Every security product now being sold promises to help enterprises grapple with compliance issues. Most of the time this is pure vendor hype, but in the case of SEM systems there's some correlation between sales pitch and reality.
One reason is that SEM systems are basically log storage and retention devices. They demonstrate to auditors that you can monitor and report on network activity in a repeatable manner. They also demonstrate that logs are being reviewed--or at least that critical events are being brought to someone's attention.
SEM products with deep reporting capability can also be used to generate reports to meet compliance demands. "We're able to go back and show whatever an examiner or auditor wants," says Hart. "If they want to see how many changes happened from January 1st to April 30th, I can do two clicks and show that report. If they want to see a specific user, I can do that."
SEM systems that monitor changes to critical assets can also assist on the compliance front. "If you poll five CIOs about their Sarbanes-Oxley pain, you'll find it's poor change management and revision control," says Ron Gula, founder and CTO of Tenable. "They don't have vision into the configuration of their systems." By ingesting information from security and network devices throughout the network, SEM systems can provide that vision.
source : http://www.networkcomputing.com/showArticle.jhtml?articleID=172302124
Friday, December 28, 2007
Security Event Management Gets Specialized 3
Posted by [m]aya at 10:52 AM
Security Event Management Gets Specialized 2
WHERE DO I PUT THIS THING?
A SEM system is a serious architectural commitment, and one that will likely spread into various areas of your network. That's because a SEM system is only as valuable as the data it gathers and you feed into it. Thus a full-blown SEM deployment will have components liberally sprinkled throughout your network.
Although the details vary for specific SEM products, the general deployment principles are the same. At the heart of SEM is the analysis center, a database-driven system that generates alerts based on both canned and user-defined rules and lets operators run queries against its storehouse of information.
You can choose between appliances and software for your analysis center, with the requisite trade-offs of each. Appliances are generally easier to deploy, but you will be limited to the processing power and database capacity of the manufacturer. A software solution lets you size your analysis center accordingly, but you're also stuck licensing an OS (and possibly a database application), stripping out unnecessary functions, and keeping all components patched and updated.
The analysis center gathers information from several sources. In some cases, it will receive raw log data directly from other devices, such as firewalls. In other cases, you can deploy intermediary collection devices (again, either appliances or software-based solutions) to gather event data and pass it on to the analysis center. These collectors may passively accept data, or be configured to poll devices such as servers at regular intervals to download logs and events. As an added benefit, they can often do basic correlation and aggregation, weeding out duplicate or insignificant events and delivering normalized information to the analysis center for faster processing.
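The collector stage described above (accept raw lines from heterogeneous devices, normalize them into one schema, weed out duplicates, forward the reduced set) is easy to see in code. The following is an added example and is not code from the article or from any SEM vendor; the firewall and IDS line formats, device names, addresses and sample lines are all constructed for illustration.

```python
"""Added example (not from the article): a minimal SEM collector stage.

Parses constructed syslog-style lines from two different sources (an
iptables-like firewall and a Snort-like IDS), normalizes them into one
event schema, and aggregates duplicates so the analysis center receives one
record per (device, category, src, dst, dport, signature) with a count
instead of every raw line. Formats and sample data are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample input: two firewall drops of the same flow, one IDS
# alert about that flow, and one line no parser understands.
SAMPLE_LOGS = [
    "Dec 27 10:10:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22",
    "Dec 27 10:10:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=22",
    "Dec 27 10:10:03 ids1 snort[311]: [1:2001219:3] ET SCAN SSH brute force {TCP} 203.0.113.9:40114 -> 192.0.2.10:22",
    "Dec 27 10:10:04 fw1 kernel: garbage line that matches nothing",
]

# Assumed formats for the two device types (not any vendor's exact syntax).
FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<action>\w+) .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dport>\d+)"
)
IDS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) snort\[\d+\]: \[(?P<sid>[\d:]+)\] (?P<msg>.+?) "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Event:
    """Common schema every source is mapped into before forwarding."""
    source: str      # device that produced the event
    category: str    # firewall-drop, ids-alert, ...
    src: str
    dst: str
    proto: str
    dport: int
    signature: str   # IDS rule id, or firewall action
    count: int = 1
    first_seen: str = ""
    last_seen: str = ""


def normalize(line: str):
    """Map one raw line to an Event, or None if no parser recognizes it."""
    m = FW_RE.match(line)
    if m:
        return Event(m["host"], "firewall-" + m["action"].lower(), m["src"], m["dst"],
                     m["proto"], int(m["dport"]), m["action"],
                     first_seen=m["ts"], last_seen=m["ts"])
    m = IDS_RE.match(line)
    if m:
        return Event(m["host"], "ids-alert", m["src"], m["dst"], m["proto"],
                     int(m["dport"]), m["sid"], first_seen=m["ts"], last_seen=m["ts"])
    return None


def aggregate(lines):
    """Normalize all lines and collapse duplicates.

    Returns (events, unparsed). Unparsed lines are kept, not discarded, so
    the collector can still forward them raw: silently dropping what you
    cannot parse is how a SEM blinds itself to a new device or log format.
    """
    agg = {}
    unparsed = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
            continue
        key = (ev.source, ev.category, ev.src, ev.dst, ev.dport, ev.signature)
        if key in agg:
            agg[key].count += 1
            agg[key].last_seen = ev.last_seen
        else:
            agg[key] = ev
    return list(agg.values()), unparsed


if __name__ == "__main__":
    events, unparsed = aggregate(SAMPLE_LOGS)
    for ev in events:
        print(ev)
    print(f"{len(SAMPLE_LOGS)} raw lines -> {len(events)} events, {len(unparsed)} unparsed")
```

The four constructed lines collapse to two normalized events (the two identical firewall drops become one record with a count of 2) plus one unparsed line. The aggregation key deliberately excludes the source port, which is what makes repeated drops of the same flow collapse; which fields to key on is the main tuning decision in a real collector.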
Collection devices can handle only a limited number of events per second (vendor claims range from 2,000 to 10,000 events per second), so architects with very large networks or numerous branch offices will likely need to deploy multiple devices to manage the data load. As mentioned earlier, software-based collection devices will require additional management.
Some SEM systems may require deploying agents directly on machines. SEM vendors know that architects grimace at the word "agents" and tend to downplay their reliance on them, but agents are often a necessary component of a robust SEM system.
For SEM products that collect flow data such as NetFlow, JFlow, and sFlow or perform passive vulnerability assessment (discussed later), collection devices must be placed at switching junctions that afford the broadest possible scope of network traffic.
source : http://www.networkcomputing.com/showArticle.jhtml?articleID=172302124
Posted by [m]aya at 10:11 AM
Thursday, December 27, 2007
Security Event Management Gets Specialized 1
By Andrew Conry-Murray
SEM technology is moving beyond log correlation to help architects mitigate attacks, address compliance reporting needs, and monitor critical assets.
No human being, nor even a dedicated staff of IT professionals, could ever hope to make sense of the millions of discrete events being logged every day by security and network devices. Enter Security Event Management (SEM) systems. These products collect, correlate, and analyze the vast sums of data created by today's security infrastructure.
Originally designed to address the information overload caused by IDSs and firewall logs, SEM systems have extended their mandate to include switch and router logs, vulnerability scans, and OS and application logs.
While SEM systems still emphasize log correlation, vendors are adding new functions such as real-time incident response and long-term data storage. Other products are blending network behavior anomaly detection and real-time passive network monitoring with log correlation to provide insight into activity on the network and monitor changes to essential business assets. These new features can help security architects better respond to attacks and unusual events, meet the demands of compliance reporting, and more quickly detect unwanted changes to critical business systems.
Each specialty has distinct architectural requirements and will present its own set of pros and cons. Security architects who fail to account for these requirements risk purchasing and deploying an expensive and complex system that doesn't actually meet their needs.
A SEM system also represents a significant and long-term investment of money and staff time. Over the lifetime of the system, enterprises will find themselves feeding it more computing resources, including database capacity, event collectors, and offline storage. The more information sources you can direct to your SEM system, the more value you can wring from its correlation and analysis functions. Thus it's essential to plan out the capacity of any solution to ensure that it can meet today's and tomorrow's data needs.
A SEM system must aggregate, normalize, and correlate events from disparate products that would otherwise require manual gathering and review. This is the original value proposition of SEM and remains a cornerstone deliverable, regardless of whether you choose a SEM system for real-time incident response and attack mitigation or long-term auditing and compliance reporting.
"If you've got all this data dropping on the floor and not being looked at, then there seems to me to be some level of negligence," says Tim Maletic, information systems security officer at Priority Health, a Michigan-based health insurance provider. He deployed ArcSight's Enterprise Security Manager to get a handle on almost 3 million events generated every day by security devices.
He says before the installation he and his staff would have to manually reconcile IDS and firewall logs, a task complicated by the fact that the IDS, which was observing outbound traffic, was outside the firewall. That means the source address on every IDS log was the NAT address of the firewall, making it difficult to determine the actual source of the event.
"Now it's a trivial exercise," says Maletic.
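The NAT problem Maletic describes is a textbook correlation job: an IDS outside the firewall only ever sees the firewall's public address, so the real internal source has to be recovered from the firewall's own translation log. The example below is added here to show that correlation and is not code from the article, from Priority Health or from ArcSight; the "NAT build"/"NAT teardown" log format, the alert format, addresses and timestamps are constructed assumptions.

```python
"""Added example (not from the article): recover the real internal source
behind a NAT'd IDS alert by correlating it with the firewall's translation log.

Assumed, constructed formats: the firewall logs a 'NAT build' line when a
dynamic translation is created and 'NAT teardown' when it ends; the IDS,
sitting outside the firewall, logs alerts whose source is the firewall's
public address and translated port.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

FW_NAT_LOG = [
    "2007-12-27T10:00:00 fw1 NAT build    TCP inside 10.1.1.5:51234 -> outside 198.51.100.1:1025",
    "2007-12-27T10:00:30 fw1 NAT teardown TCP inside 10.1.1.5:51234 -> outside 198.51.100.1:1025",
    "2007-12-27T10:01:00 fw1 NAT build    TCP inside 10.1.1.7:40001 -> outside 198.51.100.1:1025",
]
# Note: the same public port 1025 is reused by a different inside host, so a
# lookup by (ip, port) alone would be wrong; time must be part of the match.
IDS_ALERTS = [
    "2007-12-27T10:00:10 ids1 ALERT sid=1000001 TCP 198.51.100.1:1025 -> 203.0.113.50:80",
    "2007-12-27T10:01:05 ids1 ALERT sid=1000001 TCP 198.51.100.1:1025 -> 203.0.113.50:80",
    "2007-12-27T10:00:45 ids1 ALERT sid=1000002 TCP 198.51.100.1:1025 -> 203.0.113.50:80",
]

NAT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ NAT (?P<ev>build|teardown)\s+(?P<proto>\w+) inside "
    r"(?P<in_ip>[\d.]+):(?P<in_port>\d+) -> outside (?P<out_ip>[\d.]+):(?P<out_port>\d+)$"
)
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ ALERT sid=(?P<sid>\d+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Translation:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    start: datetime
    end: Optional[datetime] = None   # None while the translation is still up

    def key(self):
        return (self.proto, self.out_ip, self.out_port)


def parse_translations(lines):
    """Build the translation table from build/teardown lines, in log order."""
    table = []
    for line in lines:
        m = NAT_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["ev"] == "build":
            table.append(Translation(m["proto"], m["out_ip"], int(m["out_port"]),
                                     m["in_ip"], int(m["in_port"]), ts))
        else:
            # close the still-open translation for this inside endpoint
            for t in table:
                if (t.key() == (m["proto"], m["out_ip"], int(m["out_port"]))
                        and t.in_ip == m["in_ip"] and t.in_port == int(m["in_port"])
                        and t.end is None):
                    t.end = ts
                    break
    return table


def lookup(table, proto, out_ip, out_port, when):
    """Return the translation active for (proto, ip, port) at `when`, or None."""
    candidates = [t for t in table
                  if t.key() == (proto, out_ip, out_port)
                  and t.start <= when and (t.end is None or when <= t.end)]
    # if clocks or teardown logging leave overlaps, prefer the most recent build
    return max(candidates, key=lambda t: t.start) if candidates else None


def resolve_alerts(alert_lines, table):
    """Annotate each IDS alert with the inside host behind the NAT address."""
    out = []
    for line in alert_lines:
        m = ALERT_RE.match(line)
        if not m:
            continue
        t = lookup(table, m["proto"], m["src"], int(m["sport"]), datetime.fromisoformat(m["ts"]))
        out.append({"alert_ts": m["ts"], "sid": m["sid"], "public": f'{m["src"]}:{m["sport"]}',
                    "inside": f"{t.in_ip}:{t.in_port}" if t else None})
    return out


if __name__ == "__main__":
    for r in resolve_alerts(IDS_ALERTS, parse_translations(FW_NAT_LOG)):
        print(r)
```

The first alert resolves to 10.1.1.5, the second to 10.1.1.7 even though both carry the identical public address and port, and the third resolves to nothing because no translation was active at that instant. That third case is the one to watch in practice: an unresolved alert usually means the firewall and IDS clocks disagree (keep both on NTP) or that teardown events are not being logged, not that the traffic had no origin.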
SEM products have greatly expanded the kinds of information they can accept. In addition to information from firewalls, IDSs, VPNs, and other security products, SEM systems can absorb switch and router logs, vulnerability assessment data, NetFlow and sFlow information, OS and application logs, and so on.
The result is that architects can configure a system to correlate and analyze ever-greater volumes of information. "I'm a big proponent of collect everything," says Erik Hart, vice president and information security officer at Cole Taylor Bank, a Chicago-based commercial and personal banking chain with $2.9 billion in assets. He has approximately 175 devices and applications feeding upwards of 5 million events a day into a SEM solution from Network Intelligence.
source : http://www.networkcomputing.com/showArticle.jhtml?articleID=172302124
Posted by [m]aya at 10:10 PM
Security information management enhanced features
Mike Rothman
Security information management (SIM), sometimes called security information and event management (SIEM), has been a problematic security category for years. In a nutshell, this segment of the information security market has featured products that strive to collect and analyze security events, ideally detecting malicious activity. Plagued by expensive and integration-heavy implementations, SIM products and vendors have never lived up to their promise, taking millions in venture capital with them.
Yet, if you look at SIM from a security professional's perspective, the idea of integrating and correlating security information from a variety of data sources is compelling. Just think: How great would it be to look at one screen, or one dashboard, and be able to pinpoint problems, maybe even before they occur?
SIM technologies of the past had their shortcomings, and unfortunately many end-users learned this the hard way. One problem is the overactive nature of SIM; its inputs, like firewalls and IPS devices, are inherently noisy. If the inputs are rife with false positives, it has historically been difficult for SIM offerings to provide actionable information without a tremendous amount of experimentation and tuning.
Also, SIM products seem to address problems after it's too late; by the time information is correlated from log files, the attack has already happened. And in today's environments, where attacks can proliferate throughout the world in a matter of minutes, playing catch-up can be crippling.
But all is not lost, and SIM is not dead yet. In fact, the idea of security management is transforming, and this evolution may bring some new life to SIMs. Combining SIMs with a few other technologies may actually make for an effective systems-based approach to security management.
First, security management is increasingly being integrated with network behavior anomaly detection (NBAD), providing pseudo real-time visibility into what's happening on your network. Not in a few minutes or seconds, but right now.
To be clear, "pseudo" real time is not exactly real time. The inherent nature of attacks, especially zero-day attacks, makes it impossible to be truly proactive in protecting an environment. The goal with network behavior anomaly detection, however, is to shorten reaction times. Also, by building a baseline of normal behavior and defining thresholds for what counts as abnormal, NBAD products can trigger a more specific analysis and contain damage more effectively.
With NBAD, security professionals are not exclusively looking in the rear view mirror, trying to figure out a disaster that's already happened. Because of the technology's faster reaction times, network behavior anomaly detection is poised to break out in 2007, especially if it's integrated with the SIM software sitting on your shelf.
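The baseline-and-threshold idea behind NBAD is simple enough to show end to end. The following is an added example, not code from the article or from any NBAD product: it takes constructed flow records, learns each internal host's normal fan-out (distinct destinations per minute), and flags a host whose fan-out in the current minute jumps past a threshold derived from that baseline. Hosts, addresses, the window length and the tuning constants are assumptions for illustration.

```python
"""Added example (not from the article): a toy NBAD fan-out detector.

For each source host, the baseline is the per-minute count of distinct
destinations over earlier minutes; the current minute is flagged when the
count exceeds mean + max(k * stddev, floor). The floor matters for quiet
hosts whose baseline has zero variance, where a raw k*stddev threshold
would fire on any change at all. Flow records are constructed.
"""
import statistics
from collections import defaultdict


def build_sample_flows():
    """Constructed (minute, src, dst) records: a baseline of ten minutes,
    then minute 10 in which host A sweeps a /24 and a never-seen host appears."""
    flows = []
    for minute in range(10):
        for i in range(3 + minute % 3):            # host A: 3-5 destinations per minute
            flows.append((minute, "10.1.1.5", f"10.1.2.{i}"))
        flows.append((minute, "10.1.1.9", "10.1.2.50"))   # host B: one destination, always
    for i in range(40):                            # minute 10: host A scans
        flows.append((10, "10.1.1.5", f"10.1.3.{i}"))
    flows += [(10, "10.1.1.9", "10.1.2.50"), (10, "10.1.1.9", "10.1.2.51")]  # B: small change
    flows += [(10, "10.1.1.77", f"10.1.2.{i}") for i in range(3)]           # new host
    return flows


def fanout_per_minute(flows):
    """(minute, src) -> number of distinct destinations."""
    seen = defaultdict(set)
    for minute, src, dst in flows:
        seen[(minute, src)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def detect(flows, current_minute, k=3.0, floor=5, min_baseline=5):
    """Return alerts for hosts whose fan-out in `current_minute` is anomalous
    relative to their own history, plus hosts that have no usable history."""
    fan = fanout_per_minute(flows)
    history = defaultdict(list)
    for (minute, src), count in fan.items():
        if minute < current_minute:
            history[src].append(count)

    alerts = []
    for (minute, src), observed in fan.items():
        if minute != current_minute:
            continue
        base = history.get(src, [])
        if len(base) < min_baseline:
            # A host with no history cannot be judged against itself; surface
            # it separately rather than silently treating it as normal.
            alerts.append({"host": src, "observed": observed, "reason": "no baseline"})
            continue
        mean = statistics.mean(base)
        threshold = mean + max(k * statistics.pstdev(base), floor)
        if observed > threshold:
            alerts.append({"host": src, "observed": observed, "baseline_mean": mean,
                           "threshold": threshold, "reason": "above threshold"})
    return alerts


if __name__ == "__main__":
    for a in detect(build_sample_flows(), current_minute=10):
        print(a)
```

Host A (mean fan-out 3.9, threshold about 8.9) is flagged at 40 distinct destinations; host B's jump from one destination to two stays under the floor; the new host is reported as having no baseline rather than being ignored. The point the floor illustrates is the tuning Rothman alludes to: a threshold derived purely from variance is the kind of noisy input that made earlier SIM deployments untrustworthy.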
But that's not the only way SIM is morphing in front of our eyes. When a security incident happens in an organization, it's important to have controls in place so that a similar mess doesn't occur in the future. With many SIMs, however, such preventative responses are difficult to make. During normalization, which is done for performance and to save space, security data is altered and reduced, making it useless for forensic purposes.
With early SIM products, the raw log files were altered to facilitate insertion into a database and provide data reduction; this optimized the use of space. It was important when SIM first hit the market 5 or so years ago, as the technology was not fast enough to store all the data in a forensically clean way, and the problem being addressed was event correlation, as opposed to compliance or forensics.
Ergo, the emergence of log management products. These purpose-built boxes quickly gather log data from a variety of different devices, and they do so in a forensically clean way, maintaining the integrity of the data, so it can be easily analyzed for forensics and compliance purposes, although not necessarily for real-time management. Because the original records and their integrity are preserved, log management data is what you would want to rely on in a court of law.
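The distinction Rothman draws between a lossy normalized view and a forensically clean raw record can be made concrete. The example below is added here and is not code from the article or from any log management product: it keeps every raw line verbatim in a SHA-256 hash chain so that later modification or deletion is detectable, and derives the compact normalized view separately so the two never get confused. The firewall line format and sample lines are constructed assumptions.

```python
"""Added example (not from the article): keeping log data forensically clean.

Raw lines are appended verbatim and chained with SHA-256 (each entry's hash
covers the previous hash, the sequence number and the exact line), so any
edit, insertion or deletion after the fact breaks the chain. The normalized
view the correlation engine wants is derived from, and never replaces, the
raw record. A real deployment would also anchor the chain head somewhere the
log host cannot rewrite (write-once media, a signed external timestamp), since
an attacker who owns the box can otherwise recompute the whole chain.
"""
import hashlib
import re

# Constructed sample lines in an assumed iptables-like format.
SAMPLE_RAW = [
    "Dec 27 10:10:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22",
    "Dec 27 10:10:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=22",
    "Dec 27 10:10:03 fw1 kernel: ACCEPT IN=eth1 SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443",
]
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, seq: int, raw: str) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(f"{seq}\n".encode())
    h.update(raw.encode("utf-8"))
    return h.hexdigest()


class RawLogStore:
    """Append-only raw record with a verifiable hash chain."""

    def __init__(self):
        self.entries = []          # list of (seq, raw_line, chain_hash)
        self.head = GENESIS

    def append(self, raw_line: str) -> str:
        seq = len(self.entries)
        self.head = _entry_hash(self.head, seq, raw_line)
        self.entries.append((seq, raw_line, self.head))
        return self.head

    def verify(self) -> int:
        """Recompute the chain from genesis. Returns the position of the first
        entry that does not check out, or -1 if the record is intact."""
        prev = GENESIS
        for pos, (seq, raw, stored) in enumerate(self.entries):
            if seq != pos or _entry_hash(prev, seq, raw) != stored:
                return pos
            prev = stored
        return -1


FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dport>\d+)")


def normalize(raw_line: str) -> dict:
    """Lossy, space-saving view for correlation: interface, source port and
    timestamp precision are dropped. This is why it cannot serve as evidence."""
    action = raw_line.split("kernel: ")[1].split(" ")[0]
    m = FW_RE.search(raw_line)
    return {"action": action, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def demo() -> dict:
    """Show an intact chain, then a modified entry, then a deleted entry."""
    intact = RawLogStore()
    for line in SAMPLE_RAW:
        intact.append(line)

    modified = RawLogStore()
    for line in SAMPLE_RAW:
        modified.append(line)
    seq, raw, stored = modified.entries[1]
    modified.entries[1] = (seq, raw.replace("DROP", "ACCEPT"), stored)   # tamper in place

    deleted = RawLogStore()
    for line in SAMPLE_RAW:
        deleted.append(line)
    del deleted.entries[1]                                              # remove a line

    return {"intact": intact.verify(), "modified": modified.verify(), "deleted": deleted.verify()}


if __name__ == "__main__":
    print(demo())
    print(normalize(SAMPLE_RAW[0]))
```

Verification returns -1 for the untouched record and the position of the first damaged entry in the other two cases; note that the normalized view of the first line has lost the source port and interface entirely, which is exactly the information a forensic examiner may later need. The two points that matter in practice are that the collector must hash the bytes as received, before any parsing, and that the chain head must be checkpointed off the box.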
Security management is evolving from one generation to the next, and with that transition, there will inevitably be some carnage. Aggressive vendors have chosen to either focus on offering pseudo real-time management capabilities or log management functions. But even if your vendor is a bit of a dim bulb, it's still possible to integrate many of these solutions together yourself and get your desired results. In fact, that's addressing problems before they become problems.
So what makes the most sense for you? It gets back to what problem you are trying to solve and also being a bit understanding of the sunk cost of an existing implementation. Many organizations have spent a lot of time and money to make SIM work for them, and there is no reason to dump that investment. You may need to supplement an existing product with log management or NBAD, but that's OK.
But if you don't have anything in place now, it makes sense to focus on the products that can offer both a forward, as well as a backwards look at your networking environment. There is no need to compromise if you are playing in a green field.
About the author:Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com/, read his blog at http://blog.securityincite.com/, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
source : http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1247084,00.html?bucket=ETA&topic=299841
Posted by [m]aya at 9:31 PM
Introduction
Security is the condition of being protected against danger or loss. In the general sense, security is a concept similar to safety. The nuance between the two is an added emphasis on being protected from dangers that originate from outside. Individuals or actions that encroach upon the condition of protection are responsible for the breach of security.
Management comprises directing and controlling a group of one or more people or entities for the purpose of coordinating and harmonizing them towards accomplishing a goal. Management often encompasses the deployment and manipulation of human resources, financial resources, technological resources, and natural resources. Management can also refer to the person or people who perform the act(s) of management.
Security management is an important part of any company in the IT industry, and indeed of any company that runs many systems, devices and computers. To conduct business effectively, you need to know who the users of your systems are and grant each of them rights only to the resources their position in the company requires, so controlling access rights is essential. Moreover, if there is a threat to your resources, or a threat in the form of a violation of the rights granted to a particular user, you must be notified of it as soon as possible. This lets you take early remedial action and prevent such events in the future.
Security information management (SIM), sometimes called security information and event management (SIEM), has been a problematic security category for years. In a nutshell, this segment of the information security market has featured products that strive to collect and analyze security events, ideally detecting malicious activity. Plagued by expensive and integration-heavy implementations, SIM products and vendors have never lived up to their promise, taking millions in venture capital with them.
sources : http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1247084,00.html?bucket=ETA&topic=299841
: http://www.management-hub.com/
: http://en.wikipedia.org/wiki/Security
: http://en.wikipedia.org/wiki/Management
Posted by [m]aya at 8:47 PM