
Tools address security concerns

Feb 13, 2006

Faced with regulatory compliance requirements and grueling audits, network managers are turning increasingly to security-event management systems to detect when policies have been breached.

SEM products – from e-Security, Network Intelligence, ScriptLogic, TriGeo and others – have data aggregation and event correlation features similar to those in network management software. These products automate the manual process of collecting event-log data from file systems, security appliances and other network devices such as firewalls, proxy servers, intrusion-detection systems, routers and switches, and anti-virus software.

With upgraded releases, the vendors are separately augmenting their suites with advanced reporting, additional storage capacity and new form factors to enable smaller customers to roll out SEM tools.

E-Security and Network Intelligence are set to unveil this week their latest products at the RSA Conference. E-Security has taken the technology of its Sentinel enterprise-level software and put it into an appliance – the Sentinel AP – designed for faster installation and easier ongoing maintenance by small to midsize customers or remote-office deployments. Network Intelligence is adding a module to its EnVision software suite that will let customers get security events, compliance statistics and reports via a management dashboard. ScriptLogic last week introduced File System Auditor, software that helps customers collect file-system logs and compare changes or actions against preset policies.

“The learning curve for security management tools is so steep that these vendors will have to continue to broaden their reach with security controls and IT policies,” says George Hamilton, director of enterprise computing and networking at The Yankee Group.

Industry watchers speculate that SEM vendors and the IT duties the software performs will be absorbed eventually by larger management and security vendors – for example, IBM acquired Micromuse, which had earlier acquired GuardedNet. They also say that for the time being, specialized SEM vendors offer a much-needed technology. “Everyone is suffering from compliance fatigue right now, and it’s driving SEM purchases, because people have the budget to address that immediate concern,” Hamilton says.

According to The Yankee Group, the security industry overall generated about $12.9 billion in revenue in 2004, and of that, SEM accounted for a modest $250 million. However, the research firm projected that by the end of 2005, SEM would grow by more than 30% to be a $330 million market, and that in 2008 it will be an $800 million market.

Dan Guerra, systems manager at the Archdiocese of Boston, uses File System Auditor to collect data on files being accessed across his Microsoft Windows and IBM environment. His organization provides benefits to many organizations, and he says it must comply with the Health Insurance Portability and Accountability Act (HIPAA). File System Auditor, which runs in the file system driver, lets him collect data in a centralized location on those trying to access file systems. The software also helps him follow up on the policies that may have been breached.
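The two mechanisms described above, aggregating event logs from several device types and correlating them, and comparing file-system access records against a preset policy, are shown together in this added example. It is illustrative code, not part of the article and not the product of any vendor named here; the log formats, the "scan-then-alert" correlation rule, the `/hr/benefits/` path and the user names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in three made-up formats (not real product output),
# standing in for a firewall, an intrusion-detection sensor and a file-system audit feed.
FIREWALL_LOGS = [
    "2006-02-13T09:00:01 fw1 DENY src=10.0.0.7 dst=192.168.1.20 dport=445",
    "2006-02-13T09:00:03 fw1 DENY src=10.0.0.7 dst=192.168.1.21 dport=445",
    "2006-02-13T09:00:05 fw1 DENY src=10.0.0.7 dst=192.168.1.22 dport=445",
    "2006-02-13T09:30:00 fw1 ALLOW src=10.0.0.9 dst=192.168.1.20 dport=80",
]
IDS_LOGS = [
    "2006-02-13T09:00:04 ids1 ALERT sig=smb-scan src=10.0.0.7",
]
FILE_AUDIT_LOGS = [
    "2006-02-13T09:10:00 fs1 READ user=jdoe path=/hr/benefits/members.db",
    "2006-02-13T09:11:00 fs1 READ user=hradmin path=/hr/benefits/members.db",
]

# One regular expression per source type; each maps its own syntax onto shared field names.
PARSERS = {
    "firewall": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
                           r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"),
    "ids": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) ALERT sig=(?P<sig>\S+) src=(?P<src>\S+)$"),
    "file": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>READ|WRITE|DELETE) "
                       r"user=(?P<user>\S+) path=(?P<path>\S+)$"),
}

# Constructed policy: path prefix -> set of users allowed to touch it.
FILE_POLICY = {"/hr/benefits/": {"hradmin"}}


def normalize(source, line):
    """Turn one raw log line into a normalized event dict, or None if it does not parse."""
    match = PARSERS[source].match(line)
    if not match:
        return None
    event = match.groupdict()
    event["source"] = source
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def collect(feeds):
    """Aggregate every feed into a single time-ordered list of normalized events."""
    events = []
    for source, lines in feeds.items():
        for line in lines:
            event = normalize(source, line)
            if event is not None:
                events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def correlate_scan_alerts(events, min_denies=3, window=timedelta(seconds=60)):
    """Flag a source address that the firewall denied at least min_denies times
    inside `window` and that the IDS also alerted on within that same window."""
    denies = defaultdict(list)
    alerts = defaultdict(list)
    for event in events:
        if event["source"] == "firewall" and event["action"] == "DENY":
            denies[event["src"]].append(event["ts"])
        elif event["source"] == "ids":
            alerts[event["src"]].append(event["ts"])
    findings = []
    for src, times in denies.items():
        for start in times:
            end = start + window
            burst = [t for t in times if start <= t <= end]
            alerted = any(start <= a <= end for a in alerts.get(src, []))
            if len(burst) >= min_denies and alerted:
                findings.append({"rule": "scan-then-alert", "src": src,
                                 "first_seen": start, "denies": len(burst)})
                break  # one finding per source address is enough
    return findings


def check_file_policy(events, policy=FILE_POLICY):
    """Report file accesses under a protected prefix by users the policy does not allow."""
    violations = []
    for event in events:
        if event["source"] != "file":
            continue
        for prefix, allowed in policy.items():
            if event["path"].startswith(prefix) and event["user"] not in allowed:
                violations.append({"rule": "unauthorized-access", "user": event["user"],
                                   "path": event["path"], "ts": event["ts"]})
    return violations


def run():
    """Collect all feeds, then apply the correlation rule and the file-access policy."""
    events = collect({"firewall": FIREWALL_LOGS, "ids": IDS_LOGS, "file": FILE_AUDIT_LOGS})
    return correlate_scan_alerts(events) + check_file_policy(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The normalization step is where most of the real work in a SEM deployment sits: each device family needs its own parser before events can be compared, which is why the article's sources stress checking vendor device coverage against an inventory before buying. Against the constructed input the script reports one correlated scan finding for 10.0.0.7 and one policy violation for the user `jdoe`.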

“We have to provide the inspectors with a source of accountable information on how we protect personal data for our members and those we provide benefits for, based on HIPAA. Without this tool, we would have no way to track the abuse of those files,” Guerra says. He adds that he’d like to see similar support for his IBM Unix systems as ScriptLogic addresses Windows systems.

Others facing regulatory deadlines have turned to SEM products to ease the burden of data collection and storage.

“Being in the financial industry, using [TriGeo’s Security Information Management appliance] has made it easier for us to prove we are monitoring our environment in line with industry standards for security,” says Robert Martin, vice president and Southwest region security officer for Fiserv, a provider of technology solutions to financial companies in Houston. “TriGeo helped us get a handle on all the information coming off of our network device logs and also had the reporting capabilities we needed in our regulatory environment.”

The appliance arrives at customer sites preloaded, and customers then plug it into the network. The appliance generates reports according to customer specifications, which can be based on time, individual devices or groups of users.

TriGeo says in the first quarter of this year it will release an upgrade of Security Information Management that uses 64-bit technology for greater speed and performance than were possible in the 32-bit version; it will also add capabilities to USB-Defender, a new product the company says aids in protecting and shutting down unauthorized jump drives. USB-Defender will be integrated into the next release of Security Information Management to offer customers removable-storage management, TriGeo says.

TriGeo lets Martin monitor critical devices and actions on the network with fewer tools. He says it’s important that an SEM vendor be able to support as many devices as possible from companies such as Check Point, Cisco, Internet Security Systems and Nortel, to ensure that customers don’t have to use multiple tools to monitor security events and logs. “You need to have an accurate inventory of what you have before you choose a SEM product. If the SEM vendor can’t monitor all your devices, you will need to collect the data manually or use more than one tool. I’m not sure how cost-effective those options are,” he says.