Using SEM to get a clearer picture of security threats

Security event management (SEM) tools are designed to monitor security events across an organisation's network. They work by correlating data from a range of IT security systems - including firewalls, routers and anti-virus systems - and predicting threat levels based on this aggregated data.


SEM tools became popular about three years ago, from suppliers such as ArcSight, netForensics and NetIQ. SEM products usually support real-time collection and analysis of log data from host systems, security devices and network devices.

Since their arrival, these security software tools have matured to bridge compliance and security gaps. There are now a large number of SEM products available, many of which feature compliance tools within the interface or versions that are optimised for compliance.

The biggest suppliers in the SEM market include ArcSight ESM, CA eTrust, ExaProtect Security Management System, IBM Tivoli Security Event Manager, Intellitactics Enterprise Security Management, netForensics NFX Open Security Platform, Network Intelligence, and NetIQ Security Manager.

SEM software can help to combat security threats that have arisen as IT systems have grown more complex and possible areas of attack have increased, according to security experts.

"The problem stems from the complexity of multi-layered, multi-supplier security architectures, increased security vulnerabilities from online business and extended corporate networks, and increasingly complex threats," says Caroline Ikomi, security engineer at Check Point Software, which develops firewalls and network protection systems.

In addition, industry and government regulations such as Sarbanes-Oxley are forcing companies to close gaps in security administration.

Ikomi says, "Companies face a daunting challenge in discerning and responding to threat information buried within large volumes of messages from disparate security and network devices."

Ikomi says that, in responding to these challenges, companies face difficult decisions about how to allocate their limited IT and security resources. "SEM tools, if appropriately developed, can provide tremendous value. However, many systems take a long time to deploy, are over-complex, hard to use and expensive."

According to Gartner, having a clear set of objectives is critical to successfully implementing SEM systems. "Organisations that do not properly plan or limit the initial scope will experience a higher likelihood of project failures, excessive cost expenditure, and results that do not meet expectations," says the analyst firm.

Mark Jones, associate partner and head of business risk and security at Atos Consulting, says that users generally make the business case for an SEM system in two ways.

The first is through measuring the number of successful attacks on an IT infrastructure. The second commonly used measure is the operational cost incurred when managing an event.

Atos Origin, which includes Atos Consulting, is responsible for the IT security for all of the Olympics events, including London 2012, and SEM is an important element of this process.

Jones says that the main implementation issue that is encountered with SEM is managing collaboration between the partners involved in an SEM project. "There is no contractual control over partners that are involved in managing the project, so it is important to work collaboratively with all partners to facilitate their buy-in."

A second problem area, says Jones, is that of business alignment. "The value and criticality of assets has to be assessed to make sure that security measures are aligned to the assets." Such an assessment could reveal heavy security measures protecting against only a minor threat.

Verifying the security of personnel involved in any SEM system is also an issue, says Jones. "In the context of the current geo-political climate, it is essential to ensure that background checks are made on all personnel to ensure that you know that the people you are dealing with are who they say they are."

Steven Furnell, professor of information systems security at Plymouth University, says SEM tools can help to manage information from diverse security products more easily.

"With alerts coming directly from a variety of individual products, the potential consequence for security administrators is a combination of information overload and mistrust: the first as a result of the volume of alerts from different sources, and the second from the fact that many of these can turn out to be false alarms.

"Aggregating and correlating events can deliver a fuller picture of what is going on, while at the same time reducing the volume of information presented to administrators.

"Moreover, correlation can help to make sense of disparate events that may otherwise be overlooked in isolation. The overall consequence should be more informed and timely decisions, and an improved ability to prioritise responses," says Furnell.

However, Furnell warns that, as with any security measure, SEM cannot be regarded as a panacea. "It still requires correct deployment and configuration, as well as appropriate monitoring and response for the alerts that result," he says.

Alastair Broom, security line of business director at Dimension Data UK, which has deployed SEM systems for its users, says users need the right skills to monitor and manage the data that is generated.

"SEM tools provide visibility into security events on the network. They provide correlation and consolidation of security events, presenting a single view of the current security posture of the network, and can be a valuable tool in the identification of potential threats," he says.

"An SEM implementation, however, will only be successful if organisations have the skills and resources available to monitor and manage the environment, and respond appropriately to threats.

"Security monitoring is a 24x7 activity, requiring skilled analysts and a response team with the ability to rapidly translate a security event into a remediation plan.

"The reality is, however, that organisations that purchase and implement SEM tools are often unaware of the resource investment required. So while problems on the network can be made visible with SEM, without the ability to act, organisations cannot take advantage of this new awareness."

Broom says businesses would do well to couple an SEM implementation with a third-party managed service from a supplier that has the skills and scale needed to manage large, complex IT environments. "This route will ensure security events are effectively detected and responded to, thereby lowering the organisation's overall risk," he says.

A strong trend in SEM tools is fulfilling compliance requirements, whether that means Sarbanes-Oxley, PCI or ITIL.

Security expert Yahya Mehdizadeh, director of international development at satellite communications firm Stratos, says, "The new compliance-driven corporate culture is demanding access to security logs as digital forensics evidence and audit data. SEM companies wanting to take advantage of this market are tailoring their products to meet this demand."

Experts note that there is a trend towards bundling security products with SEM tools: for example, Websense with ArcSight, and Check Point's firewall with Eventia.

In 2006, Novell acquired SEM supplier e-Security, and since then has been integrating its real-time SEM and response and reporting technologies into SuSE Linux Enterprise Server and Novell's identity management tools.

The move signals SEM's coming of age.

Case study: Adecco

Recruitment firm Adecco uses an SEM tool from ExaProtect to secure an IT system that serves 30,000 employees in 6,000 offices covering 70 countries.

Before it centralised its security, Adecco used layers of security systems, including a centralised firewall, an IPSec virtual private network infrastructure, and McAfee Intrushield Security Manager appliances.

But the firm found that the infrastructure generated large volumes of log traffic, which required full-time monitoring by the IT team. IT administrators were weighed down by huge volumes of data, especially false threat alerts, making it hard to provide reliable detection and accurate analysis.

Global security director Jerome Sillan said Adecco's security infrastructure gave it a false sense of security. "The more security layers we installed, the more human resources were needed for their administration. We did not have an IT security team big enough to interpret effectively the thousands of events generated every day," he said.

In addition, Adecco wanted to meet the requirements of compliance legislation, particularly Sarbanes-Oxley.

ExaProtect implemented Adecco's SEM system in two phases. First, it correlated security events occurring in Adecco's datacentres in Lyon in France and Madrid in Spain. Second, it integrated this security data into a single "master view" console.

As a result, the company freed up key members of its IT security team, secured the enterprise more effectively, and met its legal requirements.

"ExaProtect has proven to be invaluable for assuring Sarbanes-Oxley compliance. It speeds the detection, management and containment of security alerts, and provides all necessary information on the effectiveness of internal controls," says Sillan.


How security event management tools work

A typical security event management (SEM) architecture consists of three modules: event collection, the core engine and a user interface.

The event collection module interfaces with the monitored elements that are already installed in an enterprise. These could include point products such as network or host-based intrusion-detection systems, firewalls, anti-virus software packages, virtual private networks, routers, web servers, databases or host operating systems.

Event data is collected by software agents that either actively interact with or passively monitor point products.

Core engine modules process information from the raw data, generate alerts, and format these alerts for analysis and correlation. These modules also provide the capability to integrate with third-party applications to extend the functionality of the SEM engine.

The user accesses data intelligence reports regarding the correlations via an interface.
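The three-module architecture above, and Furnell's point earlier in the article that aggregating and correlating events shrinks the volume shown to administrators while surfacing activity that is invisible in any one product, can both be seen in a small working pipeline. The following Python is an added illustration written for this article; it is not code from ExaProtect, ArcSight or any other product named here. The log lines, host names, IP addresses and the correlation rule (several suspicious events from one source address, reported by at least two different point products, inside a 60-second window) are all constructed assumptions.

```python
"""Toy SEM pipeline: collect -> normalise -> correlate -> alert.

Added illustration only; not any vendor's code. Every log line and
address below is constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed raw logs from three point products, each in its own format.
FIREWALL_LOG = """\
2024-05-01T10:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2024-05-01T10:00:03 fw01 ALLOW src=198.51.100.4 dst=10.0.0.8 dport=443
2024-05-01T10:00:04 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
"""
IDS_LOG = """\
2024-05-01T10:00:05 ids01 ALERT sig="PORT SCAN" src=203.0.113.7 dst=10.0.0.5
2024-05-01T10:00:40 ids01 ALERT sig="ICMP ECHO" src=198.51.100.4 dst=10.0.0.8
"""
HOST_AUTH_LOG = """\
2024-05-01T10:00:09 srv05 sshd: Failed password for root from 203.0.113.7 port 51044
2024-05-01T10:00:11 srv05 sshd: Failed password for admin from 203.0.113.7 port 51046
2024-05-01T10:01:30 srv08 sshd: Accepted password for alice from 192.0.2.10 port 40000
"""
SOURCES = {"firewall": FIREWALL_LOG, "ids": IDS_LOG, "host": HOST_AUTH_LOG}

# Event collection module: one parser per point product (constructed formats).
EVENT_PATTERNS = {
    "firewall": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) "
                           r"src=(?P<src>\S+) dst=(?P<dst>\S+)"),
    "ids": re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ALERT sig="(?P<sig>[^"]+)" '
                      r"src=(?P<src>\S+) dst=(?P<dst>\S+)"),
    "host": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
                       r"password for (?P<user>\S+) from (?P<src>\S+)"),
}


def normalise(product, line):
    """Map one vendor-specific line onto a common event schema, or None."""
    m = EVENT_PATTERNS[product].match(line)
    if not m:
        return None  # a real SEM would count unparsed lines rather than drop them silently
    f = m.groupdict()
    if product == "firewall":
        kind = "fw_deny" if f["action"] == "DENY" else "fw_allow"
    elif product == "ids":
        kind = "ids_alert"
    else:
        kind = "auth_fail" if f["result"] == "Failed" else "auth_ok"
    return {"ts": datetime.fromisoformat(f["ts"]), "product": product,
            "reporter": f["host"], "kind": kind, "src": f["src"],
            "dst": f.get("dst", f["host"])}


def collect(sources):
    """Collection module: parse every source and return events in time order."""
    events = []
    for product, text in sources.items():
        for line in text.splitlines():
            ev = normalise(product, line) if line.strip() else None
            if ev:
                events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


# Core engine: only these normalised kinds count towards an alert.
SUSPICIOUS = {"fw_deny", "ids_alert", "auth_fail"}


def _alert_for(src, bucket, min_products):
    products = sorted({e["product"] for e in bucket})
    if len(products) < min_products:
        return None  # one product complaining on its own is left as a raw event
    return {"src": src, "window_start": bucket[0]["ts"].isoformat(),
            "products": products, "event_count": len(bucket),
            "kinds": dict(Counter(e["kind"] for e in bucket)),
            "severity": "high" if len(products) >= 3 else "medium"}


def correlate(events, window=timedelta(seconds=60), min_products=2):
    """Core engine: group suspicious events per source address into time windows
    and raise one alert per window that is corroborated by several products."""
    by_src = defaultdict(list)
    for ev in events:  # events arrive sorted, so each per-source list stays sorted
        if ev["kind"] in SUSPICIOUS:
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        bucket = []
        for ev in evs:
            if bucket and ev["ts"] - bucket[0]["ts"] > window:
                alert = _alert_for(src, bucket, min_products)
                if alert:
                    alerts.append(alert)
                bucket = []
            bucket.append(ev)
        alert = _alert_for(src, bucket, min_products)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    # The user-interface module would render this; here we just print the
    # reduction from raw events to correlated alerts.
    evs = collect(SOURCES)
    found = correlate(evs)
    print(f"{len(evs)} raw events -> {len(found)} alert(s)")
    for a in found:
        print(a)
```

Run on the constructed logs, nine raw events collapse into a single alert: the address that was denied by the firewall, flagged by the IDS and then failed SSH logins on the host is reported once, with all three products listed, while the lone IDS signature for the other address never reaches the analyst as an alert. The window length, the minimum number of corroborating products and the set of event kinds that count are exactly the configuration decisions that the article's sources say must be made deliberately rather than left at defaults.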
