Wednesday, September 22, 2021

Using SIM Software to Deal with Security Overload

George Washington had some excellent advice on the topic of security:

“Offensive operations, often times, are the surest, if not the only means of defense.”

Unfortunately, when it comes to securing the network, that usually isn’t an option. Although it would be effective, police tend to frown on companies hiring roving bands of mercenaries to hunt down and eradicate hackers. That leaves administrators with the task of assembling a vast and expanding array of defensive security devices, software and procedures in a not always successful attempt to anticipate and prevent intrusion.

But there is only so far you can go when adding security features before it becomes an unmanageable morass. When you add up the number of intrusion detection and prevention systems, access control systems, firewalls, anti-virus, VPNs and content filters — each logging potential breaches and issuing alerts — it becomes impossible for one person, or even a fair-sized security team, to pursue all of the data.

“Depending on the time of day, we have 5,000 to 10,000 events per second,” says Dan Lukas, lead security architect for Aurora Health in Milwaukee, Wisc. “We needed something that scaled to our size and would be proactive in watching the links in real time so we can fix it quickly.”

To bring his security management under control, he installed Security Information Management (SIM) software from Intellitactics Inc. of Reston, Va.

Alert Central

SIM is a new category of software and devices designed to help enterprises bring their security management under control. At this point, the software or SIM appliances are relatively expensive, from the tens of thousands of dollars on up. They also require dedicated security managers to watch over the SIM console, analyze the data and take the appropriate defensive actions.

As of early 2004, Gartner, Inc., a major industry research firm based in Stamford, Conn., estimated that 20 percent of Fortune 1,000 companies were using SIM. Cost and complexity, however, put the technology out of the reach of medium-sized and small organizations.

SIMs collect the syslog, Windows event log, SNMP traps or other information from all the security devices in the organization, store that information in a common database, analyze it and present it in a format that is easier for security specialists to interpret. Some SIMs also will take automatic action, such as changing the settings on a firewall in order to block an attack.

“Many companies approach SIM because they have a large amount of data that they believe contains useful information, so they buy a SIM to process all that data and extract actionable events,” says Paul Proctor, vice president of security and risk strategies for META Group, another analyst firm based in Stamford, Conn. “This is a flawed approach because it leads to unrealistic expectations.”

Proctor points out that SIMs are only as useful as the quality of data that is fed into them, and he warns that companies should start by listing exactly what they need to detect, and what events need to be collected, rather than simply what is already there.

“Many times, this is driven by a failed IDS project that dumps out too much data to effectively interpret,” says Proctor. “IDS implementations fail because organizations do not tune them properly, not because they inherently produce too much data.”

Gartner analyst Amrit Williams says that in selecting a SIM, IT administrators need to be sure to test its ability to handle the amount of data that their network will be throwing at it. Some of them will crash if they receive too great a traffic flow. But even if it doesn’t shut down, it may still be too slow to analyze such a large amount of data in real time.

“You need to find out how many events per second they can handle,” he advises. “If they say they do real time alerting, but it takes 20 minutes to process that many feeds, it is not real time.”

Reaching Out to the Edge

Aurora Health is a non-profit health care organization servicing eastern Wisconsin. With a 24,000-member workforce, it is the state’s largest private employer. Aurora uses a hub and spoke network to connect its 13 major hospitals, more than 100 clinics, 140 pharmacies and its extranets. For platforms, the organization uses mainframes, UNIX and Windows. The main data center is in Milwaukee and redundant DS3 connections link it to the five hubs located at major hospitals, which then extend connections to the rest of the facilities. The strategic applications reside on servers at the Milwaukee data center.

“That way we can easily monitor the flow into and out of our strategic applications,” says Lukas.

His security structure includes IDS, firewalls, content filtering and anti-virus.

“We are taking the data from all those different sources and dumping it into the Intellitactics Security Manager so we can correlate the data,” he adds.

To set it up he had Intellitactics engineers come on site for a week. The technology resides on its own Linux server. Unlike network management software, which auto-discovers the devices in the network, Lukas says that they had to decide which devices they wanted to receive feeds from, and then configure those to send the information to the event collector, where it is stored in a specialized database.

Once this was set up, Lukas says he gained greater visibility into what is going on in the network.

“Sometimes when stuff is happening, you can’t visualize it when just seeing the raw data,” he says. “But with a visualization tool, you can play events back and see what devices it is hitting and track it back. We are getting to the point where when something is happening, we can see which port in the entire network it is coming from, and there are quite a few thousand switches out there.”

Using the console, Lukas can see devices that are misconfigured or problematic and can either fix them remotely or send someone out to the site. They also have caught a fair number of infected workstations, as well as consultants trying to log onto the network with spyware on their laptops.

“The visualization tool allows you to really see what is going on in all parts of your network,” Lukas says. “When people talk about data correlation, they are usually talking about the core. But we can see further out to the network edge.”
