Event managers help reduce noise, especially when it comes to intrusion-detection sensors, and provide a centralized view into the network security picture. But getting them to work properly requires the right touch.
Like many large organizations, the U.S. Department of Energy has individual security teams at about a dozen major sites across the country. Armed with a variety of security tools, the teams do a good job of protecting the DOE from unauthorized cyberintruders. Still, the agency feels that centralizing security device management could put an even stronger lock on the DOE's network, says Dan Pitton, special assistant to the CIO of the DOE's Environmental Management Division.

Working toward that goal, the agency has employed e-Security's Open e-Security Platform, which is intended to aggregate and correlate alerts from multiple, distributed security products. The idea is to gain "situational awareness," Pitton says, so an administrator can identify in real-time events such as an attack from the same source IP address that targets multiple DOE sites simultaneously. "That is of enormous value to us as opposed to getting a report that's a week old," he says. "We can shut down attacks before they do any damage."

While e-Security began espousing the idea of centralized security management three years ago with its product introduction, the concept of a security event manager — also known as security information manager and security device manager — is only now gaining momentum. A number of competing start-ups have emerged, including ArcSight, GuardedNet, Intellitactics, Mountain Wave (recently acquired by Symantec), netForensics, Network Intelligence (formerly OpenSystems.com) and OpenService (recently merged with Response Networks). Established players, notably IBM Tivoli, also have entries in the game (See box).

Defining the category

Products that fall into this category must do three things, says John Pescatore, research director for Internet security at Gartner, which prefers to use the term security device management. First, they should monitor security devices from multiple vendors and normalize the data they churn out.
Normalization is no easy task, given that different vendors express and report the same data in different ways. An emerging Internet Engineering Task Force standard — the Intrusion Detection Message Exchange Format — promises help for intrusion-detection systems (IDS), which are a major pain point, but vendors are only now starting to comply.

Next, they should aggregate the data, and in the process reduce its volume by weeding out multiple alarms that pertain to the same event. Finally, the products should correlate alarms coming from different sources, to find the most serious problems.

"Most of the products do normalization and aggregation/reduction," Pescatore says. "They do very little real correlation." Still, the normalization and data reduction functions are valuable, especially for companies that have at least 10 to 20 IDS sensors. "We see most of these products being bought by companies that are drowning in IDS alerts," Pescatore says. "This market exists because of intrusion detection."

Pete Lindstrom, a director with Hurwitz Group, is a bit more bullish in his assessment of the security event management market. "It's hot, it's interesting, it's important," he says. But nobody is willing to suggest that a security event manager will, on its own, point out intrusions as they happen. As with IDS and other existing tools, experienced security professionals need to write the rules that help the systems pinpoint events that indicate a serious security breach. "The question is, does the tool help you pick out patterns?" Lindstrom says. "It's got to help you do that. Then you can start looking for relationships," and writing effective rules.
Mark Milatovich, director of information security for application service provider Corio, is using the ArcSight platform, which he says can recognize a port scan and reduce it to one alert. A network IDS, on the other hand, might generate hundreds of alerts from a port scan. A customer could then build in an additional rule to have ArcSight trigger an alert when it detects a port scan happening on two IDSes, signaling a potentially dangerous, distributed, slow scan. "We're really excited about it. It represents a critical piece of our overall security model," Milatovich says.

Such features are even more valuable when tied to vulnerability-assessment data, Lindstrom says. In that case, the tool can alert users when an attack is launched against a system that is indeed vulnerable to the type of attack under way. Conversely, the platform would be smart enough to ignore attacks against systems that were not vulnerable to the type of attack in question (see story "Containing vulnerabilities"). "That's not really working in these products," says Pescatore, noting that he doesn't expect the products to come close to addressing such issues until the end of 2003.

DOE's big bet

In the meantime, customers appreciate the benefits the platforms already deliver. While each DOE site has its own firewalls, IDSes and the like, the organization has more than 1,000 licenses for the RealSecure IDS from Internet Security Systems (ISS). So the DOE is focusing initially on collecting alerts from those IDSes, Pitton says.
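The three steps the article describes (normalize alerts from different vendors, aggregate a noisy port scan into one event, correlate the same source across sensors) as an added example in Python; this is illustrative code, not code from the article or from any product it names. The two alert formats, sensor names, addresses and thresholds are constructed for the example.

```python
# Added example: a toy security event manager. The two alert formats below are
# invented for illustration and do not reproduce any real vendor's output.
from collections import defaultdict

# Constructed sample alerts: one source probes 15 ports as seen by two sensors
# (15 alerts each), plus one unrelated alert. "fmt_a" is key=value, "fmt_b" is CSV.
RAW = (
    [("fmt_a", f"ts=1 sensor=ids-hq src=10.9.9.9 dst=10.1.1.5 dport={p} sig=TCP_Probe")
     for p in range(20, 35)]
    + [("fmt_b", f"2,ids-idaho,10.9.9.9,10.2.2.7,{p},TCP_Probe") for p in range(20, 35)]
    + [("fmt_b", "3,ids-idaho,10.5.5.5,10.2.2.8,80,Web_Scan")]
)

def normalize(fmt, line):
    """Map a vendor-specific alert line onto one common schema."""
    if fmt == "fmt_a":
        kv = dict(field.split("=", 1) for field in line.split())
        return {"ts": int(kv["ts"]), "sensor": kv["sensor"], "src": kv["src"],
                "dst": kv["dst"], "dport": int(kv["dport"]), "sig": kv["sig"]}
    if fmt == "fmt_b":
        ts, sensor, src, dst, dport, sig = line.split(",")
        return {"ts": int(ts), "sensor": sensor, "src": src, "dst": dst,
                "dport": int(dport), "sig": sig}
    raise ValueError(f"unknown alert format: {fmt}")

def aggregate(events, min_ports=10):
    """Collapse alerts from one source on one sensor that touch many distinct
    ports into a single 'portscan' event; other alerts pass through unchanged."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["sensor"], e["src"])].append(e)
    reduced = []
    for (sensor, src), grp in groups.items():
        ports = {e["dport"] for e in grp}
        if len(ports) >= min_ports:
            reduced.append({"sensor": sensor, "src": src, "sig": "portscan",
                            "count": len(grp), "ports": len(ports)})
        else:
            reduced.extend(grp)
    return reduced

def correlate(events, min_sensors=2):
    """Flag a source whose port scan was seen by at least min_sensors sensors:
    the 'port scan on two IDSes' rule from the article (assumed threshold)."""
    seen = defaultdict(set)
    for e in events:
        if e["sig"] == "portscan":
            seen[e["src"]].add(e["sensor"])
    return {src: sorted(s) for src, s in seen.items() if len(s) >= min_sensors}

def run(raw=RAW):
    """Return (raw alert count, alert count after aggregation, correlated hits)."""
    normalized = [normalize(fmt, line) for fmt, line in raw]
    reduced = aggregate(normalized)
    return len(normalized), len(reduced), correlate(reduced)
```

On the constructed input, 31 raw alerts reduce to 3 events, and the source probing both sensors is the only one flagged.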
In Phase 1, which ran from early June through August, ISS sensors located in three buildings within the DOE headquarters complex fed event data into a central e-Security platform. Now in Phase 2, which will run through year-end, the DOE is adding event data feeds from Environmental Management sites in Idaho Falls, Idaho, and Rocky Flats, Colo., thus further extending the situational-awareness concept. "We're looking at two to three years for a rollout to about a dozen key DOE sites, which will pretty much give us tactical situational awareness coast to coast," Pitton says.

Eventually, the DOE would like to use the e-Security platform to feed security data into a Web site accessible by any other federal agency that connects to the DOE net, Pitton says. The idea is to establish a level of trust among different networks, so each can see the security level of the others, and alert each other to problems as they crop up.

But getting alerts is only half the battle, says Herbert Mattord, who until early August was manager of information security for manufacturing giant Georgia-Pacific in Atlanta. Users also must have processes in place to deal with the information a security event manager generates. "If you're an established security organization, . . . [security event management] may be the next bridge to cross," says Mattord, who is now an adjunct professor of computer science at Kennesaw State University, in Kennesaw, Ga. "If not, it will be a waste of money."

Just before he left Georgia-Pacific, Mattord evaluated PentaSafe Security Technologies' new VigilEnt Intrusion Manager, which collects alert data from other PentaSafe products as well as from Cisco and ISS IDSes, and firewalls from Check Point Software Technologies and Cisco. Georgia-Pacific was already using other PentaSafe products, which focus on security policy, password and security-vulnerability management.
PentaSafe focuses on building in correlation rules, reasoning that most users want them prepackaged, but also allows for rule creation. Mattord found the latter more appealing than the idea of using canned rules. The PentaSafe rules are "common-sense, good-faith tries," but nobody knows better than internal people the best rules to use, Mattord says.
The DOE also likes to write its own rules, although the process is arduous with e-Security's rules interface, Pitton says. He notes that he is looking forward to trying out a new version, now shipping, that is supposed to address the shortcomings and provide a number of predefined correlation rules that users can toggle on and off.

No free lunch

To varying degrees, security event management vendors are addressing many of the shortcomings that analysts have been citing for some time. These include a lack of scalability and inordinate processor and storage requirements that drive up installation costs.

In terms of scalability, Corio's Milatovich foresees no problem with ArcSight being able to handle his company's phalanx of firewalls, routers, VPNs, antivirus software and IDSes, all of which constantly log security events. "That's a lot of logging, millions and millions of events," he says. He points to ArcSight's "industrial base," including its use of an Oracle database. Similarly, Mattord says Georgia-Pacific uses PentaSafe products to handle 1,200 servers.

Storage requirements vary depending on whether the vendor's approach calls for keeping all log data, or just the data it deems relevant. Customer requirements also play a role; a company that wants to see historical reports covering a 90-day period will need far more storage than one that deems 30 days to be sufficient.

Hardware costs are a consideration for software-only security event managers. While a low-end Network Intelligence appliance starts at around $18,000, a typical installation of OpenService's software costs about $100,000 for larger companies. Similarly, an entry-level installation of e-Security's software, capable of monitoring 20 devices, costs $95,000. "There's no free lunch in life," Milatovich says. "But the benefits far exceed any initial setup costs."
Desmond is a writer, editor and president of PDEdit, an IT publishing company in Framingham, Mass. He can be reached at paul@pdedit.com.