Using SIM Software to Deal with Security Overload

When IT and security managers are trying to handle 5,000 to 10,000 security events a second, they need a technology that will help them visualize what is happening on their network. Is SIM software the answer?
Posted December 30, 2004

Drew Robb

George Washington had some excellent advice on the topic of security: ''Offensive operations, often times, are the surest, if not the only means of defense.''

Unfortunately, when it comes to securing the network, that usually isn't an option. Although it would be effective, police tend to frown on companies hiring roving bands of mercenaries to hunt down and eradicate hackers. That leaves administrators with the task of assembling a vast and expanding array of defensive security devices, software and procedures in a not always successful attempt to anticipate and prevent intrusion.

But there is only so far you can go when adding security features before it becomes an unmanageable morass. When you add up the number of intrusion detection and prevention systems, access control systems, firewalls, anti-virus, VPNs and content filters -- each logging potential breaches and issuing alerts -- it becomes impossible for one person, or even a fair-sized security team, to pursue all of the data.

''Depending on the time of day, we have 5,000 to 10,000 events per second,'' says Dan Lukas, lead security architect for Aurora Health in Milwaukee, Wisc. ''We needed something that scaled to our size and would be proactive in watching the links in real time so we can fix it quickly.''

To bring his security management under control, he installed Security Information Management (SIM) software from Intellitactics Inc. of Reston, Va.

Alert Central

SIM is a new category of software and devices designed to help enterprises bring their security management under control. At this point, the software or SIM appliances are relatively expensive, from the tens of thousands of dollars on up. They also require dedicated security managers to watch over the SIM console, analyze the data and take the appropriate defensive actions.

As of early 2004, Gartner, Inc., a major industry research firm based in Stamford, Conn., estimated that 20 percent of Fortune 1,000 companies were using SIM. Cost and complexity, however, put the technology out of the reach of medium-sized and small organizations.

SIMs collect syslog messages, Windows event logs, SNMP traps and other feeds from all the security devices in the organization, store that information in a common database, analyze it and present it in a format that is easier for security specialists to interpret. Some SIMs will also take automatic action, such as changing the settings on a firewall to block an attack.

''Many companies approach SIM because they have a large amount of data that they believe contains useful information, so they buy a SIM to process all that data and extract actionable events,'' says Paul Proctor, vice president of security and risk strategies for META Group, another analyst firm based in Stamford, Conn. ''This is a flawed approach because it leads to unrealistic expectations.''

Proctor points out that SIMs are only as useful as the quality of data that is fed into them, and he warns that companies should start by listing exactly what they need to detect, and what events need to be collected, rather than simply what is already there.

''Many times, this is driven by a failed IDS project that dumps out too much data to effectively interpret,'' says Proctor. ''IDS implementations fail because organizations do not tune them properly, not because they inherently produce too much data.''

Gartner analyst Amrit Williams says that in selecting a SIM, IT administrators need to be sure to test its ability to handle the amount of data that their network will be throwing at it. Some of them will crash if they receive too great a traffic flow. But even if it doesn't shut down, it may still be too slow to analyze such a large amount of data in real time.

''You need to find out how many events per second they can handle,'' he advises. ''If they say they do real time alerting, but it takes 20 minutes to process that many feeds, it is not real time.''

Reaching Out to the Edge

Aurora Health is a non-profit health care organization serving eastern Wisconsin. With a 24,000-member workforce, it is the state's largest private employer. Aurora uses a hub-and-spoke network to connect its 13 major hospitals, more than 100 clinics, 140 pharmacies and its extranets. For platforms, the organization uses mainframes, UNIX and Windows. The main data center is in Milwaukee, and redundant DS3 connections link it to the five hubs located at major hospitals, which then extend connections to the rest of the facilities. The strategic applications reside on servers at the Milwaukee data center.

''That way we can easily monitor the flow into and out of our strategic applications,'' says Lukas.

His security structure includes IDS, firewalls, content filtering and anti-virus.

''We are taking the data from all those different sources and dumping it into the Intellitactics Security Manager so we can correlate the data,'' he adds.

To set it up, he had Intellitactics engineers come on site for a week. The technology resides on its own Linux server. Unlike network management software, which auto-discovers the devices in the network, Lukas says that they had to decide which devices they wanted to receive feeds from, and then configure those to send the information to the event collector, where it is stored in a specialized database.

Once this was set up, Lukas says he gained greater visibility into what is going on in the network.

''Sometimes when stuff is happening, you can't visualize it when just seeing the raw data,'' he says. ''But with a visualization tool, you can play events back and see what devices it is hitting and track it back. We are getting to the point where when something is happening, we can see which port in the entire network it is coming from, and there are quite a few thousand switches out there.''

Using the console, Lukas can see devices that are misconfigured or problematic and can either fix them remotely or send someone out to the site. They also have caught a fair number of infected workstations, as well as consultants trying to log onto the network with spyware on their laptops.

''The visualization tool allows you to really see what is going on in all parts of your network,'' Lukas says. ''When people talk about data correlation, they are usually talking about the core. But we can see further out to the network edge.''
