Security management wares get smarts

Companies add business reporting and compliance management features to software offerings.

A slew of security event management vendors are set to offer products that address everything from how security problems affect applications to ensuring network devices comply with internal and regulatory policies.

ArcSight, Network Intelligence and OpenService each will release product upgrades that promise to help enterprise IT managers get a handle on the security events across their networks. SEM products, sometimes referred to as security information management (SIM) tools, automate the collection of log data from security devices and help users make sense of it through a common management console. These tools usually consist of software, servers and agents, or probe appliances, depending on the vendor.

Applying logic

SIM products use data aggregation and correlation features similar to those of network management software and apply them to logs generated from security devices such as firewalls, proxy servers and intrusion-detection systems (IDS), and from anti-virus software. SIM products also can normalize data - translate Cisco and Check Point alerts, for example, into a common format so the data can be correlated.

The technology promises to ease the burden on security staff trying to make decisions from raw log data collected off network and security devices across large corporate networks. Vendors are attempting to do more than automate the tedious tasks: they also want to give customers more information on what security events could mean, how they could affect business applications and when systems could be out of compliance with regulatory standards.
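To make the normalization and correlation steps concrete, here is an added example (not code from any of the vendors named in the article) that translates two constructed vendor-style log lines, one loosely modelled on a Cisco ASA deny message and one on a Check Point key=value record, into a common event schema and then correlates the normalized events by source address. The device names, addresses and log lines are all made up for illustration; the Check Point field layout is assumed, not taken from vendor documentation.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real device output). The Cisco-style line
# follows the "%ASA-severity-id: Deny proto src zone:ip/port dst zone:ip/port"
# shape; the Check Point-style line is an assumed semicolon-separated key=value record.
RAW_LOGS = [
    ("fw-edge-1", "cisco",
     "%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.0.0.5/445"),
    ("fw-edge-1", "cisco",
     "%ASA-4-106023: Deny tcp src outside:198.51.100.7/51235 dst inside:10.0.0.6/445"),
    ("fw-dc-2", "checkpoint",
     "action=drop;proto=tcp;src=198.51.100.7;dst=10.0.0.22;service=445"),
    ("fw-dc-2", "checkpoint",
     "action=accept;proto=tcp;src=192.0.2.10;dst=10.0.0.22;service=443"),
]

CISCO_ACL = re.compile(
    r"%ASA-\d-\d+: (?P<action>Deny|Permit) (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def normalize(device, vendor, line):
    """Translate one vendor-specific line into the common event schema.

    Returns None for lines the parser does not understand, so unknown
    formats are dropped rather than silently mis-correlated.
    """
    if vendor == "cisco":
        m = CISCO_ACL.match(line)
        if not m:
            return None
        return {"device": device,
                "action": "deny" if m["action"] == "Deny" else "allow",
                "proto": m["proto"].lower(), "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"])}
    if vendor == "checkpoint":
        kv = dict(f.split("=", 1) for f in line.split(";") if "=" in f)
        service = kv.get("service", "")
        return {"device": device,
                "action": "deny" if kv.get("action") == "drop" else "allow",
                "proto": kv.get("proto", "").lower(), "src": kv.get("src"), "dst": kv.get("dst"),
                "dport": int(service) if service.isdigit() else None}
    return None


def correlate(events, min_devices=2):
    """Group denied events by source and report sources denied on >= min_devices devices.

    This is the simplest form of the "many events, one cause" correlation a SIM does:
    the same source tripping different vendors' firewalls becomes one finding.
    """
    by_src = defaultdict(list)
    for e in events:
        if e and e["action"] == "deny":
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        devices = sorted({e["device"] for e in evs})
        if len(devices) >= min_devices:
            findings.append({"src": src, "devices": devices,
                             "targets": sorted({e["dst"] for e in evs}),
                             "count": len(evs)})
    return findings


def run():
    """Normalize every constructed line, then correlate across devices."""
    events = [normalize(d, v, l) for d, v, l in RAW_LOGS]
    return correlate(events)


if __name__ == "__main__":
    for f in run():
        print(f)
```

The two parsers differ completely, but once each line is reduced to the same `device/action/proto/src/dst/dport` fields the correlation step no longer cares which vendor produced the event; that separation is what lets a SIM add a new device type by adding a parser rather than rewriting its rules.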

For its part, Network Intelligence this week will announce enVision 2.1, which includes features to correlate security log data to business assets, such as groups of users, geographic locations and server farms, as well as additional storage capabilities to ensure raw security data is saved and backed up according to compliance policies. The company also introduced a GUI to add intelligence to reporting and put security incidents into a business perspective.

When coupled with a vulnerability scan, enVision could quickly show that, say, an office was experiencing a security problem, such as a downed firewall, without staff having to understand the complexities of firewalls and IDSs.

On top of regulations

Company executives say compliance modules added to the product could help companies stay on top of regulatory requirements. EnVision 2.1 also can take advantage of an add-on storage array the vendor released last month. The SIM add-on storage array sits behind Network Intelligence's LS, ES or HA security appliances, and protects and compresses data stored on it. The company's latest release is priced at $20,000, $80,000 or $200,000, depending on the number of devices managed.

Network Intelligence also added capabilities that let the software spot anomalies in security and network traffic, similar to products from Lumeta and Q1 Labs. The traffic-monitoring capabilities would let the software alert security staff to problems before they happen.

"For example, instead of asking the user to build rules to look for something specific, the product will look for subtle anomalies on its own, using its knowledge of what is normal based on traffic source, destination, payload and users," says Matt Stevens, president of Network Intelligence.
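The anomaly detection Stevens describes, learning what is normal per source and destination and flagging departures from it, can be illustrated with an added example (not Network Intelligence's code or algorithm). It keeps a constructed seven-day baseline of hourly connection counts per (source, destination) pair, scores the current hour with a z-score against that baseline, and separately reports pairs that never appeared in the baseline at all. The addresses, counts and the 3-sigma threshold are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed baseline: for each (source, destination) pair, the connection count
# observed at this hour on each of the previous seven days. Values are made up.
BASELINE = {
    ("10.0.1.15", "10.0.0.22"): [12, 14, 11, 13, 15, 12, 14],  # a steady file-server pair
    ("10.0.1.15", "10.0.0.80"): [0, 1, 0, 0, 1, 0, 0],         # a rarely used destination
}

# Constructed observations for the current hour, including a burst to the
# rarely used destination and a pair the baseline has never seen.
CURRENT = {
    ("10.0.1.15", "10.0.0.22"): 15,
    ("10.0.1.15", "10.0.0.80"): 40,
    ("10.0.1.99", "10.0.0.80"): 3,
}


def anomaly_score(history, observed):
    """Z-score of `observed` against `history`; None when there is no history.

    A flat baseline (zero spread) cannot be scored with a z-score, so any
    departure from it is treated as infinitely anomalous and no departure as zero.
    """
    if not history:
        return None
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sigma


def detect(baseline, current, threshold=3.0):
    """Return one finding per pair that is either unseen or spiking above threshold sigmas."""
    findings = []
    for pair, observed in current.items():
        score = anomaly_score(baseline.get(pair, []), observed)
        if score is None:
            findings.append({"pair": pair, "reason": "unseen-pair", "observed": observed})
        elif score > threshold:
            findings.append({"pair": pair, "reason": "count-spike",
                             "observed": observed, "z": round(score, 2)})
    return findings


if __name__ == "__main__":
    for f in detect(BASELINE, CURRENT):
        print(f)
```

Two design points matter in practice: a pair with no history must be reported on its own merits rather than scored (there is nothing to score against), and a flat baseline needs explicit handling, because a z-score divides by the standard deviation. A real product would also age the baseline and key it on more dimensions (payload, user), as Stevens notes, but the decision structure stays the same.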

OpenService, in its Security Threat Manager 3.0, also includes capabilities to correlate security alerts with business users, applications and assets. The latest revision of the product will map threats to pre-defined business assets in near real time and provide a trend perspective to help security managers determine, for example, their most vulnerable spots and start to secure them.

The feature also will point out to security staff at a manufacturing company if a security problem will affect continuous-process manufacturing, which is critical to the business and therefore needs immediate attention.

Essentially, OpenService says it's trying to add more intelligence to its alerting and correlation engine. In the past, the product would collect alerts and filter out redundancies; now the company says Security Threat Manager can help IT staff prioritize responses to incidents based on pre-defined business policies. The vendor also added platform support for Linux.

"We needed a tool that could identify and extract all relevant data from our firewalls, IDSs, routers, switches and so on," says Adam Hansen, manager of information security for the law firm Sonnenschein, Rosenthal & Nath in Chicago. "We wanted to see our security events related to the network and vice versa."

Hansen uses Security Threat Manager (a beta version of 3.0 is currently in the firm's labs), but the business intelligence feature isn't as much of interest to him as the product's ability to say, "Hey dummy, look at this. This is where the problem is," he says.

For Hansen, four full-time staffers and one consultant weren't enough to keep up with the logs on more than 100 managed devices. He couldn't hire anyone, so he purchased a new product that he says reduces manual work and does some of the thinking for him.

"It prevents us from having to figure out that a bunch of events from different devices are all caused by one thing," he says.

Yet the product isn't plug and play. He says he took the time to get the agents pushed out to managed devices and runs regular checks to ensure it's tuned to his network. He also worked with the vendor to get more open source and vendor-specific information, such as Check Point firewall metrics or Cisco switch data, into the product.

Entry-level pricing for Security Threat Manager starts at $50,000, with the average implementation costing about $100,000. Price depends on the number of devices and data collection points monitored.

Security storage

Separately, ArcSight last week introduced a software product the vendor says will help customers store and retrieve security data.

ArcSight SmartStorage uses the partitioning available in enterprise database systems such as Oracle and provides a customized algorithm for information that is no longer needed in real time. When a partition reaches the end of its real-time life, it is automatically compressed and stored on the same physical volume, but in a much smaller state. If that partition is needed for investigation, audit or reporting, it can be recalled via the console and reintroduced to the live data set. When the partition is no longer needed, it can be sent back to the compressed archive.
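The partition lifecycle described above, live data aged into an in-place compressed archive and recalled on demand for an investigation, can be shown with a small added example. This is not ArcSight's code and uses no database partitioning; it stands in a time-partitioned in-memory store with zlib compression for the mechanism, and the day keys, event records and two-day live window are constructed assumptions.

```python
import json
import zlib
from dataclasses import dataclass, field


@dataclass
class Partition:
    """One time slice of events. A live partition holds records; an archived one
    holds only the compressed bytes, so the hot data set stays small."""
    day: str
    records: list = field(default_factory=list)
    archived: bytes = None

    @property
    def is_archived(self):
        return self.archived is not None


class EventStore:
    def __init__(self, live_days):
        if live_days < 1:
            raise ValueError("at least one partition must stay live")
        self.live_days = live_days
        self.partitions = {}

    def ingest(self, day, event):
        self.partitions.setdefault(day, Partition(day)).records.append(event)

    def age_out(self):
        """Compress every partition older than the newest `live_days` slices, in place."""
        days = sorted(self.partitions)
        for day in days[:-self.live_days]:
            self.archive(day)

    def archive(self, day):
        """Send a partition (back) to the compressed archive once it is no longer needed live."""
        p = self.partitions[day]
        if not p.is_archived:
            p.archived = zlib.compress(json.dumps(p.records).encode())
            p.records = []

    def recall(self, day):
        """Reintroduce an archived partition to the live data set for investigation or reporting."""
        p = self.partitions[day]
        if p.is_archived:
            p.records = json.loads(zlib.decompress(p.archived).decode())
            p.archived = None
        return p.records

    def live_size(self):
        """Number of records currently held uncompressed."""
        return sum(len(p.records) for p in self.partitions.values())


def build_demo_store():
    """Constructed three-day history of repetitive firewall events, then age out the oldest day."""
    store = EventStore(live_days=2)
    for day in ("2004-03-01", "2004-03-02", "2004-03-03"):
        for i in range(200):
            store.ingest(day, {"day": day, "src": "192.0.2.%d" % (i % 20),
                               "dst": "10.0.0.5", "action": "deny"})
    store.age_out()
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print("live records:", s.live_size())
    print("archived bytes for 03-01:", len(s.partitions["2004-03-01"].archived))
    print("recalled records:", len(s.recall("2004-03-01")))
```

Security event data is highly repetitive, which is why compressing an aged partition in place is so effective and why recall is cheap enough to do from a console: the archived bytes for a day of near-identical deny events are a small fraction of the serialized records, and decompressing restores them exactly.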

ArcSight SmartStorage is part of the basic ArcSight 3.0 Security Information Management software system. It is not priced separately. Overall ArcSight pricing starts at $50,000 and can go up to $200,000.

Not so simple SIM

Security information management isn’t just about collecting log data anymore. Vendors add more features to help users get more from their security management tools.

Trend: Business views
What's new: Correlation and reporting features that can quickly show which users, branch offices or geographic locations are affected by a security event.
Sample vendors: Network Intelligence, OpenService

Trend: Compliance policies
What's new: Vulnerability scanning products that can compare software licenses, device configurations and access privileges against pre-set compliance policies.
Sample vendors: BindView, Lockdown Networks

Trend: Traffic monitoring
What's new: Internal network traffic behavior baselining, which detects anomalies in traffic patterns to reveal existing vulnerabilities and security threats, such as a worm or virus that might have crept past perimeter devices.
Sample vendors: Lumeta, Q1 Labs