
Each of these systems makes a key contribution to the overall view of the company’s current information security status. But each also speaks its own language, with its own reporting, event logs and rules – even its own management console.
It is the constant ‘chatter’ of events and updates from each corporate system that can blur the IT Security team’s vision of the company’s overall security stance. And without the ability to cut through the chatter and correlate seemingly unrelated events, a true security threat could get lost in the background noise – and the information security fight could be over before a defensive shot is fired.
Costs speak louder than threats: the man-hours wasted trying to repair the damage can pale in comparison to the revenue lost after the business interruption from an attack.
Alert avalanche
The sheer amount of event data generated by the systems on a medium to large multi-site network is hard to grasp. Analysts such as the Gartner Group estimate that the corporate systems of multi-site networks with 1,000+ users can generate an average of one security ‘event’ per second for every five users – a volume of data that would overwhelm any IT department and distract it from more essential tasks.
This makes the job of ensuring the security of core business assets difficult, simply because IT teams are constantly trying to assemble fragmented glimpses of events into a coherent security picture.
To illustrate this point, let’s look at an example of a remote network access session from an authorized user and notebook PC. The company’s VPN system and firewall logs will give information about the external device, user and connection, telling you who is connecting to the network, from where, and by what means. However, this only gives half the picture of the remote access session. There’s also the need to see what’s happening on the internal side of the connection – to see whether the authorized remote access session is making changes or altering key data on internal systems. Joining the two halves requires a common key, typically the user name or the internal address the VPN assigned to the session, plus timestamps that agree across the sources; without that, the internal change cannot be attributed to the remote user who made it.
For many companies, the internal and external information security views are not correlated, so the security logs generated by the range of systems in use may never combine into a real, actionable security alert for IT staff.
End-to-end
So how do companies better manage the deluge of security data from their internal systems, and get better visibility of what’s happening with the business IT assets that matter?
This is where Security Information and Event Management (SIEM) solutions come in. SIEM grew out of the drive to unify network management that the industry saw in the late 90s, but applied specifically to information security.
SIEM is the merger of two preceding technologies: Security Information Management (SIM), which covers long-term log collection, storage, analysis and reporting, and Security Event Management (SEM), which covers real-time monitoring, correlation and alerting on events as they happen.
SIEM helps fight the corporate security battle on two fronts. First, by integrating the muddle of management consoles and reporting formats in corporate networks to simplify management, provide greater visibility and improve response times. A key element of this is filtering and automated analysis, thereby drastically reducing the level of data and log traffic generated by multiple systems – giving IT staff a less cluttered, more coherent view of what’s happening on and around their networks.
Secondly, by extending across the enterprise to give an end-to-end view of network activity, reporting on any changes to core assets, wherever those assets are stored: on servers, desktops, notebooks and PDAs, or any device where corporate information may be sent and received.
Noises off
SIEM means all data and event logs are aggregated into one central correlating engine. The engine correlates the relationships between the logs and alarms produced by a company’s various core business systems, such as ERP, transaction management and so on, and those produced by security devices.
SIEM will typically reduce the number of events and alerts by a factor of 1000 or more. What’s more, it can overlay multiple reporting logs and data streams to give IT staff a single-console view of the most important security events.
This ‘aerial view’ can identify irregular activities or attempted attacks that would otherwise be invisible without an overall view of the corporate security status. SIEM can also put alerts into context, by linking to internal and external resources which document known vulnerabilities and exploits – and with an embedded incident handling and resolution system, assist IT staff in delivering the best response.
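The two mechanisms described in this section and in the remote-access example earlier, namely normalising logs from several sources into one format, attributing an internal change to the VPN session that made it, and collapsing repeated identical events into one, are shown below in a small correlation engine. This is an added illustration written for this page, not ExaProtect’s code nor code from the original text; the three log formats, host names, user names and addresses are constructed for the example, and the rule that only modifications under a hypothetical critical path count as alerts is an assumption.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample logs (made-up formats, hypothetical hosts/users, RFC 5737 test addresses).
VPN_LOG = """\
2008-05-12 08:01:10 vpn01 session-up user=jdoe peer=203.0.113.7 assigned=10.8.0.21
2008-05-12 08:59:03 vpn01 session-down user=jdoe assigned=10.8.0.21
2008-05-12 09:10:44 vpn01 session-up user=asmith peer=198.51.100.9 assigned=10.8.0.22
"""
FIREWALL_LOG = """\
2008-05-12 08:01:12 fw01 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=443
2008-05-12 08:02:00 fw01 DENY src=198.51.100.200 dst=192.0.2.10 dport=22
2008-05-12 08:02:01 fw01 DENY src=198.51.100.200 dst=192.0.2.10 dport=22
2008-05-12 08:02:02 fw01 DENY src=198.51.100.200 dst=192.0.2.10 dport=22
"""
AUDIT_LOG = """\
2008-05-12 08:15:30 erp01 FILE_MODIFY path=/opt/erp/config/pricing.xml src=10.8.0.21
2008-05-12 08:20:05 erp01 FILE_READ path=/opt/erp/reports/q1.pdf src=10.8.0.21
2008-05-12 09:30:00 erp01 FILE_MODIFY path=/opt/erp/config/pricing.xml src=10.8.0.22
2008-05-12 10:05:00 erp01 FILE_MODIFY path=/opt/erp/config/pricing.xml src=10.8.0.21
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+)(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Normalise one log source into dicts with ts, host, action and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are dropped rather than silently mis-attributed
        ts, host, action, rest = m.groups()
        ev = {"ts": datetime.strptime(ts, TS_FMT), "host": host, "action": action}
        ev.update(KV_RE.findall(rest))
        events.append(ev)
    return events


def vpn_sessions(events):
    """Pair session-up/session-down into (user, assigned_ip, start, end) windows."""
    open_sessions, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["assigned"])
        if ev["action"] == "session-up":
            open_sessions[key] = ev["ts"]
        elif ev["action"] == "session-down" and key in open_sessions:
            sessions.append((ev["user"], ev["assigned"], open_sessions.pop(key), ev["ts"]))
    for (user, ip), start in open_sessions.items():  # still connected: open-ended window
        sessions.append((user, ip, start, None))
    return sessions


def correlate_changes(sessions, audit_events, critical_prefix="/opt/erp/config/"):
    """Attribute each modification of a critical path to the VPN user whose session covered it.

    The assigned address is the join key; the session window is the time check. A change
    from a VPN-pool address with no covering session is reported, not guessed at.
    """
    alerts = []
    for ev in audit_events:
        if ev["action"] != "FILE_MODIFY" or not ev["path"].startswith(critical_prefix):
            continue
        user = None
        for s_user, ip, start, end in sessions:
            if ip == ev["src"] and start <= ev["ts"] and (end is None or ev["ts"] <= end):
                user = s_user
                break
        alerts.append({"ts": ev["ts"], "path": ev["path"], "src": ev["src"],
                       "user": user or "UNATTRIBUTED"})
    return alerts


def aggregate(events, window=timedelta(seconds=60)):
    """Collapse runs of identical events within `window` into one event carrying a count."""
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = {k: v for k, v in ev.items() if k not in ("ts", "count")}
        last = out[-1] if out else None
        if (last and {k: v for k, v in last.items() if k not in ("ts", "count")} == key
                and ev["ts"] - last["ts"] <= window):
            last["count"] += 1
        else:
            out.append(dict(ev, count=1))
    return out


def run():
    sessions = vpn_sessions(parse(VPN_LOG))
    alerts = correlate_changes(sessions, parse(AUDIT_LOG))
    firewall = aggregate(parse(FIREWALL_LOG))
    return sessions, alerts, firewall


if __name__ == "__main__":
    sessions, alerts, firewall = run()
    for a in alerts:
        print(a["ts"], a["user"], "modified", a["path"], "from", a["src"])
    for e in firewall:
        print(e["ts"], e["host"], e["action"], e["src"], "->", e["dst"], "x%d" % e["count"])
```

Two things worth noting in the output. The third modification of the pricing file comes from an address in the VPN pool after the user’s session has ended, so it is flagged as unattributed instead of being pinned on the last user who held that address; that is exactly the case a naive join on IP address gets wrong. And the three identical firewall denies collapse into one record with a count, which is the kind of reduction that turns a stream of noise into something an analyst can read.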
Instant replay
Advanced consoles can also allow playback of events to see what devices an alert or attack is targeting, ensuring that IT staff can deliver a measured and appropriate response to an event, free from background noise.
Vive le ROI
So far, so good – SIEM can deliver major functional and management benefits to IT teams. But what investment is needed in setting up the solution? And can the functional benefits and enhanced security responsiveness from SIEM make a real impact on the company’s bottom line?
Like any other tool, it’s important to have realistic expectations when setting up a SIEM solution. The IT team should still be prepared to invest time in setting up the desired monitoring functions to suit their specific needs.
The rewards make it worth the effort. Experience and early analyst findings show that following deployment of a SIEM solution, an IT team of a given size is able to manage double the number of machines and devices within a matter of months – giving a very direct ROI in terms of IT team capacity and efficiency gains. SIEM solutions certainly represent a modest investment for such a big return.
Compliance issues
SIEM plays a major role in corporate compliance – a formidable spectre which is looming large over many CIOs and CSOs with measures such as:
As well as the various control frameworks often found in modern large enterprises, such as:
SIEM lets companies integrate information security data across their existing systems, automates the evaluation of that data, and provides a central storage, reporting and audit engine across the company’s entire network infrastructure. This enables easy tracking of processes, and measurement of progress against business objectives.
In fact, SIEM has proven so effective in addressing compliance and internal process management issues that ExaProtect (a leader in the SIEM Market) has found over 50% of its customers first deploy solutions for internal systems monitoring – protecting and securing the core systems which are vital to the business.
Introducing a next-generation SIEM: ExaProtect SMS
ExaProtect Security Management System (ExaProtect SMS) is a next-generation SIEM product designed to simplify and speed up the tasks of collecting, analyzing, monitoring, and reporting on security events across an array of disparate sources: enabling organizations to quickly and efficiently combat security threats to systems and core data.
This robust solution delivers a fully-featured SIEM platform that correlates security events and information across all applications, servers and security systems.
Security policy deviations are instantly identified, allowing security monitoring teams to react to security threats, and risk control teams to report on policy adherence.
At the same time, powerful event classification and archiving features further create a continuous, auditable link between source events and control requirements.
This SIEM product has the unique flexibility to meet the widest range of needs cost-effectively, providing a core platform that grows as your requirements evolve. As a fully featured SIEM solution, it offers powerful real-time correlation of security events and information across applications, servers and security systems.
Should your initial objectives be focused only on improved log management, then ExaProtect SMS uniquely provides an adaptable approach to centralizing log collection and archiving based upon a highly extensible core platform.
Key security management benefits delivered by ExaProtect SMS
Measurably increase corporate data security with standard and/or customized reports that allow you to quantify the overall efficiency of your security operation, tracking everything from individual device confidence levels through to demonstrating the effectiveness of your IT Security team.
Improve operational efficiency using real-time analysis of your security information to identify evolving incidents quickly and accurately, with integrated incident management procedures to ensure rapid and decisive remedial action. The instantaneous correlation of security events occurring across disparate systems highlights complex security threats that would otherwise be impossible to identify.
Facilitate regulatory compliance using comprehensive security compliance reports to meet audit and forensic requirements. Security alerts and raw log entries are stored in forensic-compliant archives suitable for post-event investigations and audits. Predefined reports are supplied to address a wide range of compliance and control framework needs, and additional reports can be easily added.
Gartner, Frost & Sullivan, the 451 Group, IDC, …
ExaProtect is recognized by leading analysts as a key player in the next-generation of SIEM technologies. Gartner’s ‘Broad Function SIEM’ classification and the recent win of Frost & Sullivan’s ‘Global Excellence Award in Network Security Infrastructure’ confirm that ExaProtect SMS can handle the most demanding SIEM requirements.
Many Fortune 500 companies such as Adecco, Alcatel, Apple Computer, Best Buy, Marsh, Johnson & Johnson, Johnson Controls, KeyBank, TD Ameritrade, Turner Broadcasting, Occidental Petroleum, Veritas, and Visa International, are benefiting from co-ordinated security management and enhanced day-to-day team productivity thanks to ExaProtect.
Call ExaProtect now to discuss your SIEM needs: +1 (650) 428 2800.