Harnessing the Flood of Security Data

IT departments are struggling to manage the deluge of security data that overwhelms their systems and their work days.
Posted February 25, 2005
By Drew Robb


According to the U.S. Congress' 9/11 Commission, one of the key elements that allowed the attacks to occur was the FBI's inability to easily share information gathered by different offices -- to coordinate and analyze that data.

But remedying this has not proven easy.

After spending as much as $170 million on custom software to address this issue, the FBI announced on Jan. 13 that it might have to scrap the software and start over.

''The FBI's long-anticipated Virtual Case File has been a train wreck in slow motion,'' Sen. Patrick Leahy, (D-Vt.) said in a statement released that day.

On a smaller scale, IT departments are having trouble managing their own security data.

''Everything was a mess,'' says Jim Patterson, security analyst for the State of Illinois Legislative Information System (ILIS). ''Even from a big vendor like Cisco, each device had its own reporting console, and there was no way to have a central point to manage them.''

To make things worse, each device required not just its own software but a dedicated PC, to avoid running into conflicts.

''We would try to gather data from all these different devices, but there was no way to correlate the information,'' Patterson adds. ''The Cisco Pix firewalls were generating so much traffic -- millions of messages a day -- that the little built-in SQL server couldn't even handle it.''

At Cisco's recommendation, ILIS turned to a new type of management software called Security Information Management (SIM), installing nFX software from NetForensics, Inc., a company focused on the SIM market and based in Edison, N.J. This allowed Patterson to aggregate all the security information into a single database for analysis and alerting.

''The netForensics has a real-time event console with a scrolling display of what is happening,'' says Patterson. ''This reduces the number of people you need to have monitoring security, since everything is in one central location.''

Message Madness

SIM is an outgrowth of network log management software adapted for use with security devices and software, including firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), authorization software and anti-virus. One of the main drivers has been simply being able to make sense out of the huge amount of data that these devices spit out on a regular basis. It is impossible to manually go through the millions of messages and gain a clear concept of what is happening from a security standpoint.

''Many times, this is driven by a failed IDS project that dumps out too much data to effectively interpret,'' says Paul Proctor, vice president of Security and Risk Strategies for META Group, an analyst firm based in Stamford, Conn. ''IDS implementations fail because organizations do not tune them properly, not because they inherently produce too much data.''

Of course, when you have devices generating that much information, it can be hard to tune the devices properly and thereby reduce the number of messages.

Patterson says having a SIM has enabled the state to fine tune its firewalls and sensors.

META Group's Proctor advises that organizations shouldn't start out with the goal of cutting down on what they have. Instead, they should start by determining what they need.

''A more effective approach is to start with a detection requirements list tied to business needs, and then determine which events need to be collected to support those requirements,'' he says. ''If you take this approach, SIMs can have value.''

A Global View

Installing and configuring a SIM can be a major undertaking. Patterson says the Illinois system started out running its SIM on a single server, but found that as the number of security devices increased, he had to split it up. He is now monitoring 30 devices at three sites.

The netForensics software resides on three low-end Dell dual-processor servers -- one for collecting the data, one for the Oracle database, and a third for reporting and analysis. Larger installations require much more.

''When they embark on a large SIM project (with more than 300 audit sources/nodes) they should put aside at least $50,000 in their services budget for the vendor or a competent third-party to come in and install, and tune for appropriate business requirements,'' says Proctor. ''Deployments with more than 1,000 nodes are usually multi-year efforts, so set realistic expectations and project goals.''

Unisys Global Infrastructure Services of Blue Bell, Penn., for example, has three security operations centers. One is in Blue Bell, another is in Amsterdam, the Netherlands, and the third is in Wellington, New Zealand. Through these centers the company provides services around the globe to its 200 managed security clients.

Unisys Global began deploying a SIM from ArcSight, Inc. of Cupertino, Calif. in June of 2003. The final rollout will be completed this year. Once this is completed, the security analysis will be performed at three levels -- customer, regional and global. Having the global system in place lets them spot a problem in one area of the world and take action to harden security in other areas before they are hit.

''It has proven useful in helping to detect the zero-day threats out there before there is a signature available for it,'' says John Summers, Global Director for Managed Security Services. ''Our European operations center, for example, found a particular threat, what the network traffic looked like, what ports it was talking on, and we wrote a specific correlation rule to monitor data on those ports.''

Summers says that having a SIM has two main values.

To begin with, it enables them to do complex pattern detection across a heterogeneous infrastructure. This has been useful in spotting blended threats that seek to exploit multiple vulnerabilities.

The other benefit is that it is able to reduce the number of false positives, allowing them to accurately spot the true threats.

''With IDS or any security device, you get way too many messages coming in, so to handle it, people turn down the gain on their sensors so they put out less noise, but also put out less signal,'' says Summers. ''But an event correlation platform allows you to turn the gain up again and gives you a more accurate ability to detect suspicious or bad activity.''
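The two benefits Summers describes (correlating across heterogeneous sources, and alerting on correlated patterns rather than on every raw event so the sensor "gain" can stay up) can be illustrated in a few lines. This is an added example, not code from the article or from any SIM vendor it mentions; the log lines are constructed in a PIX-like and Snort-like style, and the rule thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): a PIX-style firewall deny line
# and a Snort-style IDS alert line, two heterogeneous sources feeding one SIM.
FIREWALL_LOGS = [
    "Feb 25 10:00:01 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4021 dst inside:192.0.2.10/445",
    "Feb 25 10:00:02 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4022 dst inside:192.0.2.11/445",
    "Feb 25 10:00:03 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/5100 dst inside:192.0.2.10/80",
]
IDS_LOGS = [
    '[**] [1:2001:0] "SMB probe" [**] {TCP} 203.0.113.5:4023 -> 192.0.2.12:445',
    '[**] [1:2002:0] "HTTP scan" [**] {TCP} 198.51.100.7:5101 -> 192.0.2.10:80',
]

FW_RE = re.compile(r"Deny \w+ src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
IDS_RE = re.compile(r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def normalize(source, line):
    """Map one raw line from a given device type onto a common SIM event schema."""
    m = (FW_RE if source == "firewall" else IDS_RE).search(line)
    if not m:
        return None  # unparseable line: drop it rather than guess at fields
    return {"source": source, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def aggregate(fw_lines, ids_lines):
    """Collect every device's events into one list, the SIM's central store."""
    raw = [normalize("firewall", l) for l in fw_lines] + [normalize("ids", l) for l in ids_lines]
    return [e for e in raw if e is not None]

def correlate(events, min_sources=2, min_hosts=2):
    """Correlation rule (assumed thresholds): a source IP confirmed by at least
    min_sources device types and touching at least min_hosts internal hosts on one
    port. Single-host probes stay as raw events; the cross-host sweep becomes an alert."""
    seen = defaultdict(lambda: {"sources": set(), "hosts": set()})
    for e in events:
        key = (e["src"], e["dport"])
        seen[key]["sources"].add(e["source"])
        seen[key]["hosts"].add(e["dst"])
    alerts = []
    for (src, dport), v in sorted(seen.items()):
        if len(v["sources"]) >= min_sources and len(v["hosts"]) >= min_hosts:
            alerts.append({"src": src, "dport": dport, "hosts": len(v["hosts"]),
                           "sources": sorted(v["sources"])})
    return alerts

if __name__ == "__main__":
    for a in correlate(aggregate(FIREWALL_LOGS, IDS_LOGS)):
        print(a)
```

With the sample input, the port 445 sweep across three hosts is raised as one alert while the single-host port 80 probe, although seen by both devices, is kept only as raw events.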
