Security event management (SEM) tools are designed to
monitor security events across an organisation's network. They work
by correlating data from a range of IT security systems - including
firewalls, routers and anti-virus systems - and predicting threat
levels based on this aggregated data.
SEM tools became popular about three years ago, from suppliers
such as ArcSight, netForensics and NetIQ. SEM products usually support
real-time collection and analysis of log data from host systems,
security devices and network devices.
Since their arrival, these security software tools have matured
to bridge compliance and security gaps. There are now a large
number of SEM products available, many of which feature compliance
tools within the interface or versions that are optimised for
compliance.
The biggest suppliers in the SEM market include ArcSight ESM, CA
eTrust, ExaProtect Security Management System, IBM Tivoli Security
Event Manager, Intellitactics Enterprise Security Management,
netForensics NFX Open Security Platform, Network Intelligence, and
NetIQ Security Manager.
SEM software can help to combat security threats that have
arisen as IT systems have grown more complex and possible areas of
attack have increased, according to security experts.
"The problem stems from the complexity of multi-layered,
multi-supplier security architectures, increased security
vulnerabilities from online business and extended corporate
networks, and increasingly complex threats," says Caroline Ikomi,
security engineer at Check Point Software, which develops firewalls
and network protection systems.
In addition, industry and government regulations such as
Sarbanes-Oxley are forcing companies to close gaps in security
administration.
Ikomi says, "Companies face a daunting challenge in discerning
and responding to threat information buried within large volumes of
messages from disparate security and network devices."
Ikomi says that, in responding to these challenges, companies
face difficult decisions about how to allocate their limited IT and
security resources. "SEM tools, if appropriately developed, can
provide tremendous value. However, many systems take a long time to
deploy, are over-complex, hard to use and expensive."
According to Gartner, having a clear set of objectives is
critical to successfully implementing SEM systems. "Organisations
that do not properly plan or limit the initial scope will
experience a higher likelihood of project failures, excessive cost
expenditure, and results that do not meet expectations," says the
analyst firm.
Mark Jones, associate partner and head of business risk and
security at Atos Consulting, says that users generally make the
business case for an SEM system in two ways.
The first is through measuring the number of successful attacks
on an IT infrastructure. The second commonly used measure is the
operational cost incurred when managing an event.
Atos Origin, which includes Atos Consulting, is responsible for
the IT security for all of the Olympics events, including London
2012, and SEM is an important element of this process.
Jones says that the main implementation issue that is
encountered with SEM is managing collaboration between the partners
involved in an SEM project. "There is no contractual control over
partners that are involved in managing the project, so it is
important to work collaboratively with all partners to facilitate
their buy-in."
A second problem area, says Jones, is that of business
alignment. "The value and criticality of assets has to be assessed
to make sure that security measures are aligned to the assets."
Such an assessment could identify huge levels of security for only
a minor threat.
Verifying the security of personnel involved in any SEM system
is also an issue, says Jones. "In the context of the current
geo-political climate, it is essential to ensure that background
checks are made on all personnel to ensure that you know that the
people you are dealing with are who they say they are."
Steven Furnell, professor of information systems security at
Plymouth University, says SEM tools can help to manage information
from diverse security products more easily.
"With alerts coming directly from a variety of individual
products, the potential consequence for security administrators is
a combination of information overload and mistrust: the first as a
result of the volume of alerts from different sources, and the
second from the fact that many of these can turn out to be false
alarms.
"Aggregating and correlating events can deliver a fuller picture
of what is going on, while at the same time reducing the volume of
information presented to administrators.
"Moreover, correlation can help to make sense of disparate
events that may otherwise be overlooked in isolation. The overall
consequence should be more informed and timely decisions, and an
improved ability to prioritise responses," says Furnell.
However, Furnell warns that, as with any security measure, SEM
cannot be regarded as a panacea. "It still requires correct
deployment and configuration, as well as appropriate monitoring and
response for the alerts that result," he says.
Alastair Broom, security line of business director at Dimension
Data UK, which has deployed SEM systems for its users, says users
need the right skills to monitor and manage the data that is
generated.
"SEM tools provide visibility into security events on the
network. They provide correlation and consolidation of security
events, presenting a single view of the current security posture of
the network, and can be a valuable tool in the identification of
potential threats," he says.
"An SEM implementation, however, will only be successful if
organisations have the skills and resources available to monitor
and manage the environment, and respond appropriately to
threats.
"Security monitoring is a 24x7 activity, requiring skilled
analysts and a response team with the ability to rapidly translate
a security event into a remediation plan.
"The reality is, however, that organisations that purchase and
implement SEM tools are often unaware of the resource investment
required. So while problems on the network can be made visible with
SEM, without the ability to act, organisations cannot take
advantage of this new awareness."
Broom says businesses would do well to couple an SEM
implementation with a third-party managed service from a supplier
that has the skills and scale needed to manage large, complex IT
environments. "This route will ensure security events are
effectively detected and responded to, thereby lowering the
organisation's overall risk," he says.
A strong trend in SEM tools is fulfilling compliance
requirements, whether that means Sarbanes-Oxley, PCI or ITIL.
Security expert Yahya Mehdizadeh, director of international
development at satellite communications firm Stratos, says, "The
new compliance-driven corporate culture is demanding access to
security logs as digital forensics evidence and audit data. SEM
companies wanting to take advantage of this market are tailoring
their products to meet this demand."
Experts note that there is a trend towards bundling security
products with SEM tools: for example, Websense with ArcSight, and
Check Point's firewall with Eventia.
In 2006, Novell acquired SEM supplier e-Security, and since then
has been integrating its real-time SEM and response and reporting
technologies into SuSE Linux Enterprise Server and Novell's
identity management tools.
The move signals SEM's coming of age.
Case study: Adecco
Recruitment firm Adecco uses an SEM tool from ExaProtect to
secure an IT system that serves 30,000 employees in 6,000 offices
covering 70 countries.
Before it centralised its security, Adecco used layers of
security systems, including a centralised firewall, an IPSec
virtual private network infrastructure, and McAfee Intrushield
Security Manager appliances.
But the firm found that the infrastructure generated large
volumes of log traffic, which required full-time monitoring by the
IT team. IT administrators were weighed down by huge volumes of
data, especially false threat alerts, making it hard to provide
reliable detection and accurate analysis.
Global security director Jerome Sillan said Adecco's security
infrastructure gave it a false sense of security. "The more
security layers we installed, the more human resources were needed
for their administration. We did not have an IT security team big
enough to interpret effectively the thousands of events generated
every day," he said.
In addition, Adecco wanted to meet the requirements of
compliance legislation, particularly Sarbanes-Oxley.
ExaProtect implemented Adecco's SEM system in two phases. First,
it correlated security events occurring in Adecco's datacentres in
Lyon in France and Madrid in Spain. Second, it integrated this
security data into a single "master view" console.
As a result, the company freed up key members of its IT security
team, secured the enterprise more effectively, and met its legal
requirements.
"ExaProtect has proven to be invaluable for assuring
Sarbanes-Oxley compliance. It speeds the detection, management and
containment of security alerts, and provides all necessary
information on the effectiveness of internal controls," says
Sillan.
How security event management tools work
A typical security event management (SEM) architecture consists
of three modules: event collection, the core engine and a user
interface.
The event collection module interfaces with the monitored
elements that are already installed in an enterprise. These could
include point products such as network or host-based
intrusion-detection systems, firewalls, anti-virus software
packages, virtual private networks, routers, web servers, databases
or host operating systems.
Event data is collected by software agents that either actively
interact with or passively monitor point products.
Core engine modules process information from the raw data,
generate alerts, and format these alerts for analysis and
correlation. These modules also provide the capability to integrate
with third-party applications to extend the functionality of the
SEM engine.
The user accesses data intelligence reports regarding the
correlations via an interface.
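The sketch below is an added illustration of the collection and core-engine modules described above, and of the point made earlier in the article that correlation cuts alert volume and down-weights uncorroborated alarms; it is not code from any product named on this page. The log formats, addresses and rules are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events from three point products: (source, raw line).
RAW_EVENTS = [
    ("firewall", "DENY src=10.0.0.5 dst=192.0.2.10 dport=22"),
    ("firewall", "DENY src=10.0.0.5 dst=192.0.2.10 dport=23"),
    ("firewall", "DENY src=10.0.0.5 dst=192.0.2.10 dport=80"),
    ("ids", 'ALERT msg="portscan" src=10.0.0.5 dst=192.0.2.10'),
    ("host", "sshd: Failed password for root from 10.0.0.5"),
    ("host", "sshd: Failed password for root from 10.0.0.5"),
    ("host", "sshd: Accepted password for root from 10.0.0.5"),
    ("ids", 'ALERT msg="suspicious" src=10.0.0.9 dst=192.0.2.10'),
]

# Collection module: a parser per point product, each yielding (category, src).
PARSERS = {
    "firewall": (re.compile(r"^DENY src=(\S+)"), "fw_deny"),
    "ids": (re.compile(r'^ALERT msg="[^"]*" src=(\S+)'), "ids_alert"),
    "host": (re.compile(r"^sshd: (Failed|Accepted) password .* from (\S+)"), None),
}

def normalise(source, line):
    pattern, category = PARSERS[source]
    m = pattern.match(line)
    if not m:
        return None                      # unparsed lines are dropped, not guessed
    if category is None:                 # host auth: category depends on outcome
        return ("auth_fail" if m.group(1) == "Failed" else "auth_ok", m.group(2))
    return (category, m.group(1))

def correlate(raw_events):
    """Core engine: group normalised events per source address, apply rules."""
    per_src = defaultdict(list)
    for source, line in raw_events:
        ev = normalise(source, line)
        if ev:
            per_src[ev[1]].append(ev[0])
    alerts = []
    for src, cats in per_src.items():
        # Rule 1: firewall denies corroborated by an IDS alert -> high confidence
        if cats.count("fw_deny") >= 3 and "ids_alert" in cats:
            alerts.append(("high", src, "scan seen by firewall and IDS"))
        # Rule 2: repeated failures then a success from the same host -> critical
        if "auth_fail" in cats and "auth_ok" in cats[cats.index("auth_fail"):]:
            alerts.append(("critical", src, "login success after failures"))
        # Rule 3: an IDS alert no other source saw is kept, but at low priority
        if cats == ["ids_alert"]:
            alerts.append(("low", src, "uncorroborated IDS alert"))
    return alerts
```

Run on the eight constructed events, `correlate(RAW_EVENTS)` returns three prioritised alerts, which is the volume reduction and ranking an analyst console would present.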