Users shoring up net security with SIM


Matt Speare estimates that it would require a staff of nine to monitor just one security event console consolidating logs from 30 devices 24-7 on his network at Ohio Savings Bank in Cleveland.

"And that's including weekend coverage, with no breaks, no lunch and no sick days," he says. Speare, director of IT risk management at Ohio Savings, quickly does the math again and concludes, "Obviously, that type of round-the-clock management with staff is cost-prohibitive."

To address the problem, Speare turned to security information management (SIM) software, an increasingly popular type of product designed for automating the collection of event log data from security devices and helping users make sense of it through a common management console.

Ohio Savings uses netForensics' Security Information Platform, which cost it about $55,000 in hardware and software to install - half of what Speare estimates it would have cost the bank to outsource its security management.

"There's a huge return on investment for us," he says.

Spelling out SIM

SIM products use data aggregation and event correlation features similar to those of network-management software and apply them to the event logs generated by security devices such as firewalls, proxy servers, intrusion-detection systems and antivirus software. What's more, SIM products can normalize data - that is, they can translate Cisco and Check Point Software alerts, for example, into a common format so the data can be correlated.
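The normalization and cross-device correlation described above, as an added example that is not from the article or from any vendor's product: a constructed Cisco ASA-style syslog line and a constructed Check Point-style key=value line are translated into one common event schema, and a source denied by two different firewalls inside one minute is then flagged. The device names, addresses and log lines are all constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2012  # constructed: BSD-syslog lines carry no year, so the collector supplies one
# Constructed sample lines (not real captures): a Cisco ASA-style syslog line and a
# Check Point-style key=value line, each reporting a denied or allowed connection.
SAMPLE_LOGS = [
    "Feb 14 10:00:01 fw-cisco %ASA-4-106023: Deny tcp src outside:203.0.113.5/40512 dst inside:10.0.0.7/22",
    "14Feb2012 10:00:03; action=drop; src=203.0.113.5; dst=10.0.0.8; service=22; proto=tcp; origin=fw-checkpoint",
    "Feb 14 10:00:05 fw-cisco %ASA-6-302013: Built inbound tcp src outside:198.51.100.9/5000 dst inside:10.0.0.7/443",
    "14Feb2012 10:00:40; action=drop; src=203.0.113.5; dst=10.0.0.9; service=22; proto=tcp; origin=fw-checkpoint",
]

CISCO_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) (?P<dev>\S+) %ASA-\d-\d+: "
    r"(?P<act>Deny|Built)\b.*?src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def normalize(line):
    """Translate one vendor-specific line into the common event schema; None if unparsed."""
    m = CISCO_RE.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        return {"time": ts, "device": m["dev"], "action": "deny" if m["act"] == "Deny" else "allow",
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    if "; action=" in line:
        ts_str, _, rest = line.partition("; ")
        kv = dict(p.split("=", 1) for p in rest.split("; "))
        return {"time": datetime.strptime(ts_str, "%d%b%Y %H:%M:%S"), "device": kv["origin"],
                "action": "deny" if kv["action"] == "drop" else "allow",
                "src": kv["src"], "dst": kv["dst"], "dport": int(kv["service"])}
    return None  # unknown format: a real SIM keeps the raw line in an unparsed bucket

def correlate(events, window=timedelta(seconds=60), min_devices=2):
    """Flag a source denied by at least min_devices distinct devices inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e and e["action"] == "deny":
            by_src[e["src"]].append((e["time"], e["device"]))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            devs = {dev for t, dev in hits[i:] if t - t0 <= window}
            if len(devs) >= min_devices:
                alerts[src] = sorted(devs)
                break
    return alerts
```

Neither console alone sees the pattern; only after both formats land in the same schema does the repeated source stand out.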

Like network-management software, SIM tools generally consist of server software, agents installed either on servers or security devices, and a central management console.

SIM providers range from smaller companies such as netForensics, Network Intelligence, GuardedNet, Intellitactics and OpenService to more established players such as Computer Associates, IBM Tivoli, Micromuse and NetIQ (see related story).

Charles Kolodgy, Internet security research manager at IDC, says companies have lots of choice when it comes to SIM: Vendors find the market attractive in that IDC estimates it is worth $15 million today and is set to quadruple to $61.3 million by 2005.

But he warns that many products are immature.

"These tools are great to collect and correlate events, but they offer little control over the security infrastructure," he says.

While vendors have adopted the SIM moniker, industry analysts prefer to call most of the products security event managers. Pete Lindstrom, a research director with Hurwitz Group, says the latter better describes what the current software offerings actually do, while SIM refers to a broader set of tasks the tools eventually should evolve to perform.

Real-world experiences

Charles Watson, data network specialist for Cellular South in Jackson, Miss., says his netForensics software pinpointed vulnerabilities in his network as soon as it was installed. Apparently, some end users had opened ports without the security staff's knowledge.

"We had no idea those ports were open until the software pointed it out," Watson says. Because netForensics "logs everything," Cellular South could plug those holes and prevent a possible security breach - "and without running around to each server," he adds.

Keeping it SIMple
Early adopters of security information management (SIM) products say such offerings must:
Correlate security events in real time.
Collect and filter alarms from a large variety of firewall, intrusion-detection and other security systems.
Include an easily scripted agent to add support for other security systems.
Require little configuration to start collecting events.
Boast strong reporting features.
Perform their own security functions, such as pinpointing network vulnerabilities.

While Speare and Watson reported relatively easy SIM implementations, Jeffrey Hormann says the software requires a fair amount of upfront work.

Hormann, director of technology operations at Metromedia Fiber Network in White Plains, N.Y., says it took him about a month to get e-Security's e-Sentinel software product operational on his network. "It's not out-of-the-box ready to go," he says. "It took a bit of effort to get it rolled out [and customized]."

Yet Hormann says e-Sentinel has saved him from hiring a dozen security specialists and lets him offer more services with a downsized staff.

SIM users and industry watchers agree that while the software can serve as an extra set of eyes across security devices, the tools need to evolve to take corrective actions.

"Security event managers want to be smart and to ultimately move toward being able to prioritize assets and applications without much configuration from users," Hurwitz's Lindstrom says. "We're probably one or two generations of software away from policy- and configuration-based security information management software."

Contact Staff Writer Denise Dubie
