
Security information and event management: Finding the proverbial needle

We're getting closer to the day when making sense of, and acting on, disparate security events is quick and easy

By , Network World
October 09, 2008 12:00 AM ET

Network World - Matt Roedell, vice president of infrastructure and information security at TruMark Financial Credit Union in Trevose, Pa., has a big dream for his layered security network: One day, his antivirus protection, firewall, intrusion-detection system and other security tools will use integrated, intelligent security-information and event-management techniques to stop fraudulent transactions.


An early adopter and big believer in SIEM (also sold as security event management or security information management), Roedell believes the technology will reach its full potential only when it is integrated into application and network security tools. Today SIEM comes in the form of stand-alone tools that collect, correlate and analyze event logs from across a security infrastructure.

Roedell's wish is on its way to being granted, says Kelly Kavanagh, research analyst at Gartner. SIEM providers are making creative strides, moving from mere log collection to intelligent analysis, he says. As an example, he points to SIEM's newest use case: application-layer monitoring for fraud detection or internal threat management. Companies are putting SIEM alongside their traditional security tools to collect and analyze application-level events or transaction logs for the purpose of discovering transaction combinations that are indicators of fraud or misuse, he says.

Roedell calls SIEM one of the fastest-growing security markets: more than 20 vendors compete in it, it grew more than 50% in 2006 and 30% in 2007, and estimated revenue topped $800 million in 2007. Large enterprise companies, such as CA, Cisco, EMC (through its RSA security division), IBM, Novell and Symantec, have SIEM products, as do a host of smaller companies, including ArcSight, High Tower Software, Intellitactics, LogRhythm, netForensics, Prism Microsystems, Q1 Labs, SenSage and TriGeo.

The first indications of the full integration that Roedell wants are starting to show up, too, Kavanagh says. Such companies as CA, IBM and Novell have started to bundle or integrate SIEM with other pieces of their portfolios, including identity-based access management; systems management; and IT governance, risk and compliance management offerings.

Agents on the loose

Roedell uses TriGeo's TriGeo Security Information Manager (SIM) appliance to determine the severity of threats to his company's security infrastructure. The agent-based TriGeo SIM correlates events, such as firewall alerts about TCP port scans or intrusion-detection system (IDS) anomalies, and, based on preset thresholds, either sends a ticket to IT or mitigates the problem itself. For instance, it can kill PC processes, shut down switch ports, add access lists to routers or change firewall configurations -- actions that otherwise would require someone to log on to each device and update it by hand.
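The two kinds of correlation the article describes, threshold-driven network correlation (port scans on the firewall escalated by an IDS alert from the same source, above) and the application-layer "transaction combinations" that indicate fraud (Kavanagh's use case, earlier), can both be reduced to rules over parsed log events. The following is an added illustration written for this page, not TriGeo, TruMark or Gartner code; the log lines, field names (src, dport, sig, user, event, amount), thresholds and response actions are all constructed for the example.

```python
"""Toy SIEM correlation engine: preset thresholds over firewall and IDS events,
plus one application-layer rule over transaction logs. Added example with
constructed data; it does not reproduce any vendor's rule format."""
import re
from collections import defaultdict

# Constructed sample logs (epoch seconds followed by key=value pairs).
FIREWALL_LOG = """\
1223510400 src=198.51.100.7 dst=192.0.2.10 dport=21 action=deny
1223510401 src=198.51.100.7 dst=192.0.2.10 dport=22 action=deny
1223510402 src=198.51.100.7 dst=192.0.2.10 dport=23 action=deny
1223510403 src=198.51.100.7 dst=192.0.2.10 dport=25 action=deny
1223510404 src=198.51.100.7 dst=192.0.2.10 dport=80 action=deny
1223510405 src=198.51.100.7 dst=192.0.2.10 dport=443 action=deny
1223510420 src=198.51.100.8 dst=192.0.2.11 dport=135 action=deny
1223510421 src=198.51.100.8 dst=192.0.2.11 dport=139 action=deny
1223510422 src=198.51.100.8 dst=192.0.2.11 dport=445 action=deny
1223510423 src=198.51.100.8 dst=192.0.2.11 dport=1433 action=deny
1223510424 src=198.51.100.8 dst=192.0.2.11 dport=3389 action=deny
1223510430 src=203.0.113.5 dst=192.0.2.10 dport=443 action=allow
1223510431 src=203.0.113.5 dst=192.0.2.10 dport=80 action=allow
"""
IDS_LOG = """\
1223510440 src=198.51.100.7 dst=192.0.2.10 sig=SSH_BRUTE_FORCE severity=3
"""
TRANSACTION_LOG = """\
1223510500 user=alice event=password_change channel=web
1223510560 user=alice event=add_payee channel=web
1223510620 user=alice event=transfer amount=4900 channel=web
1223510700 user=bob event=transfer amount=40 channel=web
"""

# Preset thresholds, the knobs the article says decide ticket vs. mitigation.
SCAN_PORTS = 5        # distinct destination ports from one source ...
SCAN_WINDOW = 60      # ... within this many seconds counts as a scan
FRAUD_WINDOW = 600    # password change -> new payee -> transfer inside 10 minutes
FRAUD_MIN_AMOUNT = 1000

KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Turn 'ts k=v k=v ...' lines into dicts carrying an int 'ts' field."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["ts"] = int(ts)
        events.append(ev)
    return events

def detect_port_scans(fw_events):
    """Sliding window per source: return {src: distinct_ports} for sources
    that touched at least SCAN_PORTS ports within SCAN_WINDOW seconds."""
    by_src = defaultdict(list)
    for ev in fw_events:
        by_src[ev["src"]].append((ev["ts"], ev["dport"]))
    scans = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                scans[src] = len(ports)
                break
    return scans

def correlate_network(fw_events, ids_events):
    """A scan alone is medium severity and opens a ticket; a scan plus an IDS
    alert from the same source is high severity and triggers mitigation."""
    ids_sources = {ev["src"] for ev in ids_events}
    findings = {}
    for src in detect_port_scans(fw_events):
        if src in ids_sources:
            findings[src] = ("high", "block_at_firewall")
        else:
            findings[src] = ("medium", "open_ticket")
    return findings

def detect_fraud_sequences(tx_events):
    """Flag users whose password change, new payee and large transfer occur in
    that order within FRAUD_WINDOW: a transaction combination, not one event."""
    by_user = defaultdict(list)
    for ev in tx_events:
        by_user[ev["user"]].append(ev)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for pw in (e for e in evs if e["event"] == "password_change"):
            deadline = pw["ts"] + FRAUD_WINDOW
            payee = next((e for e in evs if e["event"] == "add_payee"
                          and pw["ts"] <= e["ts"] <= deadline), None)
            if payee is None:
                continue
            xfer = next((e for e in evs if e["event"] == "transfer"
                         and payee["ts"] <= e["ts"] <= deadline
                         and int(e["amount"]) >= FRAUD_MIN_AMOUNT), None)
            if xfer is not None:
                flagged.append(user)
                break
    return flagged

if __name__ == "__main__":
    print(correlate_network(parse(FIREWALL_LOG), parse(IDS_LOG)))
    print(detect_fraud_sequences(parse(TRANSACTION_LOG)))
```

Two design points matter more than the rule details. First, the automated block path trusts the source address in the firewall log; a scan with spoofed sources can drive a SIEM into blocking legitimate hosts, which is why the example reserves mitigation for the corroborated case and leaves the single-signal case as a ticket. Second, the fraud rule orders its events and bounds them by a window rather than simply counting them, because the "indicator" is the sequence, not any one transaction.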

Using the SIM appliance to keep such close tabs on his security network not only has made vulnerability management much easier but also has improved compliance initiatives, Roedell says. "I can prove to auditors that [the SIM appliance is monitoring] just about anything with an IP address," he says. Compliance, nevertheless, is only one factor leading to enterprises' increased awareness and adoption of SIEM tools, Gartner's Kavanagh says. Their interest also can be attributed to the technology's maturity, the decrease in its deployment and management complexity, and the availability of affordable, easy-to-deploy SIEM appliances.
