SIM city and the network


Bill Geimer, program manager in the Chief Information Security Office at the Agency for International Development, has a huge security problem.

Michael J. Bechetti



'We have a worldwide network in over 70 different locations, in some of the most underdeveloped countries in the world,' Geimer said. More than 100 firewalls and dozens of intrusion detection systems watch for threats. Needing a centralized system to make sense of its data, USAID began investigating security information management products. 'Our need for a SIM was for the obvious reason of collecting, aggregating and correlating all the data from disparate vendors,' Geimer said.


Eventually, USAID chose the nFX Open Security Platform from netForensics Inc. of Edison, N.J. While it may be oversimplification to attribute all its success to SIM, USAID was the only agency to earn an A+ on the Federal Computer Security Report Card for both 2004 and 2005.


Although USAID was among the early adopters, other federal agencies have moved past tire-kicking to full-scale implementation of SIM in the past year. And it's more than post-9/11 policies driving government toward SIM. Such privacy and security regulations as FISMA, the Gramm-Leach-Bliley Act of 1999, and the Health Insurance Portability and Accountability Act prescribe strict guarantees that information is secure and private. That also means keeping electronic security records safe and accessible for examination and for use as evidence.


'Government agencies have deployed a myriad of security technologies, and now they want to get their arms around that information,' said Ashesh Kamdar, group product manager for Symantec Corp., a security software vendor that sells SIM appliance hardware.


Cost savings is another demand driver, as agencies take a hard look at their growing labor budgets for security and network management. 'These tools help them get out of the grunt work,' Kamdar said, referring in part to the laborious manual analysis of security event logs.


That is the situation Glen Sharlun found himself in in 2003 when he was head of the Marine Corps Network Operations and Security Command. 'We had a data overload problem,' he said. 'We had too many people doing computer work. People don't crawl through logs very well.'


After talking to government peers about why they chose their SIMs (or, in some cases, replaced them), Sharlun chose the Enterprise Security Manager from ArcSight Inc. of Cupertino, Calif. The system helped free up security analysts to make decisions on threats, then respond using ESM's workflow and time-stamping features as well as Remedy help desk software.


'Most of the information coming across a firewall is noise,' said Tracy Hulver, director of product management for netForensics. 'The first thing SIM does is take all those messages and filter them down.'


Defining SIM

Because security information management is still a nascent technology, vendors of many different products claim to do all or part of it. Log management specialists such as LogLogic Inc. and SenSage Inc. play an important security role (in fact, SIM vendors integrate with their products), and some claim SIM-like features. LogLogic, for example, uses algorithms and such artificial-intelligence techniques as machine learning to make sense of unfamiliar log formats.


Another class of software and appliances that might be confused with SIM comes from the intrusion detection world, and provides enterprisewide correlation to the data stream coming from their devices. Andrew Braunberg, senior analyst for information security at Current Analysis, a market research firm, cites software from Check Point Software Technologies Ltd. and Sourcefire Inc. as examples of 'SIM lite.'


What ultimately distinguishes SIM is its ability to paint a more complete, risk-adjusted assessment of an agency's security profile. Its sensitivity to the business values of IT assets can, for example, prevent security teams from wasting hours eradicating worms from a mobile worker's laptop while a denial-of-service attack is exploding on the agency's mail server. SIM tools also help with the regulatory matters by calling special attention to threats to systems that have the greatest role in compliance. Some integrate directly with third-party compliance software.
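Added example, not code from the article or from any vendor it names: a small Python sketch of the pipeline described in the two paragraphs above. It normalizes constructed firewall and IDS lines (two made-up formats) into one schema, drops permitted-traffic noise, correlates the rest by target and category, and ranks each group by the business value of the targeted asset, so a burst of denied connections at the mail server outranks worm alerts on a field laptop. The asset inventory, log formats and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed asset inventory (hypothetical): address -> (name, business value 1..10)
ASSETS = {
    "192.0.2.10": ("mail-server", 10),
    "192.0.2.50": ("field-laptop", 2),
}

# Constructed sample log lines in two made-up vendor formats
FIREWALL_LOGS = [
    "fw1 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=25",
    "fw1 DENY src=203.0.113.9 dst=192.0.2.10 dport=25",
    "fw1 DENY src=203.0.113.9 dst=192.0.2.10 dport=25",
    "fw1 DENY src=203.0.113.9 dst=192.0.2.10 dport=25",
    "fw1 DENY src=203.0.113.9 dst=192.0.2.10 dport=25",
    "fw1 ALLOW src=198.51.100.8 dst=192.0.2.10 dport=25",
]
IDS_LOGS = [
    'ids2 alert "WORM propagation attempt" 10.1.1.5 -> 192.0.2.50',
    'ids2 alert "WORM propagation attempt" 10.1.1.5 -> 192.0.2.50',
]

FW_RE = re.compile(r"^(?P<dev>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r'^(?P<dev>\S+) alert "(?P<sig>[^"]+)" (?P<src>\S+) -> (?P<dst>\S+)$')


def normalize(line):
    """Map a vendor-specific line onto one common event schema; None means noise."""
    m = FW_RE.match(line)
    if m:
        if m["action"] == "ALLOW":
            return None  # permitted traffic is filtered out before correlation
        return {"dev": m["dev"], "src": m["src"], "dst": m["dst"],
                "category": "denied-connection"}
    m = IDS_RE.match(line)
    if m:
        # first word of the signature name serves as the threat category
        return {"dev": m["dev"], "src": m["src"], "dst": m["dst"],
                "category": m["sig"].split()[0].lower()}
    return None  # unrecognized format: dropped here, would be logged in practice


def correlate(lines):
    """Aggregate normalized events from all sources by (target, category)."""
    groups = defaultdict(int)
    for line in lines:
        ev = normalize(line)
        if ev:
            groups[(ev["dst"], ev["category"])] += 1
    return groups


def prioritize(groups, flood_threshold=3):
    """Risk-adjust each group: event-driven severity times the asset's business value."""
    ranked = []
    for (dst, category), count in groups.items():
        name, value = ASSETS.get(dst, ("unknown", 1))
        severity = 5 if count >= flood_threshold else 1
        ranked.append({"asset": name, "category": category,
                       "events": count, "risk": severity * value})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)
```

Running `prioritize(correlate(FIREWALL_LOGS + IDS_LOGS))` puts the mail server first; the same two worm alerts would rank first if the laptop were given the mail server's value, which is the point of asset-aware weighting.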


SIM products come in two configurations: software that runs on a server platform, generally of your choosing, and network appliances that prepackage everything in a neat little box. In general, servers are more flexible and easier to scale up to meet future demand, but they can be hard to configure. Appliances help avoid most setup hassles and may offer better performance but are usually less configurable.


Performance and scalability also hinge on the type of database sitting behind the SIM tool. Relational database management systems built on familiar platforms such as Oracle Database are often more customizable, but they generally rely on software agents to collect device data. This is the approach favored by some of the biggest names in SIM, including ArcSight, Intellitactics Inc. and netForensics.


Filter or no filter?

Other SIM vendors, notably Network Intelligence Corp. and OpenService Inc., use largely agentless, proprietary databases that they claim are faster and provide analysts all available data rather than filtering it.


'We have customers who have several hundred thousand events per second, and some are going up to a million per second,' said Jim Melvin, a Network Intelligence executive vice president. Tracking all the events unfiltered makes it easier for analysts to establish baselines of normal activity against which to compare suspicious activity, and meets FISMA requirements for reporting unaltered security data.


But Steve Sommer, senior vice president at ArcSight, disagreed, describing Network Intelligence's proprietary database as a 'high-performance log collector. It's not real good at doing custom reporting or real-time threat analysis.'


Needs vary from agency to agency. Wherever you land in the agent-versus-agentless decision, spotting a threat is important, but response is what counts.


SIM tools can take up to three approaches. They can have incident response built in, providing trouble tickets and alerts that security analysts can pass along to network operations staff for remedial action. Or they can pass data and alerts directly to help desk programs. In the more low-tech third option, security and network teams use a help desk tool to enter SIM information manually.


SIM tools typically don't initiate responses without human intervention. The secured assets are too valuable, and the software is not yet smart enough to be trusted. 'Automatic response is a scary term for most customers, and rightly so,' said Sharlun, ArcSight's director of strategic application solutions. Some users program their SIM systems to take action that can be safely standardized, such as shutting down a server infected with a known, fast-moving worm.


But perhaps the most important reason SIM plays a more passive role in network security is that its functionality typically spans two groups within an organization. Any platform you choose should have features that bridge the divide.


Network operations centers and security operations centers are usually separate departments and cultures that don't always work well together. SIM is an SOC thing, but remediation often gets thrown in the NOC's lap. 'The network guys just do not like the idea of a tool going out and messing with their infrastructure,' said Paul Stamp, senior analyst at Forrester Research.


Calvin Chai, marketing manager for Cisco Systems' CS-MARS SIM appliance, agrees the NOC versus SOC conflict exists, especially in large organizations, but says the real issue now is a blurring of the lines of responsibility. The SOC's job used to be to define security policy and monitor threats. 'But we've seen security becoming more and more integrated into the network infrastructure itself,' Chai said.


SIM vendors see this as an opportunity to add integration and collaboration features. 'There's this historic divide between the network operations guys and the security operations guys, and there's always discussion on how to better integrate those two players,' Braunberg said.


Linking approval workflows is one obvious solution. Better data sharing is another. For example, a NOC might misdiagnose a performance degradation issue until the SOC alerts it to a possible denial-of-service attack.


Keeping pace

As network attacks have evolved into lightning-quick, so-called 'zero-day' threats, they've nearly passed by the original SIM technology. SIM came along expressly to add analysis of both historical and current security events, essentially slowing down the art of network protection. SIM vendors, among them Cisco and Network Intelligence, are now touting new features that expand their ability to offer real-time monitoring and response by analyzing network traffic streams. As a result, SIM is evolving into SIEM: security information and event management.


Moreover, agencies increasingly recognize that threats also come from inside their walls, from employees who already have access to the network and mean to do it harm. 'We have some very sophisticated U.S. government customers using us for insider threat detection,' said Sommer.


Monitoring firewalls and other edge devices helps little. 'It's harder to detect,' Sommer said of insider threats. 'You have to do different types of analysis.' So, SIM vendors have begun adding features that help spot suspicious behavior by trusted users.


While security information management can help make sense of a complex network, it's not a silver bullet. 'To think of a SIM as an all-powerful expert system, I think we're a long way from that,' said Stamp.


Industry analysts, and even some of the vendors, say SIM products must be made easier for more people to use, especially for correlation and analysis. 'The technology, if anything, is a bit too complex,' Braunberg said. 'Where we're at now is trying to simplify and move beyond these initial pilots. Ease of use and ease of configuration and management issues are top-of-mind right now.'


The very complexity of SIM and the networks it protects make it hard to run a small-scale pilot or to get a meaningful demo from vendors. Rather, the best way to investigate SIM products is to talk to peers who have used them, including some the vendor did not recommend. 'Find someone who looks like you and is doing what you want to do, and talk to them,' Geimer said.



David Essex is a freelance technology writer based in Antrim, N.H.
