September 10, 2007 issue

Still on alert
By John Moore, Special to Defense Systems
Event management technology continues to struggle with the exploding amount of security data
It's a classic case of too much of a good thing.

Security systems and network devices generate vast amounts of data on events that could spell trouble for an organization. Firewalls, intrusion-detection systems, intrusion-prevention systems, routers and switches all have security tales to tell. That story is written on event logs, or activity logs, that provide details on the type of event.

But here's the rub: Collectively, the various systems collecting data churn out, in the case of some large enterprises, hundreds of thousands of events each day. An individual security analyst can deal with, at most, 1,000 events on his or her daily watch, according to a white paper from the SANS Institute, which provides security training and research.

The event data deluge confronted the Navy Cyber Defense Operations Command in the late 1990s as the unit began monitoring intrusion-detection systems, said Jim Granger, technical director of the Navy command.

An intrusion-detection system detects and reports suspicious activity in networks or host computers, generating loads of data in the process. In the Navy's case, operators working at consoles became overwhelmed with the data.

"We were just trying to handle the data crush from the IDSes," Granger said.

In recent years, a handful of technology approaches have emerged to deal with the data deluge. Security event management (SEM) systems provide real-time alerts on the status of network infrastructure, said Nick Selby, who analyzes security at The 451 Group, a market research firm.

Security information management (SIM) products offer real-time alerting and also provide an archive of previous events that may shed light on current happenings. A log management system, meanwhile, collects event logs from multiple systems for immediate analysis or long-term archiving.

The lines between the various approaches blur, however. Similarities between SIM and SEM have led to the creation of a hybrid category, security information and event management, or SIEM. Some analysts contend that SIM and log management are one and the same, while others believe the technology categories remain distinct.

Where does this leave the customer? The Navy command's exploration of technology options led it to craft a solution using Novell's Sentinel SIEM product and a data warehouse built with analytical components from the SAS Institute. The service's Prometheus system has been around for a couple of years, but refinement continues. "It's a growing and evolving capability," Granger said.
Organizations that don't want to integrate their own solutions can purchase commercially available products. Going forward, buyers can expect greater analytical capabilities in vendor wares and software-as-a-service delivery models.

Current use
SIM systems and related technology have been promoted as real-time tools for flagging security incidents. And although this is indeed a continuing thrust for such products, security compliance demands have upstaged the early-warning application to some degree.

"Compliance is the major gremlin that is causing people to buy this stuff and the reason you get the discussion going," Selby said. He said vendors in all product categories lead with their compliance abilities to get the sales process started.

Log management, in particular, has become a tool for compliance, as federal directives call for agencies to keep and review logs. The National Institute of Standards and Technology's Guide to Computer Security Log Management recommends that organizations create a log management infrastructure (hardware, software, networks and media) to store and analyze log data.

"Organizations may store and analyze certain logs to comply with federal legislation and regulations, including the Federal Information Security Management Act," the NIST guide states.

FISMA isn't the only regulation that requires log maintenance. In the intelligence and defense sector, the Director of Central Intelligence Directive (DCID) 6/3 also contains guidelines for log monitoring.

Log management is rising as a product category, said Alan Paller, director of research at the SANS Institute. He cited customer interest in generating log monitoring reports for compliance purposes.

Log management vendors such as LogLogic and LogRhythm specifically target compliance as a key application for their wares. LogLogic, which collects, analyzes and archives log data, offers a Compliance Suite. The suite, according to the company, automates the process of using log data to evidence and enforce policies outlined in FISMA.
"There's a lot of interest in using log data as the foundation for the compliance frameworks," said Andrew Lark, chief marketing officer at LogLogic.

LogRhythm also aims to help customers comply with FISMA and other regulations that require log data collection. SenSage, which bills its product as an event data warehouse, provides a mechanism for meeting the auditing requirements under DCID 6/3, the company reported.

SIM and SEM vendors also pursue compliance, with some developing separate products to focus on this application. ArcSight, for one, launched a log management product last year.

"We've seen enough demand now in both the public and private sectors that we came out with a dedicated product," said Hugh Njemanze, ArcSight's chief technology officer.

ArcSight Logger sits in front of the company's SIM system, capturing the logs needed for compliance.

John Worrall, vice president and general manager of RSA's Information and Event Management business unit, said compliance has accelerated the market. Compliance represents the majority of the company's SIM business, he added.

Netforensics, also in the SIM space, markets Log One as the company's answer to log management.

"The primary drivers are compliance and forensics," said Tracy Hulver, vice president of marketing and product development at Netforensics.

Overall, the ability to centrally manage log data, whether through log management systems or SIM, gives organizations a leg up when it comes to meeting compliance requirements. The Navy Cyber Defense Operations Command uses the Prometheus data store to support the service's compliance efforts, which include FISMA and DCID 6/3, Granger said.

Early warning vision
Vendors, however, have not abandoned the SIM/SEM/SIEM vision of real-time threat monitoring. Njemanze cited interest in SIM as a detection tool and compliance solution. "We see an increase in demand for both sides," he said.

Worrall said the past six months have seen an uptick in SIM as an early warning system. He said customers seek the ability to correlate event data across various security systems, relate that data to vulnerability information, create a prioritized list of incidents and manage the resolution of those incidents.

"Large organizations are investing more in the technology to have a better, more effective security operations center," he said.
A security operations center, or SOC, serves as the hub of an organization's IT threat monitoring and detection capabilities.

Paller, however, questions how effective SIM has been as an early warning system. He said the technology shift that needs to take place involves moving SIM from a tool that provides a picture of the security landscape to one that provides actionable data. "The question is, how is that going to happen," Paller said.

Paller said the few cases in which SIM has been deployed as an early warning system required heavy customization on the customers' part. A customer needs to create custom filters to flag a particular pattern.

"They write filters and the filters are looking for a certain set of characteristics," Paller said. He added that solutions out of the box lack a depth of understanding of the types of attacks that people are looking for.

Vendors acknowledge SIM calls for customization but contend that products capture most of the necessary functionality without tweaking.

"In every single case, there is always a requirement for custom alert rules, custom correlation rules," Worrall said. But the majority of the correlation rules come out of the box with RSA's Envision product, he said, adding that the amount of customization varies from site to site.

Hulver said Netforensics' SIM platform, soon to be renamed SIM One, typically takes a week to get up and running. He said the product ships with rules out of the box but always requires tailoring.

At ArcSight, Njemanze said the company's initial thrust was to provide authoring tools that customers or their contractors could use to build SIM capabilities. About two years ago, ArcSight began creating shrink-wrapped applications on top of its core SIM products. One package aims to help customers deal with insider threats, for example.

Another knock against commercial products focuses on their analytical capabilities.

Granger said standard SIM offerings have trouble handling the long-term data storage and analysis piece. The Navy Cyber Defense Operations Command, which maintains several years' worth of data, tapped the SAS Intelligence Platform as the analytical component of Prometheus.

"SAS was incorporated to use business intelligence analytical algorithms, conduct data mining, run the data warehouse, and do data translation functions that most SIM offerings don't do very well," he said.

Joe Zilka, technical architect at SAS, said the Navy chose SAS for its ability to store and analyze large volumes of data. He said Intelligence Platform is geared toward historical analysis of sizeable data stores.

The ultimate goal of this historical analysis is to let organizations predict attacks based on the tell-tale signs of previous incursions. Industry and government researchers are attempting to improve SIMs analytical capabilities.

Zilka said SAS scientists are exploring how to apply analytics to IT security. One investigation involves determining whether credit card fraud-detection algorithms can be applied to network security traffic, he said.

As the nature of the solutions changes, so will the delivery method. At The 451 Group, Selby said he sees an accelerating trend toward offering security management services and SOCs on an outsourced basis.

One limitation of SIM has been that the solutions have been too complex for all but the largest organizations to deploy, some observers say. But larger service providers, Selby said, can leverage the highly sophisticated, real-time correlation capabilities.

Meanwhile, outsourced SIM is already available. Unisys operates a SOC that employs ArcSights SIM software. That center serves six federal customers, but none in the defense sector, said Nathan Shanks, the team lead of security analysts at Unisys.

The SOC churns through 1.5 billion normalized events a week, according to Unisys. Normalization, which strips unnecessary log columns, happens before that count is taken, so the number of raw events is higher still.
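The three steps the article describes in passing, normalizing differently formatted logs into one schema, writing a custom filter of the kind Paller describes that looks for a particular pattern, and correlating IDS data with firewall and vulnerability data into a prioritized incident list as Worrall describes, are shown together below. This is an added example, not code from the article, from the Navy's Prometheus system, or from any vendor named here. The log lines, hosts, addresses, the FW-ACCEPT/FW-DROP log prefixes, the vulnerability table and all function names are constructed for illustration.

```python
"""Normalize mixed security logs into one schema, then correlate across sources.

Added example, not code from the article, the Navy's Prometheus, or any vendor.
All log lines, hosts, addresses and the vulnerability table are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines: Snort-style IDS alerts and iptables-style firewall
# records whose LOG --log-prefix is assumed to be "FW-ACCEPT " / "FW-DROP ".
RAW_LOGS = [
    "Mar 10 10:00:01 ids1 snort[123]: [1:2000:5] EXPLOIT attempt [Priority: 1] {TCP} 203.0.113.7:4444 -> 10.0.0.5:445",
    "Mar 10 10:00:03 fw1 kernel: FW-ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=4444 DPT=445",
    "Mar 10 10:00:04 fw1 kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=198.51.100.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=5555 DPT=22",
    "Mar 10 10:00:05 ids1 snort[123]: [1:2001:3] SCAN probe [Priority: 3] {TCP} 198.51.100.9:5555 -> 10.0.0.5:22",
    "Mar 10 10:00:09 fw1 kernel: FW-ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=4445 DPT=445",
    "Mar 10 10:00:10 fw1 kernel: FW-ACCEPT IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=192.0.2.20 DST=10.0.0.6 LEN=60 PROTO=TCP SPT=50000 DPT=80",
    "Mar 10 10:00:11 fw1 kernel: some unrelated message the parsers do not understand",
]

# Hypothetical (host, port) -> finding table, as a vulnerability scanner would feed it.
VULN_SERVICES = {("10.0.0.5", 445): "service flagged unpatched by last scan"}

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
SNORT_RE = re.compile(
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[Priority: (?P<prio>\d)\] \{\w+\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dpt>\d+)"
)
FW_RE = re.compile(
    r"FW-(?P<action>ACCEPT|DROP) .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*PROTO=\w+ SPT=\d+ DPT=(?P<dpt>\d+)"
)


def normalize(line, year=2007):
    """Map one raw line onto the common schema; return None for lines no parser knows.

    Fields the rules never consult (MAC, LEN, process id, source port, protocol)
    are dropped here: this is the column-stripping the article calls normalization.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    s = SNORT_RE.search(m["rest"])
    if s:
        return {"ts": ts, "sensor": m["host"], "kind": "ids_alert", "src": s["src"],
                "dst": s["dst"], "dpt": int(s["dpt"]), "priority": int(s["prio"]), "msg": s["msg"]}
    f = FW_RE.search(m["rest"])
    if f:
        return {"ts": ts, "sensor": m["host"], "kind": "fw_" + f["action"].lower(),
                "src": f["src"], "dst": f["dst"], "dpt": int(f["dpt"])}
    return None


def correlate(events, vulns, window=timedelta(seconds=60)):
    """Custom correlation rule: an IDS alert is only worth an analyst's time once the
    firewall confirms the same src->dst:port flow was allowed through, and it is critical
    if the target service is on the vulnerability list. The window is applied in both
    directions because sensor clocks are rarely in sync."""
    incidents = []
    for a in events:
        if a["kind"] != "ids_alert":
            continue
        flow = (a["src"], a["dst"], a["dpt"])
        related = [b for b in events if b is not a
                   and (b["src"], b["dst"], b["dpt"]) == flow
                   and abs(b["ts"] - a["ts"]) <= window]
        allowed = any(b["kind"] == "fw_accept" for b in related)
        dropped = any(b["kind"] == "fw_drop" for b in related)
        vuln = vulns.get((a["dst"], a["dpt"]))
        if allowed and vuln and a["priority"] == 1:
            score, verdict = 3, "critical"
        elif allowed:
            score, verdict = 2, "high"
        elif dropped:
            score, verdict = 1, "low"          # blocked at the perimeter: log it, page no one
        else:
            score, verdict = 1, "unconfirmed"  # no firewall record either way inside the window
        incidents.append({"verdict": verdict, "score": score, "first_seen": a["ts"],
                          "src": a["src"], "dst": a["dst"], "dpt": a["dpt"],
                          "msg": a["msg"], "vuln": vuln, "supporting_events": len(related)})
    # The prioritized list an analyst would work from, most urgent first.
    return sorted(incidents, key=lambda i: (-i["score"], i["first_seen"]))


def run(raw_lines=RAW_LOGS, vulns=VULN_SERVICES):
    """Normalize, discard unparseable lines, correlate; return the prioritized incident list."""
    events = [e for e in (normalize(line) for line in raw_lines) if e is not None]
    return correlate(events, vulns)


if __name__ == "__main__":
    for inc in run():
        print(f"{inc['verdict']:<11} {inc['src']} -> {inc['dst']}:{inc['dpt']}  "
              f"{inc['msg']}  (vuln: {inc['vuln']}, {inc['supporting_events']} supporting events)")
```

On the seven constructed lines this yields two incidents from seven raw records: the exploit attempt against the unpatched service that the firewall let through comes out "critical", the probe the firewall dropped comes out "low", and the unrelated accept and the unparseable line produce nothing. The reduction from raw events to incidents is the whole point; what the rule cannot do, as Paller's comment implies, is know in advance which flow-level pattern matters at a given site, so the window, the priority threshold and the vulnerability table are exactly the parts a customer ends up tailoring.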

That's not the data volume most organizations will encounter, but it symbolizes the mountain SIM and related technologies are attempting to climb.

