Big data is coming to information security. And it's forcing security managers to take a critical look at their existing technology investments, mainly data collection points such as security information
Michael S. Mimoso, Editorial Director
Enterprises must understand what's happening on their networks in as close to real time as possible. Yet experts agree that real-time analysis can be a little ambitious at this juncture, for SIM especially. Security teams should temper their expectations of what "real time" means, what SIM and other analytics technologies are capable of, and the resources needed to monitor and react to security incidents in real time.
"It is ambitious, especially for SIM, since the event has to happen, get logged, be sent to the SIM or log aggregator and run through the rules engine," said Diana Kelley, founder of Security Curve, a consultancy in New Hampshire. "All of this takes time and it is not real time. You are not watching live traffic like an IPS or next-generation firewall would. That's closer to real time than an event going through a log management system that parses the data and sends it to a SIM where correlation rules are run."
Actionable information has always been the pot of gold at the end of the SIM rainbow, but finding the treasure often gives way to painful rule writing and integration exercises. Writing SIM rules is a real hardship because, like any signature-based defense, security teams have to know what they're looking for in order to establish proper alerting thresholds.
"If your thresholds are too high, you are not alerted quickly enough," Kelley said. "If they're too low, your SIM is slamming you with alerts. Understanding those thresholds is what makes rule writing so complicated.
"Log management or SIM can be great for forensics-facing work and finding needles in haystacks," Kelley added. "If you do not know where to begin, it gets problematic."
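The two points Kelley makes above, the latency of the log-to-rules-engine pipeline and the threshold trade-off, can be made concrete with a small correlation rule. This is an added illustration written for this page, not code from any SIM product; the events are constructed, and the "ingest lag" is simply the gap between when an event happened on its source and when the SIM finished loading it.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events (not from the article). Each row carries the time
# the event occurred on the source and the time the SIM finished ingesting it.
EVENTS = [
    # (source, event_time, ingest_time, user, outcome)
    ("vpn", "2012-03-01T10:00:00", "2012-03-01T10:00:20", "alice", "fail"),
    ("vpn", "2012-03-01T10:00:05", "2012-03-01T10:00:25", "alice", "fail"),
    ("vpn", "2012-03-01T10:00:09", "2012-03-01T10:00:30", "alice", "fail"),
    ("vpn", "2012-03-01T10:00:12", "2012-03-01T10:00:33", "alice", "fail"),
    ("vpn", "2012-03-01T10:00:40", "2012-03-01T10:01:00", "alice", "success"),
    ("web", "2012-03-01T10:00:10", "2012-03-01T10:04:50", "bob", "fail"),
    ("web", "2012-03-01T10:00:11", "2012-03-01T10:04:51", "bob", "fail"),
    ("web", "2012-03-01T10:00:50", "2012-03-01T10:05:10", "carol", "fail"),
]

def ts(s):
    return datetime.fromisoformat(s)

def freshness_seconds(events):
    """Worst ingest lag per source, and the overall worst. The slowest source
    bounds how 'real' the SIM's real time actually is."""
    worst = {}
    for src, ev, ing, *_ in events:
        lag = (ts(ing) - ts(ev)).total_seconds()
        worst[src] = max(worst.get(src, 0.0), lag)
    return worst, max(worst.values())

def failed_login_alerts(events, threshold, window=timedelta(seconds=60)):
    """Sliding-window rule: alert when one user has >= threshold failed
    logins inside `window`. Returns a sorted list of (user, peak_count)."""
    by_user = defaultdict(list)
    for _, ev, _, user, outcome in events:
        if outcome == "fail":
            by_user[user].append(ts(ev))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, best))
    return sorted(alerts)

if __name__ == "__main__":
    print("freshness:", freshness_seconds(EVENTS))
    for t in (5, 3, 1):  # too high misses alice; too low buries her in noise
        print(f"threshold={t}:", failed_login_alerts(EVENTS, t))
```

Raising the threshold to 5 produces no alert for the brute-force burst against alice; lowering it to 1 alerts on every single failed login, which is the flood Kelley describes.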
The result has often been frustration with the product; companies sometimes end up shutting off the analytics and are left with a compliance and reporting tool that in some cases may have cost more than six figures to purchase, install and maintain. However, using SIM to its fullest may not be a luxury much longer. Not only do regulations require log analysis and reporting tools, but the crush of targeted, persistent attacks against high-value government, manufacturing and financial targets could inject renewed interest in maximizing SIM investments.
Extended security information management system capabilities for real-time security
Robert Capps, senior manager of trust and safety at online ticket broker StubHub, augmented his company's SIM and monitoring technologies with fraud detection technology from Silver Tail Systems that looks for anomalies in how users interact with the site versus a baseline of normal traffic. He cited frustration with the inability of SIM and other network security devices to pick up abuses of legitimate StubHub services perpetrated by attackers. Intrusion prevention systems (IPS), for instance, saw only legitimate network traffic, while SIM recorded successful logins with legitimate accounts created by attackers for the purposes of fraud.
Capps said he believed IPS, SIM and other analytical tools weren't effective at analyzing these security events, but did not have the data to support it. By taking a real-time analytics approach, he said he was able to identify problems and change his company's security response without changing the customer experience.
"IPS is great if someone is trying to attack your firewall; it is not real good at identifying bad actors who're getting in with good traffic, especially if they're using your Web application like everyone else," Capps said. "I'd rather have a device that says, 'This looks odd and doesn't fit with my transaction flows.' That was the direction I wanted to spot zero-day attacks."
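What "doesn't fit with my transaction flows" can mean in practice is shown by the following added example, which is not Silver Tail's or StubHub's code. It learns the page-to-page transitions seen in a constructed sample of normal sessions and flags a session whose flow uses transitions that normal traffic never (or almost never) produces, even though every individual request and login in it is legitimate.

```python
from collections import Counter

# Constructed baseline of legitimate sessions (page sequences), not real data.
# Repeated to stand in for a larger sample of normal traffic.
BASELINE_SESSIONS = [
    ["home", "search", "event", "checkout", "confirm"],
    ["home", "search", "event", "event", "checkout", "confirm"],
    ["home", "login", "search", "event", "checkout", "confirm"],
    ["home", "search", "search", "event"],
    ["login", "account", "search", "event", "checkout", "confirm"],
] * 20

def build_baseline(sessions):
    """Relative frequency of every page-to-page transition in normal traffic."""
    counts = Counter()
    for pages in sessions:
        counts.update(zip(pages, pages[1:]))
    total = sum(counts.values())
    return {t: c / total for t, c in counts.items()}

def odd_transitions(pages, baseline, min_freq=0.01):
    """Transitions in this session that are unseen or rarer than min_freq
    in the baseline. The requests themselves look like good traffic; only
    the sequence is abnormal."""
    return [t for t in zip(pages, pages[1:]) if baseline.get(t, 0.0) < min_freq]

def is_anomalous(pages, baseline, max_odd=0):
    return len(odd_transitions(pages, baseline)) > max_odd

if __name__ == "__main__":
    base = build_baseline(BASELINE_SESSIONS)
    shopper = ["home", "search", "event", "checkout", "confirm"]
    scripted = ["login", "checkout", "confirm", "checkout", "confirm"]
    for s in (shopper, scripted):
        print(s, "->", odd_transitions(s, base), is_anomalous(s, base))
```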
Leading SIM vendors such as ArcSight, an HP company, Sensage and Q1 Labs (IBM) are talking about extending the capabilities of their products toward business analytics and data warehousing in order to accommodate big data analysis, essentially bringing real time into the equation. Security analysts are burdened with a virtual landslide of information from not only network security devices, but operating systems, applications and even user behaviors. Sensage President and CEO Joe Gottlieb says his company's tools already give organizations the option of pulling security data from particular sources into a data warehouse where correlation rules are run against smaller subsets of data flows.
"The data is no more than five minutes old," Gottlieb said. "Real time is really a mixture of sources and freshness (of data). The least common denominator is the oldest data you have in a state machine. That indicates how real real-time is... In general, the industry has had to manage expectations on real time. Deep-packet inspection technologies set the tone for prevention, and they expect the same level of situational awareness from SIM, but don't tend to get it."
Data overload threatens SIM's real-time security ability
Clearly, as monitoring and reporting technologies move toward real time and more data sources are involved, the complexity involved in querying and processing events and maintaining thresholds grows too.
"If it's too ambitious, it comes back to what you're trying to accomplish. There is no reason why any organization wouldn't want to do real-time analysis, but you have to balance that with what your environment looks like and what real time means to you and how you can manage risk," said Michael Callahan, vice president of global product and solution marketing for HP ESP.
ArcSight is also heading toward real time via improved analytics and correlation for its SIM. Callahan said customers want enhanced performance and scalability (faster analytics and correlation from more sources), as well as more context from security events and what is happening in IT operations.
"The next piece is to broaden it to the whole organization; this gives you the chance to analyze what your business' overall risk is," Callahan said.
Experts caution that enterprises should narrow their real-time scope, and understand their environments and what attacks mean to different parts of their IT infrastructure.
"Every security team is drowning in data; another problem with real time is that it puts more data into a data overload situation," said Mike Lloyd, chief technology officer at Red Seal Networks. "Enterprises are already drowning in way too much data, and building more sensors with more data isn't really an ideal path forward. Making the human scale along with the data so that we are able to take action is hard, and is another real-time problem."
Red Seal's products promise continuous visibility into an IT infrastructure by mapping interactions between security devices and highlighting access points that may be vulnerable. Lloyd said companies should avoid the temptation of over-investing in any one area of security, including analytics, at the expense of prevention or forensics.
"That's a gigantic mistake in the enterprise," Lloyd said. "You can't know everything at a high scale."
Security Curve's Kelley said SIM should provide better rule sets and intelligence on attacks to its customers.
"SIM is especially strong in forensics and piecing events back together," Kelley said. "And it's good at alerting in near real time on simpler, less complex issues."