Matt Speare estimates that it would require a staff of nine to monitor just one security event console consolidating logs from 30 devices 24-7 on his network at Ohio Savings Bank in Cleveland.
"And that's including weekend coverage, with no breaks, no lunch and no sick days," he says. Speare, director of IT risk management at Ohio Savings, quickly does the math again and concludes, "Obviously, that type of round-the-clock management with staff is cost-prohibitive."
To address the problem, Speare turned to security information management (SIM) software, an increasingly popular type of product designed for automating the collection of event log data from security devices and helping users make sense of it through a common management console.
Ohio Savings uses netForensics' Security Information Platform, which cost it about $55,000 in hardware and software to install - half of what Speare estimates it would have cost the bank to outsource its security management.
"There's a huge return on investment for us," he says.
Spelling out SIM
SIM products take data aggregation and event correlation features similar to those of network-management software and apply them to the event logs generated by security devices such as firewalls, proxy servers, intrusion-detection systems and antivirus software. What's more, SIM products can normalize data - that is, they can translate Cisco and Check Point Software alerts, for example, into a common format so the data from different devices can be correlated.
Like network-management software, SIM tools generally consist of server software, agents installed either on servers or security devices, and a central management console.
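As an added example (not from the article or from any of the vendors it names), here is a small normalizer plus one correlation rule in Python: two constructed log formats, loosely modelled on a Cisco firewall deny message and a Check Point key=value record, are translated into a common event schema so a single rule can see the same source address across both devices. The field layouts, the sample lines and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines; field layouts only approximate the real vendor formats.
RAW_LOGS = [
    "cisco: %ASA-4-106023: Deny tcp src outside:10.0.0.5/4021 dst inside:192.168.1.10/445",
    "checkpoint: action=drop src=10.0.0.5 dst=192.168.1.11 service=445 proto=tcp",
    "cisco: %ASA-4-106023: Deny tcp src outside:10.0.0.5/4022 dst inside:192.168.1.12/445",
    "checkpoint: action=drop src=10.0.0.9 dst=192.168.1.10 service=22 proto=tcp",
]

CISCO_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
CHECKPOINT_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) service=(?P<dport>\d+) proto=(?P<proto>\w+)")


def normalize(line):
    """Translate one vendor-specific line into the common schema; None if unrecognised."""
    device, _, msg = line.partition(": ")
    if device == "cisco":
        m = CISCO_RE.search(msg)
        if m:
            return {"device": device, "action": "deny", "src": m["src"],
                    "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"].lower()}
    elif device == "checkpoint":
        m = CHECKPOINT_RE.search(msg)
        if m:
            # Map the vendor's verb onto the shared vocabulary used by the correlation rule.
            action = "deny" if m["action"] == "drop" else m["action"]
            return {"device": device, "action": action, "src": m["src"],
                    "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"].lower()}
    return None


def correlate(events, min_targets=3):
    """Flag sources denied against at least min_targets distinct hosts, counted across all devices."""
    targets = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def run(lines=RAW_LOGS):
    """Normalize every line, drop the unparsable ones, then apply the rule."""
    events = [e for e in map(normalize, lines) if e]
    return events, correlate(events)
```

Neither device alone sees three denied targets from 10.0.0.5; only the normalized, merged view does.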
SIM providers range from smaller companies such as netForensics, Network Intelligence, GuardedNet, Intellitactics and OpenService to more established players such as Computer Associates, IBM Tivoli, Micromuse and NetIQ (see related story).
Charles Kolodgy, Internet security research manager at IDC, says companies have lots of choice when it comes to SIM: Vendors find the market attractive in that IDC estimates it is worth $15 million today and is set to quadruple to $61.3 million by 2005.
But he warns that many products are immature.
"These tools are great to collect and correlate events, but they offer little control over the security infrastructure," he says.
While vendors have adopted the SIM moniker, industry analysts prefer to call most of the products security event managers. Pete Lindstrom, a research director with Hurwitz Group, says the latter better describes what the current software offerings actually do, while SIM refers to a broader set of tasks the tools eventually should evolve to perform.
Real-world experiences
Charles Watson, data network specialist for Cellular South in Jackson, Miss., says his netForensics software pinpointed vulnerabilities in his network upon installation. Apparently, some end users had unwittingly been using open ports that the security staff did not know about.
"We had no idea those ports were open until the software pointed it out," Watson says. Because netForensics "logs everything," Cellular South could plug those holes and prevent a possible security breach - "and without running around to each server," he adds.
While Speare and Watson reported relatively easy SIM implementations, Jeffrey Hormann says the software requires a fair amount of upfront work.
Hormann, director of technology operations at Metromedia Fiber Network in White Plains, N.Y., says it took him about a month to get e-Security's e-Sentinel software product operational on his network. "It's not out-of-the-box ready to go," he says. "It took a bit of effort to get it rolled out [and customized]."
Yet Hormann says e-Sentinel has saved him from hiring a dozen security specialists and lets him offer more services with a downsized staff.
SIM users and industry watchers agree that while the software can serve as an extra set of eyes across security devices, the tools need to evolve to take corrective actions.
"Security event managers want to be smart and to ultimately move toward being able to prioritize assets and applications without much configuration from users," Hurwitz's Lindstrom says. "We're probably one or two generations of software away from policy- and configuration-based security information management software."
Network World, 09/30/02.
