third option, security and network teams use a help desk tool to enter SIM information manually.
SIM tools typically don't initiate responses without human intervention. The secured assets are too valuable, and the software is not yet smart enough to be trusted. 'Automatic response is a scary term for most customers, and rightly so,' said Sharlun, ArcSight's director of strategic application solutions. Some users program their SIM systems to take action that can be safely standardized, such as shutting down a server infected with a known, fast-moving worm.
But perhaps the most important reason SIM plays a more passive role in network security is that its functionality typically spans two groups within an organization. Any platform you choose should have features that bridge the divide.
Network operations centers and security operations centers are usually separate departments and cultures that don't always work well together. SIM is an SOC thing, but remediation often gets thrown in the NOC's lap. 'The network guys just do not like the idea of a tool going out and messing with their infrastructure,' said Paul Stamp, senior analyst at Forrester Research.
Calvin Chai, marketing manager for Cisco System's CS-MARS SIM appliance, agrees the NOC versus SOC conflict exists, especially in large organizations, but says the real issue now is a blurring of the lines of responsibility. The SOC's job used to be to define security policy and monitor threats. 'But we've seen security becoming more and more integrated into the network infrastructure itself,' Chai said.
SIM vendors see this as an opportunity to add integration and collaboration features. 'There's this historic divide between the network operations guys and the security operations guys, and there's always discussion on how to better integrate those two players,' Braunberg said.
Linking approval workflows is one obvious solution. Better data sharing is another. For example, a NOC might misdiagnose a performance degradation issue until the SOC alerts it to a possible denial-of-service attack.
As network attacks have evolved into lightning-quick, so-called 'zero-day' threats, they've nearly passed by the original SIM technology. SIM came along expressly to add analysis of both historical and current security events, essentially slowing down the art of network protection. SIM vendors, among them Cisco and Network Intelligence, are now touting new features that expand their ability to offer real-time monitoring and response by analyzing network traffic streams. As a result, SIM is evolving into SIEM: security information and event management.
Moreover, agencies increasingly recognize that threats also come from inside their walls, from employees who already have access to the network and mean to do it harm. 'We have some very sophisticated U.S. government customers using us for insider threat detection,' said Sommer.
Monitoring firewalls and other edge devices helps little. 'It's harder to detect,' Sommer said of insider threats. 'You have to do different types of analysis.' So, SIM vendors have begun adding features that help spot suspicious behavior by trusted users.
While security information management can help make sense of a complex network, it's not a silver bullet. 'To think of a SIM as an all-powerful expert system'I think we're a long way way from that,' said Stamp.
Industry analysts, and even some of the vendors, say SIM products must be made easier for more people to use, especially for correlation and analysis. 'The technology, if anything, is a bit too complex,' Braunberg said. 'Where we're at now is trying to simplify and move beyond these initial pilots. Ease of use and ease of configuration and management issues are top-of-mind right now.'
The very complexity of SIM and the networks it protects make it hard to run a small-scale pilot or to get a meaningful demo from vendors. Rather, the best way to investigate SIM products is to talk to peers who have used them'including some the vendor did not recommend. 'Find someone who looks like you and is doing what you want to do, and talk to them,' Geimer said.
David Essex is a freelance technology writer based in Antrim, N.H.