The Position
Why such confusion? The vendors are aiming at vastly different goalposts. Talk to IDS vendors, and you'll likely hear about pushing higher bandwidth levels and reducing false positives. Sit down with the firewall folks, and you'll end up discussing new features, bandwidth, features, bandwidth and, most likely, more features. Intrusion-prevention vendors? They'll talk your ear off about why you should spend money with them and not with the IDS vendors.
You can't pick just one of these technologies, either. Today's information-security efforts require the deployment of an assortment of products from a wide range of vendors. It's not uncommon to employ firewalls, HIDSs (host-based IDSs), NIDSs (network-based IDSs), VPN concentrators, authentication systems, antivirus solutions, VA (vulnerability assessment) tools, general-purpose log parsers and an assortment of other security-specific applications. Rarely are two or more of these products from any one vendor -- and we don't think that trend is going to change any time soon. When it comes to security, "best of breed" is in.
Some of the larger software providers may disagree with us as they continue to push their "single source" messages, but based on market-share statistics we don't think the market agrees with their ideas, either. Check Point Software Technologies and Cisco Systems dominate the enterprise firewall industry, according to Infonetics Research, a San Jose, Calif.-based market-research firm. And Cisco, Internet Security Systems (ISS) and Symantec top the charts for hardware-, network-software- and host-based intrusion-detection products, respectively, according to IDC's Kolodgy.
Kolodgy says BindView Corp. has 28 percent of the vulnerability-assessment market. The antivirus, VPN and PKI (public key infrastructure) fields have their own leaders, too.
So, assuming that Check Point, Cisco, Enterasys Networks, Hewlett-Packard Co., IBM, ISS, Microsoft, Network Associates, Sun Microsystems and Symantec aren't going to merge any time soon, we can safely conclude that security teams will continue to be faced with cross-platform, cross-vendor, cross-device challenges. These heterogeneous security environments create interesting problems in several areas:
>> Management challenges. Trying to manage multiple, disparate devices with a single application is virtually impossible. Each platform has its own administrative tools, and fully functional management platforms are still a ways off. Cross-device complexities can create other operational challenges as well. For example, trying to keep a routing policy enforced across multiple VPN, router and firewall devices can be extremely difficult in large deployments.
>> Interoperability challenges. Most different types of devices simply can't communicate effectively with each other. While movements like Check Point's OPSEC (Open Platform for Security) effort and advances in standardized alert formatting may help solve this problem, today's security devices have a standalone mentality. For example, Foundstone's VA tool isn't going to reprogram Enterasys' IDS to look for an attack against Microsoft's latest OS vulnerability, and the neighboring Cisco IDS can't tell NetScreen Technologies' firewall to log all traffic to and from a particular address based on what the IDS just witnessed. Is each of the products capable of standalone tasks? Yes. Does the data exist for this type of combined effort? Yes. Is this functionality possible? Absolutely. Can today's products effectively execute on this vision? Not by a long shot.
>> Data-analysis challenges. SNMP and availability-monitoring packages have helped us with the basics. We can now check for utilization levels and availability, for example, and tie these basic monitoring services into our larger network framework products (such as CiscoWorks, HP OpenView and IBM Tivoli). In addition, many organizations have adopted syslog as the universal "log piper," sending router, firewall and sometimes even IDS data to a centralized data store. But who reads those logs? Who sorts them? How are they stored? And how can we leverage the intelligence gathered from that Cisco router with that Check Point firewall and that Snort IDS appliance?
While all three of these areas (management, interoperability and data analysis) present significant challenges to security practitioners, they are indeed separate issues. The data aggregation and correlation product space attempts to address the data-analysis challenge -- not interoperability or device management. This is important, as we've seen aggregation and correlation products from companies like netForensics confused with command-and-control solutions, such as Ponte Communications' nsControl, which address device-management issues.
Much of the confusion is vendor-sponsored. Upon visiting the Web sites of many of the "aggregation and correlation" vendors, we were barraged with terms such as "real-time forensics," "security event monitoring," "real-time threat management" and "enterprise security management." After spending a few minutes behind the Web browser, our heads were spinning; many of those phrases describe features found in other product spaces. We're not sure who's more confused -- the marketing departments that are flooding the scene with these messages, or the industry that's choking on their wake.
Regardless, heterogeneous enterprise security environments face management, interoperability and analysis challenges. Today's organizations require different solutions to address all the issues. The day may come when the industry is presented with the all-encompassing, interoperable command, control and analysis solution, but we're not holding our breath. Today's vendors are struggling to tackle just one of these problems, much less all three.
The Value Proposition
It's not hard to justify the need for security data correlation. Justifying the accompanying purchase and deployment costs, on the other hand, is more difficult. Software pricing alone starts at $26,250, and this number pales in comparison with the labor costs associated with deployment and integration efforts. The value a SIM product adds to an organization's security program depends directly on several variables: the size of the organization, the number of security events the organization faces, the number of security devices the organization monitors and the utilization levels of the security team. Depending on where your organization is in its efforts and positioning, SIM solutions may or may not add enough value to justify their costs. There is no question that the technology can help security personnel be more efficient; the question is how much more efficient.
SIM products offer a number of useful functions, but the two heaviest hitting are in the areas of incident investigation and data abstraction. Organizations that have already handled network-based security incidents know the drill all too well: start digging through the logs, attempt to identify the attacker's IP address (or ranges) and begin the data-gathering efforts. The manual correlation process alone can have administrators logging into multiple systems, using multiple consoles, and digging through firewall, IDS, router, system and Web logs. SIM products can reduce these efforts to a few mouse clicks.
On the abstraction front, if the security team faces a few dozen alerts a day, its workload is probably still manageable. Increase that number to a few thousand (or higher), and the task is no longer trivial. In addition, ask any IDS operator how he or she spends the majority of his or her time and you'll hear grumbling about sifting through alerts and prioritizing events. By giving operators a more strategic view of inbound alerts, combined with a more efficient way of sorting and viewing the data, you've just made their job a lot less time-consuming.
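The two functions just described, pivoting on an attacker's address across router, firewall and IDS logs and then ranking the results so the operator sees the worst offenders first, reduce to a small normalize-then-correlate pipeline. The following is an added illustration, not code from any of the products reviewed; the log lines are constructed and their formats are simplified stand-ins for real vendor syntax.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines from a router ACL, a firewall and a Snort
# sensor; the formats are simplified stand-ins, not real vendor syntax.
SAMPLE_LOGS = [
    "router: list 101 denied tcp 203.0.113.5(4123) -> 192.0.2.10(23)",
    "fw: drop src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp",
    "snort: [1:2003:8] WEB-IIS cmd.exe access [Priority: 1] 203.0.113.5:4300 -> 192.0.2.20:80",
    "fw: accept src=198.51.100.7 dst=192.0.2.20 dport=80 proto=tcp",
    "fw: drop src=203.0.113.5 dst=192.0.2.11 dport=22 proto=tcp",
    "snort: [1:1000:1] ICMP PING NMAP [Priority: 3] 198.51.100.7 -> 192.0.2.20",
]

# One pattern per device type; every match is mapped onto the same schema.
PATTERNS = {
    "router": re.compile(r"^router: .*denied \w+ (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"),
    "fw": re.compile(r"^fw: (?P<action>drop|accept) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"),
    "snort": re.compile(r"^snort: \[[\d:]+\] (?P<sig>.+?) \[Priority: (?P<prio>\d)\] "
                        r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"),
}

def normalize(line):
    """Parse one raw line into a common event record, or None if no parser matches."""
    for device, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            f = m.groupdict()
            # Snort priority 1 is most severe -> 3; drops/denies -> 1; permitted traffic -> 0 (context only)
            severity = (4 - int(f["prio"]) if device == "snort"
                        else 0 if f.get("action") == "accept" else 1)
            return {"device": device, "src": f["src"], "dst": f["dst"],
                    "dport": int(f["dport"]) if f.get("dport") else None,
                    "severity": severity}
    return None

def correlate(lines):
    """Group normalised events by source address, the pivot an investigator starts from."""
    by_src = defaultdict(lambda: {"events": 0, "score": 0, "devices": set(), "targets": set()})
    for ev in filter(None, map(normalize, lines)):
        s = by_src[ev["src"]]
        s["events"] += 1
        s["score"] += ev["severity"]
        s["devices"].add(ev["device"])
        s["targets"].add(ev["dst"])
    return dict(by_src)

def prioritize(summary):
    """Rank sources by severity score, then by how many distinct devices reported them."""
    return sorted(summary.items(), key=lambda kv: (kv[1]["score"], len(kv[1]["devices"])), reverse=True)
```

Running `prioritize(correlate(SAMPLE_LOGS))` puts 203.0.113.5 at the top: four events across all three device types, versus one low-priority sweep and one permitted connection for 198.51.100.7.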
If your organization knows how many events it investigates, how long getting those logs sifted and sorted takes, and roughly how many events are missed based on sheer operator overload, you're on your way to estimating what a SIM solution can do for your security program. But after spending a few months with these products, we determined that the packages are not for everyone.
The Reality
As with any new product space, the players here are young, the solutions are immature and early adopters are in for an interesting (and eventful) ride. We took six of these products -- all data-analysis solutions -- for a test drive in our Neohapsis partner lab, in Chicago, and found ourselves engulfed in a fiery wreck, time after time. Getting databases configured, software installed and communication channels operating, and touching every single security device to be monitored was quite a challenging and resource-intensive process, to put it mildly. Once we had the products running, their value to a large enterprise was immediately obvious. But the products are complex, installation times are long, documentation is poor, crash helmets are needed, and these solutions just won't get going without help from professional services and a few sacrificial chickens. Aggregation and correlation products could very well turn into the ERP (enterprise resource planning) systems of the security space: costly and painful solutions that become incredibly strategic platforms once deployed.
This is where enterprise security operations is headed, and we find it hard to envision corporate security efforts existing in the future without aggregation and correlation capabilities. However, it remains to be seen whether these services will continue to be supplied by smaller, third-party players, or whether the big boys, like Cisco, Enterasys, ISS and Symantec, will get a clue, start making nice with other vendors and look at launching their own solutions. Time will tell.
Greg Shipley is the CTO for Chicago-based security consultancy Neohapsis. Please send your comments on this article to him at gshipley@neohapsis.com.