Body of Evidence

Security event management is critical to incident response.
Network security breaches are like any other crime scene. The perpetrators leave behind clues that can help network administrators identify and even thwart the activity.

Those clues are generated by network devices that diligently log every bit of security-related data. Trouble is, they generate so much data that it’s virtually impossible for network administrators to sift through it all. Security breaches go unsolved or even unnoticed because the evidence is buried in massive log files.

More and more organizations are using centralized security event management (SEM) tools to help them make sense of the high volumes of log and event data generated by network and security devices. SEM solutions automate the collection, storage and correlation of millions of events from any number of security devices, networks, operating systems, databases and applications, helping organizations identify anomalous behavior that may indicate an attack or a security breach.

Coping with Compliance
SEM solutions are also becoming essential elements of an organization's regulatory compliance strategy. SEM systems help organizations fulfill the auditing and reporting requirements of regulations such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley because they demonstrate to auditors the ability to monitor and report on network activity in a repeatable manner. They also demonstrate that logs are being reviewed, or at least that critical events are being brought to someone's attention.

SEM systems began appearing in the late 1990s, when security vendors created them to help network administrators cope with the information overload caused by the event logs of intrusion detection systems and firewalls. In a typical enterprise, an intrusion detection system can produce more than 500,000 messages per day, and firewalls can generate millions of log records a day. Overworked security administrators needed a consolidated, real-time view of system and event logs to see the network's overall health and to tell whether something was compromised or misconfigured, without having to check each machine individually.

SEM systems offer a better way. Most use software agents running on the monitored machines to forward critical data to a central server, which watches for such things as misconfigurations, intrusions, out-of-date antivirus signatures or unapplied patches. SEM systems have since extended their reach to include switch and router logs, vulnerability scan results, and OS and application logs.

Drawing Comparisons
While security event management is evolving to include features such as network behavior anomaly detection and real-time passive network monitoring, log correlation remains at the heart of these systems. A typical SEM architecture consists of three modules — a user interface, the core engine and event collection. The core engine module, often linked to a database application, is the key to aggregating and correlating events from disparate products that would otherwise require manual gathering and review.

Besides being incredibly time consuming, manual gathering and review often leads to "apples to oranges" comparisons because different products record and categorize events in different formats. For example, a Cisco router can have more than 6,000 different event signatures, and a Windows host server can have more than 7,000. An SEM system not only gathers the data but normalizes it into a common schema before handing it to the core analysis engine, which can then make an "apples to apples" comparison across sources.

What does all that mean to IT administrators? Consider the results of validation testing on SEM systems conducted in November 2006 by The Tolly Group. In a 24-hour period, the research firm sent streams of millions of network flows and hundreds of thousands of security events to a variety of SEM products. The security event management systems correlated and reduced that traffic down to as few as 97 network offenses that needed operator investigation.
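The two steps described above, normalizing differently formatted logs into one schema and then correlating the result down to a handful of offenses, can be shown end to end in a small script. The following is an added illustration written for this page, not code from any SEM vendor or from the Tolly Group testing. The three log formats are simplified, constructed approximations of a firewall key=value syslog line, an OpenSSH auth line, and a flattened Windows Security event (EventID 529 was the legacy logon-failure event), and the correlation thresholds are assumptions chosen for the demonstration.

```python
"""Toy SEM pipeline: normalize heterogeneous log lines into one schema, then
correlate them into a small number of "offenses".  Added illustration; the
formats are simplified approximations, not any vendor's exact syntax."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real captures): three devices, three formats.
RAW_LOGS = [
    # firewall, key=value syslog
    "2006-11-14T03:12:01Z fw1 DENY proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2006-11-14T03:12:02Z fw1 DENY proto=tcp src=203.0.113.7 dst=10.0.0.6 dport=22",
    "2006-11-14T03:12:03Z fw1 ALLOW proto=tcp src=10.0.0.9 dst=10.0.0.5 dport=443",
    # OpenSSH auth log on a Linux host (classic syslog timestamp, no year)
    "Nov 14 03:12:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 4130 ssh2",
    "Nov 14 03:12:06 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 4131 ssh2",
    "Nov 14 03:12:09 web01 sshd[2215]: Accepted password for alice from 10.0.0.9 port 5502 ssh2",
    # Windows Security log, flattened to one line (529 = legacy logon failure)
    "2006-11-14 03:12:08 WS01 Security EventID=529 Type=AuditFailure User=admin Source=203.0.113.7",
    "2006-11-14 03:40:00 WS01 Security EventID=528 Type=AuditSuccess User=bob Source=10.0.0.9",
    # a second source that only touches one device: stays below the offense threshold
    "Nov 14 03:13:00 web01 sshd[2220]: Failed password for root from 198.51.100.2 port 6000 ssh2",
    "Nov 14 03:13:01 web01 sshd[2220]: Failed password for root from 198.51.100.2 port 6001 ssh2",
]

YEAR = 2006  # assumption: syslog lines carry no year, so supply the capture year

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) proto=\S+ src=(\S+) dst=(\S+) dport=(\d+)$")
SSH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port")
WIN_RE = re.compile(r"^(\S+ \S+) (\S+) Security EventID=(\d+) Type=(\S+) User=(\S+) Source=(\S+)$")


def normalize(line):
    """Map one raw line onto the common schema
    {ts, device, src, category, outcome}; return None if no parser matches."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "device": m.group(2), "src": m.group(4), "category": "network",
                "outcome": "deny" if m.group(3) == "DENY" else "allow"}
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "device": m.group(2), "src": m.group(5), "category": "auth",
                "outcome": "fail" if m.group(3) == "Failed" else "success"}
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "device": m.group(2), "src": m.group(6), "category": "auth",
                "outcome": "fail" if m.group(4) == "AuditFailure" else "success"}
    return None


def correlate(events, threshold=3, min_devices=2, window=timedelta(minutes=5)):
    """Collapse suspicious events into offenses: one per source IP that produced
    at least `threshold` denied/failed events on at least `min_devices` distinct
    devices within `window`.  Allowed traffic and successful logons never count."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["outcome"] in ("deny", "fail"):
            by_src[ev["src"]].append(ev)
    offenses = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):  # slide a window over this source's events
            span = [e for e in evs[i:] if e["ts"] - evs[i]["ts"] <= window]
            devices = {e["device"] for e in span}
            if len(span) >= threshold and len(devices) >= min_devices:
                offenses.append({"src": src, "events": len(span), "devices": sorted(devices),
                                 "first": span[0]["ts"], "last": span[-1]["ts"]})
                break  # one offense per source, not one per raw event
    return offenses


def run(lines=RAW_LOGS):
    """Return (raw line count, parsed event count, offenses) for a batch of logs."""
    events = [e for e in (normalize(line) for line in lines) if e]
    return len(lines), len(events), correlate(events)


if __name__ == "__main__":
    total, parsed, offenses = run()
    print(f"{total} raw lines -> {parsed} normalized events -> {len(offenses)} offense(s)")
    for o in offenses:
        print(f"  {o['src']}: {o['events']} events on {o['devices']} between {o['first']} and {o['last']}")
```

On the constructed sample the ten raw lines collapse to a single offense for 203.0.113.7, which hit the firewall, a Linux host and a Windows workstation within seconds; the second source stays below the threshold because it only touched one device, and the successful logons and allowed connection are never considered. The design choice worth noting is that normalization happens before correlation: the rule reasons only about `src`, `device`, `outcome` and `ts`, so adding a fourth log format is a new parser, not a new rule.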

There are a host of SEM solutions on the market, ranging from very expensive enterprise-grade systems that can take months to deploy and may require dedicated servers, to more affordable plug-and-play products targeting small to midsized businesses. These systems can either be appliance-based or software-based. In general, appliance-based systems tend to be easier to deploy but lack the customization and scalability of a software solution.

When evaluating either software- or appliance-based products, industry analysts say organizations should look for the following features in an SEM solution:

  • Log collection from heterogeneous devices. The system should be able to aggregate and correlate information from devices from a variety of manufacturers.
  • Centralized event detection. It should be able to detect events automatically and distinguish between events that matter and those that do not, freeing up staff members to focus on preventing the most important threats.
  • Threat prevention and remediation. The system should generate alerts and automated responses based upon certain security events, then record and track event data for post-threat investigation.
  • Report generation. The system should generate reports that give an overall view of the infrastructure, while also supporting regulatory compliance mandates.

Forrester Research has predicted that the SEM market will continue to grow by 50 percent annually, with spending expected to reach $1.2 billion by 2011. Risks associated with sophisticated threats and compliance guidelines mean that organizations must collect, retain and analyze more security data than ever before. SEM tools give security teams an automated means to sift through all this data to discover solid clues about the activity within their IT environments.
