GuardedNet, Intellitactics, netForensics add event translation, analysis features.

Three security management software makers are improving their respective products with features that include real-time event correlation, analysis to prioritize security events, and scalable systems that can collect and store thousands of events per second.

Security information management (SIM) vendors GuardedNet, Intellitactics and netForensics upgraded their flagship products recently, each trying to gain ground in a market that IDC estimates is worth $15 million today and is set to quadruple to $61.3 million by 2005.

SIM software automates the collection of event log data from security devices, helping users make sense of it through a common management console. The products use data aggregation and event correlation features similar to those found in network management software, and apply them to event logs generated from firewalls, proxy servers, intrusion-detection systems and antivirus software.

GuardedNet has expanded its database capabilities to allow more flexibility in storing volumes of security data for trend analysis. Intellitactics added to its software 50 prewritten rules the company gathered from 50 customers. And netForensics partnered with SilentRunner – a network security analysis company that creates visual representations of security assets – to give users a visual layout of how security devices connect and interrelate.

“The visualization with the SilentRunner module allows us to correlate events across the enterprise,” says Matt Speare, director of IT risk management at Ohio Savings Bank in Cleveland. He says his team is “impressed with the intuitiveness” the new module in netForensics 3.0 provides.

Speare also is using netForensics’ new threat-scoring feature, which assigns categorized scores to security assets so managers can prioritize the importance of individual events on the network.

Intellitactics CTO Paul Sop says his company’s Network Security Manager (NSM) 4.0 now can translate the effect of correlated security events into plain English. NSM will tell a security manager when a server infected with a virus or vulnerable to a hacker is attempting to contact other servers and potentially spread a security threat across the network. For example, Sop says, NSM could send a message such as, “We’ve seen a host in the sales group that has now touched five business locations.”

“We can actually take 200,000 events and turn them into readable sentences,” Sop says. “We can detect if a threat is spreading and characterize that into relevant descriptions in sentence form.”

SIM software also can collect security data from security devices that don’t broadcast events and nonsecurity devices through the use of universal agents, which users configure to pull data from those specific devices. GuardedNet and netForensics added universal agents to their feature list, while Intellitactics already offered them.

Tom McNeight, GuardedNet’s new president and CEO, says SIM vendors must be able to seal potential holes in security systems that could slip by a human operator. GuardedNet’s neuSecure 1.6 “can stop security managers from being overwhelmed as devices continue to proliferate,” he says.

Vendors such as e-Security, ArcSight and OpenService also are among the list of newer companies attempting to address SIM needs. Security industry giants such as Check Point Software and Symantec also announced SIM products this fall.

New in security management

Security information management companies are adding more collection, correlation and graphical interfaces to their software.

| Company | Founded | Product | New features | Price |
|---|---|---|---|---|
| GuardedNet | 1999 | neuSecure 1.6 | Database agnostic, universal agent, threat weighting techniques and customizable rules. | $50,000 |
| Intellitactics | 1996 | Network Security Manager 4.0 | Real-time correlated event view, 50 pre-loaded rules and advanced analytics module for security threat trend analysis. | $100,000 |
| netForensics | 1999 | netForensics 3.0 | Real-time correlation, event scoring and categorization ability, and graphical visualization of security devices. | $45,000 |