IT teams are running the equivalent of a multilingual United Nations taskforce of firewalls, anti-virus, IDS/IPS, VPNs, access control and authentication systems – with the communications problems that you'd expect in managing such diverse resources.
Each point solution may make a big contribution to the company's security arsenal, but each also speaks its own language, with its own reporting structure, event logs and rules – sometimes even a stand-alone management console.
It is the constant 'chatter' of the multiple reports and consoles from each security solution that blurs the IT team's vision of what's happening on the corporate network. And without effective communications between the frontline and the IT team's command post, a true security threat could get lost in the background noise – and the fight to secure the network could be over before a defensive shot is fired.
Alert avalanche
The sheer amount of data generated by the security devices on a medium to large multi-site network is hard to grasp. Analysts such as the Gartner Group estimate that the security systems of multi-site networks with 1000+ users, including IDS, content filtering, firewalls, AV and so on, can average one security 'event' per second for every five users – a volume of data that would overwhelm any IT department. Firewalls are notorious for generating more log traffic than their built-in databases can handle. IDS systems are well-known for generating large volumes of false positives or trivial alerts – all of which distract IT team members from more essential tasks.
So how do companies turn the reporting from their various security solutions into a well-organized, coherent battlefield communications unit? This is where security information management (SIM) solutions come in. SIM is a specialist development of the drive to unify network management that the industry saw in the late 90s, but focused entirely on security and security-related devices.
Security made SIMpler
The SIM concept aims to integrate the muddle of management consoles and reporting formats in corporate networks, to simplify management, provide greater visibility and improve response times. A key element of this is filtering and drastically reducing the level of data and log traffic generated by multiple solutions – giving IT staff a less cluttered, more coherent view of what's happening on and around their networks.
The SIM solution means all data and event logs are aggregated into one central reporting engine. The engine correlates the relationships between the logs and alarms produced by a company's various security devices (routers, firewalls, IDS, anti-virus, vulnerability assessment tools, authentication systems, generic and bespoke applications). Some advanced solutions can also include data and reports from the company's core business systems, such as ERP, transaction management and so on.
In this way, the SIM solution will typically filter the number of alerts from security devices down by a factor of 1000 or more. What's more, it can overlay multiple reporting logs and data streams to give IT staff a single console view of the most important security events – in much the same way that a fighter pilot can 'blackout' non-essential instruments in his cockpit to reduce distractions.
The SIM solution's 'aerial view' can identify irregular activities or attempted attacks that would otherwise be invisible without an overall view of the corporate security status. SIM can also put alerts into context, by linking to internal and external resources which document known vulnerabilities and exploits – and with an embedded incident handling and resolution system, assist IT staff in developing and delivering the best response.
SIM consoles can also allow playback of events to see which devices an alert or attack is targeting – even narrowing the information down to the port in the entire network from which an event originates – ensuring that IT staff can deliver a measured and appropriate response to an event, rather than a blind panic reaction.
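The aggregation, correlation and per-target view described above, as an added example that is not part of the original article: a toy SIM pipeline that normalises log lines from three hypothetical devices into one schema, collapses repeats within a time window, and applies a single correlation rule to raise one incident instead of many raw alerts. The device formats, log lines and addresses are constructed for the example, not taken from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three hypothetical devices (not real product formats).
# Layout of each line: <device> <ISO timestamp> <device-specific message>
RAW_LOGS = """\
fw 2024-01-05T10:00:01 action=allow src=10.0.0.7 dst=10.0.1.20 dport=22
fw 2024-01-05T10:00:02 action=allow src=10.0.0.7 dst=10.0.1.20 dport=22
fw 2024-01-05T10:00:03 action=allow src=10.0.0.7 dst=10.0.1.20 dport=22
fw 2024-01-05T10:00:04 action=deny src=10.0.0.9 dst=10.0.1.20 dport=445
ids 2024-01-05T10:00:05 [sig=CONSTRUCTED-001] SSH brute force attempt 10.0.0.7 -> 10.0.1.20:22
auth 2024-01-05T10:00:06 host=10.0.1.20 Failed password for root from 10.0.0.7 port 51001
auth 2024-01-05T10:00:07 host=10.0.1.20 Failed password for root from 10.0.0.7 port 51002
auth 2024-01-05T10:00:08 host=10.0.1.20 Failed password for root from 10.0.0.7 port 51003
auth 2024-01-05T10:00:09 host=10.0.1.21 Failed password for bob from 10.0.0.5 port 40001
"""

# One regex per device translates its private format into the shared field names.
PARSERS = {
    "fw": re.compile(r"action=(?P<category>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)"),
    "ids": re.compile(r"\[\S+\] (?P<category>.+?) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+)"),
    "auth": re.compile(r"host=(?P<dst>\S+) (?P<category>Failed password) for \S+ from (?P<src>\S+)"),
}

def normalise(line):
    """Map one raw line from any device into the common event schema."""
    device, ts, message = line.split(" ", 2)
    fields = PARSERS[device].search(message).groupdict()
    return {"ts": datetime.fromisoformat(ts), "device": device, "category": fields["category"],
            "src": fields["src"], "dst": fields["dst"], "port": int(fields.get("port") or 0)}

def aggregate(events, window=timedelta(seconds=60)):
    """Collapse identical events from one device inside a window into a single counted record."""
    buckets = {}
    for e in events:
        bucket = int(e["ts"].timestamp() // window.total_seconds())
        key = (e["device"], e["category"], e["src"], e["dst"], e["port"], bucket)
        buckets.setdefault(key, dict(e, count=0))["count"] += 1
    return list(buckets.values())

def correlate(aggregated):
    """Rule: IDS alert + firewall-allowed flow + failed logins on the same src->dst pair = one incident."""
    facts = defaultdict(set)
    for e in aggregated:
        facts[(e["src"], e["dst"])].add((e["device"], e["category"], e["port"]))
    incidents = []
    for (src, dst), seen in facts.items():
        kinds = {(d, c) for d, c, _ in seen}
        if any(d == "ids" for d, _ in kinds) and {("fw", "allow"), ("auth", "Failed password")} <= kinds:
            incidents.append({"src": src, "dst": dst, "port": max(p for _, _, p in seen), "evidence": sorted(seen)})
    return incidents

def run(raw=RAW_LOGS):
    """Return (raw event count, aggregated record count, incidents) for the supplied log text."""
    events = [normalise(l) for l in raw.splitlines() if l.strip()]
    agg = aggregate(events)
    return len(events), len(agg), correlate(agg)
```

On the constructed input, nine raw lines collapse to five aggregated records and a single incident naming the targeted host and port, which is the kind of reduction and per-target context the article attributes to a SIM console.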
The upshot is that SIM helps IT staff tune out the background noise and focus on the network and security events that really matter.
Vive le ROI
So far, so good – SIM can deliver major functional and management benefits to IT teams. But what investment is needed in setting up the SIM solution? And can the functional benefits and enhanced security responsiveness from SIM make a real impact on the company's bottom line?
As with any other tool, it's important to have realistic expectations when setting up a SIM solution. Installing the SIM appliance itself is simple enough, and some advanced SIM solutions offer a high degree of automation and self-learning ability, but the IT team should still be prepared to invest time in setting up the desired monitoring functions to suit their specific needs. This way, the SIM appliance can turn the mess of security data into pearls of information and avoid 'garbage in, garbage out' syndrome.
The rewards make it worth the effort in setting up the SIM, however. Experience and early analyst findings show that following deployment of a SIM solution, an IT team of a given size is able to manage double the number of machines and devices within a matter of months – giving a very direct ROI in terms of IT team capacity and efficiency gains. What's more, this additional capacity is gained at an incremental spend of around 10-15 per cent of the IT security budget – a modest investment for such a big return.
It's also worth noting the role that SIM can play in corporate compliance – a spectre which is looming large over many CIOs and CSOs with measures such as Sarbanes-Oxley, HIPAA and BS7799-2. A SIM solution lets companies integrate security data across their existing solutions, automates the evaluation of that data, and provides a central storage, reporting and audit engine across the company's entire network infrastructure. This enables easy tracking of processes, and measurement of progress against business objectives.
Perhaps the most compelling reason for considering SIM is this. If your IT resource is going to be contacted out-of-hours over a security alert or breach, it had better be worth the interruption. With the right SIM solution deployed correctly, they will only be interrupted for a very good reason indeed.
The author is CEO of ExaProtect Technology