By Andrew Conry-Murray
SEM technology is moving beyond log correlation to help architects mitigate attacks, address compliance reporting needs, and monitor critical assets.
No human being, nor even a dedicated staff of IT professionals, could ever hope to make sense of the millions of discrete events being logged every day by security and network devices. Enter Security Event Management (SEM) systems. These products collect, correlate, and analyze the vast volumes of data created by today's security infrastructure.
Originally designed to address the information overload caused by IDSs and firewall logs, SEM systems have extended their mandate to include switch and router logs, vulnerability scans, and OS and application logs.
While SEM systems still emphasize log correlation, vendors are adding new functions such as real-time incident response and long-term data storage. Other products are blending network behavior anomaly detection and real-time passive network monitoring with log correlation to provide insight into activity on the network and monitor changes to essential business assets. These new features can help security architects better respond to attacks and unusual events, meet the demands of compliance reporting, and more quickly detect unwanted changes to critical business systems.
Each specialty has distinct architectural requirements and will present its own set of pros and cons. Security architects who fail to account for these requirements risk purchasing and deploying an expensive and complex system that doesn't actually meet their needs.
A SEM system also represents a significant and long-term investment of money and people power. Over the lifetime of the system, enterprises will find themselves feeding it more computing resources, including database capacity, event collectors, and offline storage. The more information sources you can direct to your SEM system, the more value you can wring from its correlation and analysis functions. Thus it's essential to plan out the capacity of any solution to ensure that it can meet today's and tomorrow's data needs.
A SEM system must aggregate, normalize, and correlate events from disparate products that would otherwise require manual gathering and review. This is the original value proposition of SEM and remains a cornerstone deliverable, regardless of whether you choose a SEM system for real-time incident response and attack mitigation or long-term auditing and compliance reporting.
"If you've got all this data dropping on the floor and not being looked at, then there seems to me to be some level of negligence," says Tim Maletic, information systems security officer at Priority Health, a Michigan-based health insurance provider. He deployed ArcSight's Enterprise Security Manager to get a handle on almost 3 million events generated every day by security devices.
He says before the installation he and his staff would have to manually reconcile IDS and firewall logs, a task complicated by the fact that the IDS, which was observing outbound traffic, was outside the firewall. That means the source address on every IDS log was the NAT address of the firewall, making it difficult to determine the actual source of the event.
"Now it's a trivial exercise," says Maletic.
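The NAT problem Maletic describes is a correlation job a SEM system takes over once both log sources are normalized into one schema. The following is an added example, not code from the article or from any vendor's product: it parses constructed firewall NAT records and IDS alerts, joins each alert's public source tuple back to the firewall translation active at that moment, and aggregates alerts by the real internal host. The addresses, log format, field names and five-second matching window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the article). The IDS sits outside the
# firewall, so every alert's source is the firewall's public NAT address.
FIREWALL_PUBLIC_IP = "203.0.113.5"
FIREWALL_LOG = """\
2007-12-27T22:10:03 fw nat src=10.1.4.22:51522 nat=203.0.113.5:40001 dst=198.51.100.9:25
2007-12-27T22:10:05 fw nat src=10.1.7.90:44010 nat=203.0.113.5:40002 dst=198.51.100.77:443
2007-12-27T22:11:40 fw nat src=10.1.4.22:51530 nat=203.0.113.5:40003 dst=198.51.100.9:25
"""
IDS_LOG = """\
2007-12-27T22:10:04 ids sig=1000001 msg="outbound SMTP to blocklisted relay" src=203.0.113.5:40001 dst=198.51.100.9:25
2007-12-27T22:11:41 ids sig=1000001 msg="outbound SMTP to blocklisted relay" src=203.0.113.5:40003 dst=198.51.100.9:25
2007-12-27T22:12:00 ids sig=1000002 msg="suspicious TLS fingerprint" src=203.0.113.5:40009 dst=198.51.100.77:443
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def normalize(line):
    """Parse one log line into a common schema: timestamp plus key/value fields."""
    ts_text, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return {"ts": datetime.fromisoformat(ts_text), **fields}

def parse_log(text):
    return [normalize(l) for l in text.splitlines() if l.strip()]

def resolve_sources(ids_log, fw_log, window=timedelta(seconds=5)):
    """Map each IDS alert back to the internal host behind the firewall's NAT.
    Matches the firewall translation with the same public src tuple and
    destination within +/- window; alerts with no translation resolve to None."""
    translations = parse_log(fw_log)
    results = []
    for alert in parse_log(ids_log):
        if not alert["src"].startswith(FIREWALL_PUBLIC_IP + ":"):
            results.append((alert["sig"], alert["src"], alert["dst"]))  # not NATed
            continue
        match = next((t for t in translations
                      if t["nat"] == alert["src"] and t["dst"] == alert["dst"]
                      and abs(t["ts"] - alert["ts"]) <= window), None)
        results.append((alert["sig"], match["src"] if match else None, alert["dst"]))
    return results

def alerts_by_internal_host(results):
    """Aggregate resolved alerts per internal host so the noisy one stands out."""
    counts = {}
    for _, src, _ in results:
        host = src.split(":")[0] if src else "unresolved"
        counts[host] = counts.get(host, 0) + 1
    return counts
```

The unresolved bucket is worth keeping visible: an alert whose public tuple has no firewall translation in the window points at either a clock-skew or log-loss problem between the two sources, which is exactly what manual reconciliation tends to miss.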
SEM products have greatly expanded the kinds of information they can accept. In addition to information from firewalls, IDSs, VPNs, and other security products, SEM systems can absorb switch and router logs, vulnerability assessment data, NetFlow and sFlow information, OS and application logs, and so on.
The result is that architects can configure a system to correlate and analyze ever-greater volumes of information. "I'm a big proponent of collect everything," says Erik Hart, vice president and information security officer at Cole Taylor Bank, a Chicago-based commercial and personal banking chain with $2.9 billion in assets. He has approximately 175 devices and applications feeding upwards of 5 million events a day into a SEM solution from Network Intelligence.
Source: http://www.networkcomputing.com/showArticle.jhtml?articleID=172302124
Thursday, December 27, 2007
Security Event Management Gets Specialized 1
Posted by [m]aya at 10:10 PM