Security Information and Event Management helps ensure your organisation does not get caught off-guard
(13/01/2009)

What’s the one security question that you don’t want to be asked about your company? I believe it’s the same question that Her Majesty the Queen raised when she visited the London School of Economics in November 2008. Describing the global credit crunch as “awful”, she asked an LSE professor: "Why did nobody notice what was happening?" Caught off-guard, the professor replied, "Someone was relying on somebody else...”

This exchange neatly sums up a key IT security problem. Companies have to rely on staff to observe reasonable security practice, on partners not to pass on malware, and so on. So just like the financial markets, a big part of security is trust. But when that trust is undermined, things fall apart rapidly.

And the problem is, it’s very hard to spot the clues that show when trust has been breached, and a security threat is emerging.

Drowning in data
Why is this? Because complex networks and security deployments produce gigabytes of log data every day. Although they are vital, security systems such as IPS, IDS, firewalls and anti-virus also create problems by generating false-positive alerts, which often hide emerging threats from the IT team.

A recent IBM survey of 700 European IT managers highlighted the scale of the issue. Over 45% received more than 4,000 security events per second. This volume of data swamps IT teams, and makes it almost impossible to prioritise potential threats.

And perhaps the most critical issue is delayed action. These events take time to sort through – time that can be exploited by REAL security threats. And before you know it, you could have business partners, customers or shareholders asking: “Why didn’t you notice what was happening?"

Filtering false positives
So what causes false positives? The biggest cause is insufficient alert context. Firewalls and intrusion systems don’t understand the business importance and vulnerabilities of all systems within the organisation.

For example, an attempted malware infection of a web server may be reported as a high-priority event by the firewall, even if systems have already been patched against it.

This is the ultimate aim of security management: understanding and prioritising reported activity in context. A threat still generates an alert, but if it presents no risk to the affected system the IT team does not need to see it. This gives the IT team the ability to filter out the noise and focus on real threats.

Putting it in perspective
How do you contextualise threats, and filter out the extraneous noise from networks? This is where Security Information and Event Management (SIEM) solutions come in.

A SIEM solution automates the collection, correlation and contextualisation of security log data and events, which puts what’s happening on the network into perspective – removing the irrelevant noise, and enabling focus on the important events. This makes management easier, and frees up time for the IT team. Let’s look at a real-life SIEM deployment.
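The two ideas above, that false positives come from alerts lacking asset context, and that a SIEM collects, correlates and contextualises raw events so only the important ones surface, can be made concrete with a small correlation routine. The following is an added example written for this article, not Check Point's or Eventia's code: the key=value log format, the signature names ending in EXAMPLE, the host names and the asset inventory are all constructed for illustration. It parses a handful of firewall and IDS alerts, suppresses an exploit attempt against a host that is already patched, scales the remaining alerts by the business criticality of the target, and rolls a run of low-severity scans from one source into a single escalated event.

```python
"""Toy SIEM correlation: enrich raw alerts with asset context and re-prioritise.

Added example for illustration only. The log format, signature names, hosts and
asset inventory below are constructed, not taken from any product or real network.
"""
import re
from collections import defaultdict

# Constructed sample alerts from a firewall (fw1) and an IDS (ids1), in a
# hypothetical timestamp + key=value format.
RAW_EVENTS = """\
2009-01-13T09:00:01 src=fw1 sig=WEB-EXPLOIT-EXAMPLE-1 severity=high src_ip=203.0.113.5 dst=web01
2009-01-13T09:00:02 src=fw1 sig=WEB-EXPLOIT-EXAMPLE-1 severity=high src_ip=203.0.113.5 dst=web02
2009-01-13T09:00:05 src=ids1 sig=PORTSCAN severity=low src_ip=198.51.100.7 dst=web01
2009-01-13T09:00:06 src=ids1 sig=PORTSCAN severity=low src_ip=198.51.100.7 dst=db01
2009-01-13T09:00:07 src=ids1 sig=PORTSCAN severity=low src_ip=198.51.100.7 dst=web02
2009-01-13T09:00:09 src=ids1 sig=DB-EXPLOIT-EXAMPLE-2 severity=high src_ip=198.51.100.7 dst=db01
"""

# Constructed asset inventory: business criticality (1-5) and the signatures whose
# underlying weakness has already been patched on that host. This is the "context"
# the firewall and IDS do not have.
ASSETS = {
    "web01": {"criticality": 3, "patched": {"WEB-EXPLOIT-EXAMPLE-1"}},
    "web02": {"criticality": 3, "patched": set()},  # same exposure, not yet patched
    "db01": {"criticality": 5, "patched": set()},
}

SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 4}
SCAN_THRESHOLD = 3  # distinct hosts probed by one source before scans are rolled up

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = m.group("ts")
        events.append(fields)
    return events


def contextualise(event):
    """Return (priority, reason) for one event given the asset inventory."""
    asset = ASSETS.get(event["dst"])
    if asset is None:
        # Unknown host: keep the device's own severity rather than drop the alert.
        return SEVERITY_SCORE[event["severity"]], "unknown asset, device severity kept"
    if event["sig"] in asset["patched"]:
        return 0, "target already patched: suppressed"
    return SEVERITY_SCORE[event["severity"]] * asset["criticality"], "severity x criticality"


def correlate(text):
    """Collect, contextualise and correlate events; return alerts sorted by priority."""
    events = parse_events(text)
    scored = [{**e, "priority": p, "reason": why}
              for e in events for p, why in [contextualise(e)]]

    # Correlation across events: one source probing many hosts becomes one
    # escalated reconnaissance alert, and the individual scan lines are folded into it.
    probed = defaultdict(set)
    for e in events:
        if e["sig"] == "PORTSCAN":
            probed[e["src_ip"]].add(e["dst"])
    rolled_up = set()
    for src_ip, hosts in probed.items():
        if len(hosts) >= SCAN_THRESHOLD:
            rolled_up.add(src_ip)
            worst = max(ASSETS[h]["criticality"] for h in hosts if h in ASSETS)
            scored.append({"ts": "-", "sig": "RECON-MULTI-HOST", "severity": "medium",
                           "src_ip": src_ip, "dst": ",".join(sorted(hosts)),
                           "priority": SEVERITY_SCORE["medium"] * worst,
                           "reason": f"{len(hosts)} hosts probed by one source"})

    kept = [s for s in scored
            if s["priority"] > 0 and not (s["sig"] == "PORTSCAN" and s["src_ip"] in rolled_up)]
    return sorted(kept, key=lambda s: -s["priority"])


if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS):
        print(f"{alert['priority']:>3} {alert['sig']:<22} {alert['dst']:<18} {alert['reason']}")
```

Run as-is, the six raw lines collapse to three prioritised alerts: the exploit attempt against the unpatched database host comes first, the same web exploit against the unpatched web02 second, and the three port scans from one source appear once as a medium-priority reconnaissance event. The identical exploit attempt against web01 never reaches the analyst because the inventory records it as patched, which is exactly the false positive the article describes.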

SIEM saves time for Council
Denbighshire County Council in Wales has deployed Eventia Suite, an advanced security information and event management (SIEM) solution from Check Point, to reduce the cost and complexity of managing its security infrastructure. The Council's network supports Internet access for all employees, all schools within the county, as well as Internet access from local libraries. This means close control over IT security is vital to protect against threats and attacks from these multiple endpoints.

"We provide web access for a diverse range of users, so our firewalls and other security devices produce huge volumes of log data – around 1GB per day,” said Shannon Gage, technical support analyst for Denbighshire County Council. “This made it difficult for me to do security health-checks and pro-actively identify any emerging issues or threats.

“I wanted to be able to work more efficiently and improve my network's overall security stance. Eventia Suite gives a clear, uncluttered picture of important events on the network. The analysis and reporting functions have cut the time taken for administration, and made detailed inspections of network traffic and devices easier," concluded Gage.

Eventia Suite, which includes Eventia Analyzer for real-time, automated security event correlation and Eventia Reporter for historical trend analysis, saves the Council’s IT team 2 man-days per month on administration by automating collection, correlation and prioritisation of raw security log data from the network.

By integrating security data across existing systems, and automating its evaluation, SIEM provides a single, clear view of your company’s security stance – helping to spot threats early, and enabling detailed reviews and security analyses by any party that needs to do so.

So unlike the LSE Professor and the Queen, you should always be able to notice what’s happening – and be ready to deal with it.

Opinion piece submitted by Nick Lowe, director of Northern Europe for Check Point
