Traveling at a Zillion Events Per Second

Talking Points

  • Implementing a SIM solution can be a challenge because enterprise network security systems consist of devices and software accumulated piecemeal.
  • One benefit of Sarbox: some IT managers say their budgets have been fattened with dollars earmarked for compliance-related purchases.
  • A market shift may come as organizations begin developing their security strategies within the context of a “vulnerability management ecosystem.”

Security-related software and systems such as firewalls, intrusion detection systems, operating system logs and antivirus apps spin out zillions of events per second. Getting a handle on all that data is the thinking behind security information management software, which is designed to help organizations sift, sort and generally make sense of their security stuff.

An increasing number of enterprises also are banking on security information management apps to help them meet federal compliance regulations like Sarbanes-Oxley. One result: some IT managers say their budgets have been fattened with dollars earmarked for compliance-related purchases. As promising as these technologies are, implementing a SIM solution undoubtedly will be a challenge for most organizations. More often than not, enterprise network security systems consist of devices and software accumulated piecemeal over time from several different vendors. Many companies simply underestimate the complexity of the job, says META Group analyst Paul Proctor.

“They read the marketing literature, see these full-featured, Cadillac-like systems with all these capabilities, and their common sense goes out the window,” Proctor says. “It’s not so much that the SIM vendors are over-promising, it’s that the users don’t recognize just what it’s going to take to implement these solutions. You have to take a close look at your organization, define your needs and set realistic expectations up front.” Start by deciding exactly what it is you’re trying to do, Proctor advises. Are you after forensic analysis capabilities? Are you trying to identify patterns in large amounts of standardized data? Is your goal is to make sense of a huge amount of non-standardized, non-linear, rapidly changing, highly sensitive security information collected from a large set of quickly evolving products from a range of vendors? You get the idea. (See related story, “Three things that make you go hmm....”)

“I’ve often advised people just to sit down with a piece of paper and draw the charts they want to see,” says Amrit Williams, an analyst at Gartner. “Something as simple as that can get you focused, so that you know exactly what you want before you begin evaluating products.” (See related story, “Meet the SIMs.”)

SIM had been on the wish list of the IT organization at Nicor Gas for some time when the Sarbanes-Oxley compliance mandate loosened the company’s purse strings late last year. Based in Naperville, Nicor is the public natural gas utility serving more than 2 million customers in the northern half of Illinois, excluding Chicago.

“The good thing about the compliance mandate, from our perspective, is that it finally freed up money from—and focus on—competing projects that might have had better ROI in the past,” says Mark Guth, Nicor’s manager of IT networks. Guth has operational responsibilities for security disaster recovery at Nicor, as well as the help desk team, Wintel servers and the company’s voice data radio group (LAN-WAN switching).

Although internal and external Sarbox auditors gave Nicor a passing grade, they also recommended the company look for a monitoring tool to enhance its internal controls framework, which probably would not be adequate in the future, Guth says.

“It might sound like an oxymoron, but we have a very robust manual process,” Guth explains. “That process has served us well, but with more and more potential threats on the horizon, both internally and externally, we have long believed that we were not going to be able to continue relying on a manual approach to ensure the proper level of security for our organization.”

Last year, Nicor sent out an RFP to eight SIM vendors, heard back from six, narrowed the field quickly to a handful and then, in December, settled on a product from ArcSight. The ArcSight ESM is an enterprise security platform designed to collect and analyze security data from heterogeneous devices.

Among the product features that appealed to Guth and his team was ArcSight’s threat visualization capability. “It shows what’s happening in near real time, and it will provide us with the ability to turn off an interface as it gets set to propagate problems throughout the network,” Guth says. “We no longer have to wait until we stumble across somebody poking around in the firewall or happen to spot some unusual network traffic.”

Nicor is implementing the ArcSight ESM in stages, the first of which should be completed this summer. Approximately six different platforms will be covered: three different server types and three different networking device types. The solution will be integrated with an HP OpenView network node manager, and initially monitor 80 devices in the enterprise. More devices will be added by the end of the year, Guth says.

“We are rolling this thing out in stages because we want to be able to tweak it and get comfortable with the usability of the alerts before we deploy it across the entire enterprise,” Guth says. “But we definitely plan to expand the footprint.”

Guth also plans to tie the ArcSight platform to Nicor’s retina scanning tool. Nicor currently employs one retinal scanner to validate the hardware configuration for its Windows and Wintel servers. The company plans to expand its use of the devices in the future, Guth says.

Although there’s no doubt that many of the SIM solutions available today can prove useful as regulatory compliance tools, Gartner’s Williams says, organizations that focus on passing an audit at the cost of a sound security information management strategy risk, what he calls “regulatory distraction.”

“If you’ve got a mandate coming down from above that says you must meet HIPAA, Sarbanes-Oxley or GLBA requirements, you’re going to look for a product that helps you satisfy that mandate,” he says. “That’s understandable, but there’s no need to neglect security in the process. Generally, if you do approach this problem with common sense, you’re going to meet your compliance requirements, pass the audit and make yourself more secure.”

The young SIM market continues to respond to changing customer concerns, analyst Proctor observes, evolving with such trends as intensifying enterprise interest in regulatory compliance solutions. Another market shift may come as organizations begin developing their security strategies within the context of a “vulnerability management ecosystem.”

“Organizations are looking to an enterprise view of risk management to bring consistency in measurement and control of risk across the enterprise,” notes Forrester analyst Mike Rasmussen in a December 2004 report. “The controls and measurement of risk and compliance require that they be integrated into an organization’s enterprise architecture. This involves integration of controls into policies, operations and technologies that support business processes.”

In the meantime, organizations interested in SIMs have a lot to choose from in the current market, from software to appliances, from toolkits requiring extensive service and support to production-strength solutions out of the box. “The key to success with a SIM project-or just about anything—is in the planning,” Proctor says. “It’s about clarifying your organization’s needs, establishing specific goals and setting down-to-earth expectations. This is really one of those times when you get back what you put in up front.”


Sidebar: Meet the SIMs
Sidebar: Three things to make you go hmmm…
Chart: Security Engineering

Windows XP SP2 deadline: Are your systems ready?
By Lana Gates

Congress looks at enterprise ID management
By John K. Waters

College-based program targets security holes
By Rick Saia