George Washington had some excellent advice on the topic of security:
”Offensive operations, often times, are the surest, if not the only
means of defense.”
Unfortunately, when it comes to securing the network, that usually isn’t
an option. Although it would be effective, police tend to frown on
companies hiring roving bands of mercenaries to hunt down and eradicate
hackers. That leaves administrators with the task of assembling a vast
and expanding array of defensive security devices, software and
procedures in a not always successful attempt to anticipate and prevent
intrusion.
But there is only so far you can go when adding security features before
it becomes an unmanageable morass. When you add up the number of
intrusion detection and prevention systems, access control systems,
firewalls, anti-virus, VPNs and content filters — each logging potential
breaches and issuing alerts — it becomes impossible for one person, or
even a fair-sized security team, to pursue all of the data.
”Depending on the time of day, we have 5,000 to 10,000 events per
second,” says Dan Lukas, lead security architect for Aurora Health in
Milwaukee, Wisc. ”We needed something that scaled to our size and would
be proactive in watching the links in real time so we can fix it
quickly.”
To bring his security management under control, he installed Security
Information Management (SIM) software from Intellitactics Inc. of Reston,
Va.
Alert Central
SIM is a new category of software and devices designed to help
enterprises bring their security management under control. At this point,
the software or SIM appliances are relatively expensive, from the tens of
thousands of dollars on up. They also require dedicated security managers
to watch over the SIM console, analyze the data and take the appropriate
defensive actions.
As of early 2004, Gartner, Inc., a major industry research firm based in
Stamford, Conn., estimated that 20 percent of Fortune 1,000 companies
were using SIM. Cost and complexity, however, put the technology out of
the reach of medium-sized and small organizations.
SIMs collect the syslog, Windows event log, SNMP traps or other
information from all the security devices in the organization, store that
information in a common database, analyze it and present it in a format
that is easier for security specialists to interpret. Some SIMs also will
take automatic action, such as changing the settings on a firewall in
order to block an attack.
”Many companies approach SIM because they have a large amount of data
that they believe contains useful information, so they buy a SIM to
process all that data and extract actionable events,” says Paul Proctor,
vice president of security and risk strategies for META Group, another
analyst firm based in Stamford, Conn. ”This is a flawed approach because
it leads to unrealistic expectations.”
Proctor points out that SIMs are only as useful as the quality of data
that is fed into them, and he warns that companies should start by
listing exactly what they need to detect, and what events need to be
collected, rather than simply what is already there.
”Many times, this is driven by a failed IDS project that dumps out too
much data to effectively interpret,” says Proctor. ”IDS implementations
fail because organizations do not tune them properly, not because they
inherently produce too much data.”
Gartner analyst Amrit Williams says that in selecting a SIM, IT
administrators need to be sure to test its ability to handle the amount
of data that their network will be throwing at it. Some of them will
crash if they receive too great a traffic flow. But even if it doesn’t
shut down, it may still be too slow to analyze such a large amount of
data in real time.
”You need to find out how many events per second they can handle,” he
advises. ”If they say they do real time alerting, but it takes 20
minutes to process that many feeds, it is not real time.”
Reaching Out to the Edge
Aurora Health is a non-profit health care organization serving eastern
Wisconsin. With a 24,000-member workforce, it is the state’s largest
private employer. Aurora uses a hub and spoke network to connect its 13
major hospitals, more than 100 clinics, 140 pharmacies and its extranets.
For platforms, the organization uses mainframes, UNIX and Windows. The
main data center is in Milwaukee and redundant DS3 connections link it to
the five hubs located at major hospitals, which then extend connections
to the rest of the facilities. The strategic applications reside on
servers at the Milwaukee data center.
”That way we can easily monitor the flow into and out of our strategic
applications,” says Lukas.
His security structure includes IDS, firewalls, content filtering and
anti-virus.
”We are taking the data from all those different sources and dumping it
into the Intellitactics Security Manager so we can correlate the data,”
he adds.
To set it up he had Intellitactics engineers come on site for a week. The
technology resides on its own Linux server. Unlike network management
software, which auto-discovers the devices in the network, Lukas says
that they had to decide which devices they wanted to receive feeds from,
and then configure those to send the information to the event collector,
where it is stored in a specialized database.
Once this was set up, Lukas says he gained greater visibility into what
is going on in the network.
”Sometimes when stuff is happening, you can’t visualize it when just
seeing the raw data,” he says. ”But with a visualization tool, you can
play events back and see what devices it is hitting and track it back. We
are getting to the point where when something is happening, we can see
which port in the entire network it is coming from, and there are quite a
few thousand switches out there.”
Using the console, Lukas can see devices that are misconfigured or
problematic and can either fix them remotely or send someone out to the
site. They also have caught a fair amount of infected workstations, as
well as consultants trying to log onto the network with spyware on their
laptops.
”The visualization tool allows you to really see what is going on in all
parts of your network,” Lukas says. ”When people talk about data
correlation, they are usually talking about the core. But we can see
further out to the network edge.”