<img alt="dcsimg" id="dcsimg" width="1" height="1" src="//www.qsstats.com/dcs8krshw00000cpvecvkz0uc_4g4q/njs.gif?dcsuri=/index.php/it-management/Primer-Security-Information-and-Event-Management&amp;WT.js=No&amp;WT.tv=10.4.1&amp;dcssip=www.baselinemag.com&amp;WT.qs_dlk=XYjp@0Q5AdbhbgWOYR5M-AAAAAA&amp;">

Primer: Security Information and Event Management

By David F. Carr  |  Posted 2005-08-04 Print this article Print

The latest twist on how security information and event management systems are helping companies' security log information.

What is it? Security information and event management (SIEM) systems help you gather, store, correlate and analyze security log data from many different information systems. This data may prove valuable as part of a network security organization's immediate response to an attack, making it possible to see, for example, all the virtual private network connections that were active when a behind-the-firewall server came under attack. Or in the case of an incident discovered after the fact, such as the theft of credit card numbers, the system could produce reports for police and regulators from the archived log data.

Why is it important? As the volume and importance of security log data grows, it becomes crucial to store it in a compressed format and have better ways of analyzing it. Measures such as the Sarbanes-Oxley Act have emboldened auditors to require that log data be kept longer in case it is needed for an investigation. Gartner security systems analyst Amrit Williams says applying this requirement to all systems, rather than just financial ones, probably goes beyond the letter of the law. Nevertheless, many of his clients cite pressure from auditors as a reason for buying these security systems, which cost between $100,000 and $500,000.

Who are the vendors? Most major security and systems management vendors have a security information and event management offering. Gartner says the leaders are specialized software vendors, such as ArcSight, e-Security, Intellitactics, netForensics and Network Intelligence; it also gives high marks to Computer Associates' eTrust Security Command Center.

How difficult are these systems to implement? Quite difficult, says Gartner's Williams, given the complexities of gathering log data from so many systems. Most early system software required companies to set up clustered relational databases as the storage mechanism, an obstacle for organizations with little experience using them.

Network Intelligence was the first vendor to win significant market share with a system appliance, which simplified deployment because it came preconfigured with a database for storage. Other vendors, including Cisco (with its acquisition of Protego), have appliance-based offerings, and Symantec is beta-testing an appliance for release this fall. Despite the advantages of appliances, SIEM software will retain market share with customers who want more control and ability to customize than an appliance allows, or who want to extend existing enterprise storage, according to Williams.

Who is using it? Regulated industries such as utilities, financial services and health care are big on these systems. Sean Curry, infrastructure engineering manager at Calpine, an operator of electric power plants, discovered he needed a better way of managing log data after the firm started using virtual private networks, rather than dedicated telecommunications lines, to connect to 103 remote locations. That saved the company about $140,000 per month, but it also meant establishing firewalls at each of those locations, with log entries generated every time a VPN connection was established.

"We're logging 60 gigabytes of data per day, 1,200 events per second," Curry says. As the storage requirements for that data outstripped capacity, Calpine pulled older records offline. Though the records were archived on tape rather than deleted, auditors complained that they weren't readily available for analysis.

Using a Network Intelligence appliance, Calpine can retain more information online in a compressed form and produce more sophisticated reports, more quickly. Curry also runs reports for human resources on whether employees are violating "acceptable use" policies by, for instance, downloading pornography.

David F. Carr David F. Carr is the Technology Editor for Baseline Magazine, a Ziff Davis publication focused on information technology and its management, with an emphasis on measurable, bottom-line results. He wrote two of Baseline's cover stories focused on the role of technology in disaster recovery, one focused on the response to the tsunami in Indonesia and another on the City of New Orleans after Hurricane Katrina.David has been the author or co-author of many Baseline Case Dissections on corporate technology successes and failures (such as the role of Kmart's inept supply chain implementation in its decline versus Wal-Mart or the successful use of technology to create new market opportunities for office furniture maker Herman Miller). He has also written about the FAA's halting attempts to modernize air traffic control, and in 2003 he traveled to Sierra Leone and Liberia to report on the role of technology in United Nations peacekeeping.David joined Baseline prior to the launch of the magazine in 2001 and helped define popular elements of the magazine such as Gotcha!, which offers cautionary tales about technology pitfalls and how to avoid them.
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.