Traveling at a Zillion Events Per Second
- By John K. Waters
- June 1, 2005
- Implementing a SIM solution can be a challenge because enterprise network
security systems consist of devices and software accumulated piecemeal.
- One benefit of Sarbox: some IT managers say their budgets have been fattened
with dollars earmarked for compliance-related purchases.
- A market shift may come as organizations begin developing their security
strategies within the context of a “vulnerability management ecosystem.”
Security-related software and systems such as firewalls, intrusion detection
systems, operating system logs and antivirus apps spin out zillions of events
per second. Getting a handle on all that data is the thinking behind security
information management software, which is designed to help organizations sift,
sort and generally make sense of their security stuff.
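As an added illustration of the "sift and sort" job described above (this is not code from the article or from any vendor's product), the block below maps three constructed log formats (a firewall deny, an IDS alert and an OS logon failure) into one common event schema and then runs a single correlation rule across them; the hostnames, addresses and message formats are all made up, and the `min_categories` threshold stands in for the kind of alert tuning an organization does before widening a rollout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in three unrelated formats (firewall, IDS, OS log).
RAW_EVENTS = [
    "2005-06-01T10:00:01 fw01 DENY TCP 203.0.113.7:4411 -> 10.0.0.5:445",
    "2005-06-01T10:00:03 ids01 [1:2003:4] SMB probe {TCP} 203.0.113.7 -> 10.0.0.5",
    "2005-06-01T10:00:05 srv05 EventID=529 LogonFailure user=admin src=203.0.113.7",
    "2005-06-01T10:07:00 fw01 DENY UDP 198.51.100.2:5353 -> 10.0.0.9:5353",
]

# One pattern per hypothetical source format; the tuple name is the event category.
PARSERS = [
    ("firewall", re.compile(r"^(\S+) (\S+) DENY (\w+) (\S+?):\d+ -> (\S+?):\d+$")),
    ("ids",      re.compile(r"^(\S+) (\S+) \[[\d:]+\] (.+?) \{(\w+)\} (\S+) -> (\S+)$")),
    ("os",       re.compile(r"^(\S+) (\S+) EventID=(\d+) LogonFailure user=(\S+) src=(\S+)$")),
]

def normalize(line):
    """Map a raw line into a common schema: time, sensor, category, src, dst."""
    for category, pattern in PARSERS:
        m = pattern.match(line)
        if not m:
            continue
        g = m.groups()
        ts = datetime.fromisoformat(g[0])
        if category == "firewall":
            return {"time": ts, "sensor": g[1], "category": category, "src": g[3], "dst": g[4]}
        if category == "ids":
            return {"time": ts, "sensor": g[1], "category": category, "src": g[4], "dst": g[5]}
        # OS logon failure: the host that logged it is the destination.
        return {"time": ts, "sensor": g[1], "category": category, "src": g[4], "dst": g[1]}
    return None  # unrecognized format: callers can count these to spot unparsed sources

def correlate(lines, window=timedelta(minutes=5), min_categories=3):
    """Flag sources seen by at least min_categories distinct source types inside one window."""
    events = [e for e in (normalize(l) for l in lines) if e]
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            cats = {e["category"] for e in in_window}
            if len(cats) >= min_categories:
                alerts.append((src, sorted(cats)))
                break  # one alert per source is enough for this rule
    return alerts
```

Raising `min_categories` or shrinking `window` is the knob that trades missed correlations for fewer false alerts, which is the tuning step the staged rollouts later in the article are about.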
An increasing number of enterprises also are banking on security information
management apps to help them meet federal compliance regulations like Sarbanes-Oxley.
One result: some IT managers say their budgets have been fattened with dollars
earmarked for compliance-related purchases. As promising as these technologies
are, implementing a SIM solution undoubtedly will be a challenge for most organizations.
More often than not, enterprise network security systems consist of devices
and software accumulated piecemeal over time from several different vendors.
Many companies simply underestimate the complexity of the job, says META Group
analyst Paul Proctor.
“They read the marketing literature, see these full-featured, Cadillac-like
systems with all these capabilities, and their common sense goes out the window,”
Proctor says. “It’s not so much that the SIM vendors are over-promising,
it’s that the users don’t recognize just what it’s going to
take to implement these solutions. You have to take a close look at your organization,
define your needs and set realistic expectations up front.” Start by deciding
exactly what it is you’re trying to do, Proctor advises. Are you after
forensic analysis capabilities? Are you trying to identify patterns in large
amounts of standardized data? Is your goal to make sense of a huge amount
of non-standardized, non-linear, rapidly changing, highly sensitive security
information collected from a large set of quickly evolving products from a range
of vendors? You get the idea. (See related story, “Three
things that make you go hmm....”)
“I’ve often advised people just to sit down with a piece of paper
and draw the charts they want to see,” says Amrit Williams, an analyst
at Gartner. “Something as simple as that can get you focused, so that
you know exactly what you want before you begin evaluating products.”
(See related story, “Meet the SIMs.”)
SIM had been on the wish list of the IT organization at Nicor Gas for some
time when the Sarbanes-Oxley compliance mandate loosened the company’s
purse strings late last year. Based in Naperville, Nicor is the public natural
gas utility serving more than 2 million customers in the northern half of Illinois.
“The good thing about the compliance mandate, from our perspective, is
that it finally freed up money from—and focus on—competing projects
that might have had better ROI in the past,” says Mark Guth, Nicor’s
manager of IT networks. Guth has operational responsibilities for security and disaster
recovery at Nicor, as well as the help desk team, Wintel servers and the company’s
voice data radio group (LAN-WAN switching).
Although internal and external Sarbox auditors gave Nicor a passing grade,
they also recommended the company look for a monitoring tool to enhance its
internal controls framework, which probably would not be adequate in the future.
“It might sound like an oxymoron, but we have a very robust manual process,”
Guth explains. “That process has served us well, but with more and more
potential threats on the horizon, both internally and externally, we have long
believed that we were not going to be able to continue relying on a manual approach
to ensure the proper level of security for our organization.”
Last year, Nicor sent out an RFP to eight SIM vendors, heard back from six,
narrowed the field quickly to a handful and then, in December, settled on a
product from ArcSight. The ArcSight ESM is an enterprise security platform designed
to collect and analyze security data from heterogeneous devices.
Among the product features that appealed to Guth and his team was ArcSight’s
threat visualization capability. “It shows what’s happening in near
real time, and it will provide us with the ability to turn off an interface
as it gets set to propagate problems throughout the network,” Guth says.
“We no longer have to wait until we stumble across somebody poking around
in the firewall or happen to spot some unusual network traffic.”
Nicor is implementing the ArcSight ESM in stages, the first of which should
be completed this summer. Approximately six different platforms will be covered:
three different server types and three different networking device types. The
solution will be integrated with an HP OpenView network node manager, and initially
monitor 80 devices in the enterprise. More devices will be added by the end
of the year, Guth says.
“We are rolling this thing out in stages because we want to be able to
tweak it and get comfortable with the usability of the alerts before we deploy
it across the entire enterprise,” Guth says. “But we definitely
plan to expand the footprint.”
Guth also plans to tie the ArcSight platform to Nicor’s retina scanning
tool. Nicor currently employs one retinal scanner to validate the hardware configuration
for its Windows and Wintel servers. The company plans to expand its use of the
devices in the future, Guth says.
Although there’s no doubt that many of the SIM solutions available today
can prove useful as regulatory compliance tools, Gartner’s Williams says,
organizations that focus on passing an audit at the cost of a sound security
information management strategy risk what he calls “regulatory distraction.”
“If you’ve got a mandate coming down from above that says you must
meet HIPAA, Sarbanes-Oxley or GLBA requirements, you’re going to look
for a product that helps you satisfy that mandate,” he says. “That’s
understandable, but there’s no need to neglect security in the process.
Generally, if you do approach this problem with common sense, you’re going
to meet your compliance requirements, pass the audit and make yourself more
The young SIM market continues to respond to changing customer concerns, analyst
Proctor observes, evolving with such trends as intensifying enterprise interest
in regulatory compliance solutions. Another market shift may come as organizations
begin developing their security strategies within the context of a “vulnerability
“Organizations are looking to an enterprise view of risk management
to bring consistency in measurement and control of risk across the enterprise,”
notes Forrester analyst Mike Rasmussen in a December 2004 report. “The
controls and measurement of risk and compliance require that they be integrated
into an organization’s enterprise architecture. This involves integration
of controls into policies, operations and technologies that support business
In the meantime, organizations interested in SIMs have a lot to choose from
in the current market, from software to appliances, from toolkits requiring
extensive service and support to production-strength solutions out of the box.
“The key to success with a SIM project—or just about anything—is
in the planning,” Proctor says. “It’s about clarifying your
organization’s needs, establishing specific goals and setting down-to-earth
expectations. This is really one of those times when you get back what you put
in up front.”
ILLUSTRATION BY JASON SCHNEIDER