Harnessing the Flood of Security Data

According to the U.S. Congress' 9/11 Commission, one of the key elements that allowed the attacks to occur was the FBI's inability to easily share information gathered by different offices -- to coordinate and analyze that data.

But remedying this has not proven easy.

After spending as much as $170 million on custom software to address this issue, the FBI announced on Jan. 13 that it might have to scrap the software and start over.

"The FBI's long-anticipated Virtual Case File has been a train wreck in slow motion," Sen. Patrick Leahy (D-Vt.) said in a statement released that day.

On a smaller scale, IT departments are having trouble managing their own security data.

"Everything was a mess," says Jim Patterson, security analyst for the State of Illinois Legislative Information System (ILIS). "Even from a big vendor like Cisco, each device had its own reporting console, and there was no way to have a central point to manage them."

To make things worse, each device required not just its own software but its own dedicated PC, to avoid conflicts between the different consoles.

"We would try to gather data from all these different devices, but there was no way to correlate the information," Patterson adds. "The Cisco PIX firewalls were generating so much traffic -- millions of messages a day -- that the little built-in SQL server couldn't even handle it."

At Cisco's recommendation, ILIS turned to a new type of management software called Security Information Management (SIM), installing nFX software from netForensics, Inc., a company focused on the SIM market and based in Edison, N.J. This allowed Patterson to aggregate all the security information into a single database for analysis and alerting.

"The netForensics has a real-time event console with a scrolling display of what is happening," says Patterson. "This reduces the number of people you need to have monitoring security since everything is in one central location."

Message Madness

SIM is an outgrowth of network log management software, adapted for use with security devices and software such as firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), authorization software and anti-virus. One of the main drivers has simply been the need to make sense of the huge volume of data these devices emit. No one can manually read through millions of messages and come away with a clear picture of what is happening from a security standpoint.

"Many times, this is driven by a failed IDS project that dumps out too much data to effectively interpret," says Paul Proctor, vice president of Security and Risk Strategies for META Group, an analyst firm based in Stamford, Conn. "IDS implementations fail because organizations do not tune them properly, not because they inherently produce too much data."

Of course, when devices generate that much information, it is hard to tune them properly and so reduce the number of messages in the first place.

Patterson says having a SIM has enabled the state to fine-tune its firewalls and sensors.

META Group's Proctor advises that organizations shouldn't start out with the goal of cutting down on the data they already have. Instead, they should start by determining what they actually need.

"A more effective approach is to start with a detection requirements list tied to business needs, and then determine which events need to be collected to support those requirements," he says. "If you take this approach, SIMs can have value."

A Global View

Installing and configuring a SIM can be a major undertaking. Patterson says the Illinois system started out running its SIM on a single server, but as the number of security devices increased he had to split it across several machines. He is now monitoring 30 devices at three sites.

The netForensics software resides on three low-end Dell dual-processor servers -- one for collecting the data, one for the Oracle database, and a third for reporting and analysis. Larger installations require much more.

"When they embark on a large SIM project (with more than 300 audit sources/nodes) they should put aside at least $50,000 in their services budget for the vendor or a competent third-party to come in and install, and tune for appropriate business requirements," says Proctor. "Deployments with more than 1,000 nodes are usually multi-year efforts, so set realistic expectations and project goals."

Unisys Global Infrastructure Services of Blue Bell, Penn., for example, has three security operations centers. One is in Blue Bell, another is in Amsterdam, the Netherlands, and the third is in Wellington, New Zealand. Through these centers the company delivers services around the globe to its 200 managed security clients.

Unisys Global began deploying a SIM from ArcSight, Inc. of Cupertino, Calif. in June of 2003. The final roll-out will be completed this year. Once it is complete, security analysis will be performed at three levels -- customer, regional and global. Having the global system in place lets the company spot a problem in one area of the world and take action to harden security in other areas before they are hit.

"It has proven useful in helping to detect the zero-day threats out there before there is a signature available for it," says John Summers, Global Director for Managed Security Services. "Our European operations center, for example, found a particular threat, what the network traffic looked like, what ports it was talking on, and we wrote a specific correlation rule to monitor data on those ports."

Summers says that having a SIM delivers two main benefits.

To begin with, it enables complex pattern detection across a heterogeneous infrastructure. This has been useful in spotting blended threats, which seek to exploit multiple vulnerabilities at once.

The other benefit is that it reduces the number of false positives, allowing analysts to accurately pick out the true threats.

"With IDS or any security device, you get way too many messages coming in, so to handle it, people turn down the gain on their sensors so they put out less noise, but also put out less signal," says Summers. "But an event correlation platform allows you to turn the gain up again and gives you a more accurate ability to detect suspicious or bad activity."
