Security information management comes of age

Angus Kidman
Any security platform worth its salt produces log data, but in a large network running multiple systems and protocols it's impossible to monitor this accurately by tracking individual data sets. A well-developed security information management approach minimises the number of consoles that security professionals have to monitor, aggregating this data into a single easier-to-manage platform. (Security information management is generally considered to be restricted to this capturing and monitoring function, rather than the broader practice of information security management strategies, which also incorporates other technological, business and people management elements.)
"The value of SIM products was profoundly simple in concept," Forrester analysts John Kindervag and Andrew Jaquith noted in a recent technology overview. "They transformed noisy, low-level security event information generated by firewalls and intrusion detection system (IDS) devices into alerts that could be readily comprehended by security analysts."
As with any monitoring system, data capture and processing can take place in a number of locations. While a SIM platform can simply collect raw data from system agents and process it on a central server, in practice data is often filtered by those agents as well before transmission. That approach has two potential benefits: avoiding clogging network traffic and reducing the risk of information overload.
Despite the relative maturity of the technology (examples date back to 2000), SIM platform deployment is far from a given. According to Forrester analyst Jonathan Penn, SIM rollouts are more typical within organisations with a large security spend than amongst more budget-minded corporations.
One driving factor in the adoption of SIM systems in recent years has been increased adoption of the Payment Card Industry Data Security Standard (PCI DSS), which mandates tracking all use of payment cards. Its introduction in 2004, and a series of subsequent updates, provided a fresh impetus for the installation of SIM systems in retail and financial environments.
"The PCI log management requirements are very specific and include explicit guidance on how logs should be handled so that they cannot be tampered with," note Kindervag and Jaquith. "SIM vendors have tuned their market message and technical feature sets to meet this requirement precisely."
A key distinguishing feature amongst SIM platforms is the degree of aggregation that takes place. Data normalisation is often used to try to reduce the amount of information security pros have to process when identifying trends and potential problems within a SIM platform, and to ensure that data is available for governance tracking. For instance, CA's Enterprise Log Manager, released in April this year, includes a large number of preconfigured reports designed to link security trends into existing legislative and compliance requirements.
However, if a major problem is discovered, then manual sifting through raw data is often required to accurately track questionable transactions and events, since normalised information generally won't contain sufficient data to identify specific instances of problems.
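The normalisation and raw-data trade-off described above, as an added illustration rather than code from the article or from any SIM vendor: two constructed log formats (a netfilter-style firewall line and a Snort-style IDS line, both invented sample data) are mapped to one common schema, aggregated per source address into an alert, and each alert keeps the ids of its raw lines so an analyst can pull the originals when a problem needs manual sifting.

```python
import re

# Constructed sample log lines (invented for this example, not from any real device).
RAW_LOGS = [
    "Jan 12 10:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jan 12 10:01:03 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23",
    "Jan 12 10:01:04 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443",
    "Jan 12 10:01:05 ids01 snort[123]: [1:2001:1] Attempted SSH scan [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.0.2.10:22",
    "Jan 12 10:01:06 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389",
]

# Parsers for the two assumed formats; a real deployment would have one per device type.
FW_RE = re.compile(r"(?P<action>DROP|ACCEPT) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dport>\d+)")
IDS_RE = re.compile(r"snort\[\d+\]: \[[\d:]+\] (?P<msg>.+?) \[Priority: (?P<prio>\d)\] \{\w+\} "
                    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def normalise(raw_id, line):
    """Map one raw line onto the common schema. raw_id points back at the untouched line,
    which is what the analyst needs when the normalised record is not detailed enough."""
    m = FW_RE.search(line)
    if m:
        return {"raw_id": raw_id, "source": "firewall", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "severity": 1 if m["action"] == "DROP" else 0}
    m = IDS_RE.search(line)
    if m:
        return {"raw_id": raw_id, "source": "ids", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "severity": 4 - int(m["prio"])}
    return None  # unparsed lines are dropped here; a real SIM would count and store them

def aggregate(lines, min_events=3):
    """Collapse normalised events into one alert per source address that generated
    at least min_events events, across every device type that reported it."""
    events = [e for e in (normalise(i, l) for i, l in enumerate(lines)) if e]
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)
    alerts = []
    for src, evs in by_src.items():
        if len(evs) >= min_events:
            alerts.append({"src": src, "events": len(evs),
                           "ports": sorted({e["dport"] for e in evs}),
                           "sources": sorted({e["source"] for e in evs}),
                           "raw_ids": [e["raw_id"] for e in evs]})
    return alerts

def raw_for_alert(alert, lines):
    """Recover the raw records behind an alert for manual investigation."""
    return [lines[i] for i in alert["raw_ids"]]
```

Run with the sample data, the single alert names 203.0.113.5, links four events from both the firewall and the IDS, and hands back the original lines on request.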
Integrating security information management systems with more general network monitoring is often held up as a worthwhile goal, since both make use of similar methodologies (collection and analysis of log-style data) and both are concerned with risk management and maximising system availability. In practice, however, the high volume of alerts which a security system alone can generate, even when normalisation and aggregation techniques are used, often makes that approach impractical.
Increasingly, SIM platforms are being used not just for traditional IT security, but for integration with physical security systems such as camera monitoring. IDC estimates the market for SIM platforms used purely for physical security will top $US5.3 billion by 2013.