by Larry Lunetta, special to Network World

Frameworks coordinate security

Nov 24, 2003
Network Security

Companies rely on a variety of security products, including firewalls and intrusion-detection systems, to monitor, investigate and report on the many types of security issues that are experienced each day. Typically these devices come from many vendors, as organizations seek best-of-breed products. But because each device type and vendor has its own message, log and console format, as the security infrastructure is built out, it becomes increasingly difficult to understand the output of individual or even groups of devices and assemble a complete picture of an organization’s threat profile.

To obtain maximum value from these heterogeneous devices, they must be assembled into a system that provides the necessary intelligence and tools to deal with millions of alarms and alerts per day. Security management frameworks provide a coordinated component set that collects security data from the network, puts it in a common format, stores it in a database and executes a range of analysis, display, response and reporting tasks.

A security management framework consists of software agents, server-based managers and consoles. Agents can be deployed on the security devices, network devices and applications that report security events at aggregation points or as listening posts for SNMP broadcasts. The agents forward the data to server-based managers that consolidate, filter and cross-correlate the events, using a rules engine and a central database. These managers report relevant information to consoles, where security professionals monitor events, receive notifications and perform incident investigation and response. Consoles are available as applications for dedicated workstations or via a browser-based interface for remote access.

Together, these components represent a complete framework for detecting and responding to security threats or attacks. One database stores all security events, and the console presents all security activity in a manner that can be responded to immediately, according to an organization’s individual security policy.

Real-time correlation is the key element in an effective security management framework because it automatically examines and analyzes millions of events per day. It works by reading the original alarm or alert message, parsing it into its individual fields and mapping those fields into a common format, or schema. These normalized messages, forwarded by the collection component, are then assigned the proper priority level: real-time correlation does this by combining the threats that the firewall or IDS identifies with information about the targets, or assets. The correlation system contains a rule set that scores the threat according to three questions:

What else has occurred? It’s one thing to know a set of packets is dangerous, but another to see that the packets reached the intended target.

Is the asset vulnerable? Many organizations use vulnerability scanners to search their networks proactively and report specific vulnerabilities to known exploits. An immediate reference to this information stored in an asset table will indicate whether the target is vulnerable to a particular attack. The threat score is adjusted accordingly.

How valuable is the asset? Asset value describes the role of the target, what kind of data it manages, and what applications run on it. The more valuable the asset, the higher the priority of the alert.

Because the point of all this is to take the right action at the right time, the organization can set up policies to govern automated responses and responses acted on by staff.
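The pipeline just described, from raw device messages through the common schema to a scored priority and a policy-driven response, is shown below as an added example. It is not code from the article or from ArcSight; the two message formats, the host addresses, the asset table, the scanner finding ids (`scan-17`, `scan-42`) and the score weights are all constructed for illustration.

```python
"""Added example: agent normalisation, manager correlation and policy lookup."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Common schema that every device format is normalised into."""
    device: str
    kind: str            # "fw" (firewall) or "ids"
    src: str
    dst: str
    dport: int
    action: str = ""     # firewall verdict: ACCEPT / DROP
    signature: str = ""  # IDS signature name
    vuln_ref: str = ""   # scanner finding the IDS signature exploits, if any


# Two constructed, vendor-specific message formats (hypothetical, not real products).
FW_RE = re.compile(
    r"^(?P<device>\S+) \S+ action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)
IDS_RE = re.compile(
    r'^(?P<device>\S+) \S+ ALERT sig="(?P<sig>[^"]+)" vuln=(?P<vuln>\S+) '
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_event(line):
    """Agent step: read the raw message and map its fields into the schema."""
    m = FW_RE.match(line)
    if m:
        return Event(m["device"], "fw", m["src"], m["dst"], int(m["dport"]),
                     action=m["action"])
    m = IDS_RE.match(line)
    if m:
        return Event(m["device"], "ids", m["src"], m["dst"], int(m["dport"]),
                     signature=m["sig"], vuln_ref=m["vuln"])
    raise ValueError(f"unrecognised message format: {line!r}")


# Constructed asset table: role, relative value, and scanner findings per host.
ASSETS = {
    "10.0.0.5": {"role": "public web server", "value": 2, "vulns": {"scan-17"}},
    "10.0.0.9": {"role": "payroll database", "value": 4, "vulns": set()},
}

# Constructed response policy: the organisation maps priority level to action.
RESPONSE_POLICY = {
    "high": "page on-call analyst and block source at the firewall",
    "medium": "open a ticket for analyst investigation",
    "low": "log only",
}


def score_alert(alert, fw_events, assets):
    """Manager step: rule set scoring one IDS alert against its context."""
    score, reasons = 1, []  # every IDS alert starts with a base score of 1
    # 1. What else has occurred? Did the firewall let the packets reach the target?
    #    (A real manager would also bound this lookup by a time window.)
    reached = any(f.action == "ACCEPT" and f.src == alert.src and
                  f.dst == alert.dst and f.dport == alert.dport for f in fw_events)
    if reached:
        score += 2
        reasons.append("firewall accepted traffic to the target")
    asset = assets.get(alert.dst)
    if asset:
        # 2. Is the asset vulnerable to this particular attack?
        if alert.vuln_ref in asset["vulns"]:
            score += 3
            reasons.append("target vulnerable according to scanner data")
        # 3. How valuable is the asset?
        score += asset["value"]
        reasons.append(f"asset value {asset['value']} ({asset['role']})")
    return score, reasons


def priority(score):
    """Map the numeric score onto the priority levels the console shows."""
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


def correlate(lines, assets=ASSETS, policy=RESPONSE_POLICY):
    """Run the whole pipeline over raw lines; return one record per IDS alert."""
    events = [parse_event(line) for line in lines]
    fw_events = [e for e in events if e.kind == "fw"]
    results = []
    for e in events:
        if e.kind != "ids":
            continue
        score, reasons = score_alert(e, fw_events, assets)
        level = priority(score)
        results.append({"dst": e.dst, "signature": e.signature, "score": score,
                        "priority": level, "response": policy[level],
                        "reasons": reasons})
    return results


# Constructed sample log: two firewall verdicts and three IDS alerts.
SAMPLE_LOG = [
    "fw01 2003-11-24T10:00:01 action=ACCEPT src=192.0.2.10 dst=10.0.0.5 dport=80 proto=tcp",
    'ids02 2003-11-24T10:00:02 ALERT sig="web exploit attempt" vuln=scan-17 192.0.2.10 -> 10.0.0.5:80',
    "fw01 2003-11-24T10:05:00 action=DROP src=198.51.100.7 dst=10.0.0.9 dport=1433 proto=tcp",
    'ids02 2003-11-24T10:05:01 ALERT sig="database exploit attempt" vuln=scan-42 198.51.100.7 -> 10.0.0.9:1433',
    'ids02 2003-11-24T10:07:30 ALERT sig="port sweep" vuln=none 198.51.100.7 -> 10.0.0.77:22',
]

if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(f"{r['priority']:6} score={r['score']} {r['dst']} {r['signature']!r}"
              f" -> {r['response']} [{'; '.join(r['reasons'])}]")
```

The first alert scores high because all three questions point the same way: the firewall accepted the traffic, the scanner had flagged the target as vulnerable to that signature, and the host carries some value. The second stays medium even though the database is the more valuable asset, because the firewall dropped the packets and no matching finding exists. The third, against a host absent from the asset table, is logged and nothing more.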

Lunetta is vice president of marketing and business development for ArcSight. He can be reached at