Time after time, analyst surveys declare security is the number one priority for IT directors. Research houses Forrester and Gartner, for example, both placed security at the top of the CIO agenda for 2004 and the trend looks set to continue into 2005. According to CIO magazine's 'The State of the CIO 2004' survey in October, the top three IT priorities for 2005 will be the same as this year's: data security and integrity, integration and customer service/CRM.
The strong emphasis on security is unsurprising, given the high number of security breaches taking place around the world and the increased focus within organisations on risk management, corporate governance and regulatory compliance. Businesses in today's security-conscious society are all too aware of the damage that a security attack can inflict on their corporate systems and confidential data, not to mention the company's market value. Research provider Key Note, for example, estimates security breaches in the UK last year cost businesses more than £44 billion – a figure that is likely to have risen even higher this year.
To combat modern day security threats, enterprises need a rapidly expanding range of products and services at their disposal. A typical organisation has an array of independent security infrastructure devices – such as firewalls, intrusion detection systems, network equipment, applications, anti-virus, sign-on and directory services – at their disposal, as well as physical security devices – such as swipe cards and password-entry systems. No wonder then, that IDC forecasts global businesses will spend $45 billion on IT security by 2006.
But as the number of security devices within an organisation increases, so too does the amount of data generated – such as logs, alerts, events and so on – which must then be painstakingly analysed by security experts. A typical FTSE 500 company is subject to more than 50 million security-related events each day, ranging from a blocked packet to a failed log-on or genuine hacker alert. With the number of events rising every year, analysing each risk is turning into an insurmountable challenge for most organisations.
While some of these alerts flag up genuinely harmful events, it is not unusual for security devices to mistakenly highlight a huge number of non-threatening events (otherwise known as 'false positives'). These put additional strain on security analysts since each event needs to be examined and resolved, diverting valuable time and resources away from 'real' security breaches. Indeed, the typical enterprise will receive thousands of false positives every hour, respond to 500,000 alarms each month and be compelled to investigate 1,000 priority incidents.
Expanding data is not the only problem caused by the current security set-up within companies. Today's security breaches take a multi-source, multi-target approach. It is, therefore, no longer enough to know what 'events' are occurring at individual points on the network; organisations need a centralised and coherent security management system to examine threats from anywhere - either inside or outside the perimeter wall.
Another problem with point security applications is that they each have their own message, log and console format, which needs to be translated into a common standard in order for them to integrate with one another. Without this common nomenclature and structure security analysts are continuously in fire-fighting mode, lacking the correct information to make informed decisions. Yet taking the right action at the right time is integral to security analysts performing their jobs successfully.
Corporate banks make investment decisions based on up-to-date, in-depth research, presented in a timely, coherent manner. In the same way, a judge in a court of law makes his decision based on a clearly defined argument and in full possession of the facts. Security analysts do not have the luxury of pondering every security alarm, and are required to make instant decisions as judge, jury and investment banker all rolled into one.
To perform their role effectively and efficiently, security analysts need a centralised security management architecture that transforms their job from one of watching multiple consoles, examining multiple databases and consulting multiple logs, to one that uses a single database, single display and a co-ordinated and common set of tools to effectively monitor and track security information.
Otherwise known as security information management (SIM), the aim of this model is not to increase the security analyst's workload, but make security management simpler. SIM software maximises the considerable investments made by organisations in security point products, detects and remediates security threats as they happen, and provides a unified view of enterprise security status that is as meaningful to business managers as it is to security professionals.
A SIM system works by collecting relevant security data from the network and feeding the information into a centralised manager, where it is stored in an efficient manner for real-time processing, audit and investigation, and regulatory compliance. SIM software deploys agents on the existing infrastructure, which can use a variety of protocols - SNMP (simple network management protocol) or syslog, and Checkpoint OPSEC for example - to collect security data and forward it to server-based managers, where events are consolidated, filtered and cross-correlated. These managers then feed the relevant information to the console of security professionals.
Presented with a correlated view of threat activity, vulnerability status and asset value, a security analyst is in a position to confidently decide on the correct response to an event and prioritise actions to minimise the overall level of risk to the organisation.
Unlike point security products, SIM software performs real-time correlation of security events across devices from disparate vendors over time. This provides the security team with a precise view of the potential danger that the organisation faces and enables it to focus its resources on the most pressing exploits.
With security unlikely to fall off the CIO's radar any time soon, it makes sense for organisations to devote every effort to extracting full value from their security resources. In today's environment where multi-source and multi-target threats are becoming the norm, point security tools on their own do not provide full protection. Instead it is how organisations use their combined strength that will stop an attack in its tracks.
Providing security information management
- Make sure that you are able to correlate security information from every level of the network – whether it is from employee log-on activity or external security breaches.
- Check that any SIM system you look at automates security information collection, as well as investigation and resolution processes.
- When calculating and reporting on security risk, ensure that other factors – such as asset value, business process role and regulatory compliance implications – are also taken into account to provide analysts with more meaningful insight into each security event.
Iain Chidgey is managing director EMEA at ArcSight