
SAS and eSecurity Deliver Security Analytics

New joint solution collects, correlates and normalizes data from nearly 200 different security sources, allowing customers to perform historical trending and analysis to detect attack signatures, potential incursions, and other anomalies.

On paper, the combination of business intelligence (BI) technologies and enterprise security practices seems like a match made in heaven.

After all, firewalls and other security devices typically generate enormous amounts of data, while BI technologies such as data mining are designed to sift through large volumes of data to determine trends, patterns, and anomalies.

Last week, SAS Institute Inc. touted just such a combination when it partnered with enterprise security services specialist eSecurity Inc. The two companies plan to jointly market a new deliverable based on SAS’ IT Security Management and eSecurity’s enterprise security management (ESM) solution.

SAS first introduced IT Security Management last year. Since then, says Dan Minto, director of worldwide strategy for IT management solutions, customers have asked for even more. “What we heard from our customers was that this was a great product and we’re really excited about it, but what we’d really like to see is an end-to-end solution, bringing together real-time, event correlation with historical trending and analytics,” he explains.

Enter eSecurity, which markets a suite of ESM solutions that collect, correlate and normalize data from nearly 200 different security sources. After security data is collected by eSecurity, it’s delivered to a SAS warehouse from which customers can perform historical trending and analysis to detect attack signatures, potential incursions, and other unusual behavior.

The upshot, says Minto, is a joint solution, available from either vendor, that can perform sophisticated analysis and trending on all of the security data an enterprise collects. “One of our strengths is being able to bring all of that data in together into one enterprise warehouse and look across it and analyze it, where most security solutions on the market are point solutions where they have to have multiple types of warehouses,” he explains.

One example of the kind of deep analysis provided by the combined SAS-eSecurity solution is the ability to detect low-profile attacks that occur over an extended period of time. “It’s easy for front-end correlation systems to miss the slow and low types of attacks. Those are the attacks that happen over time and fly under the radar screen. But by bringing them together under business intelligence, we can see them and connect them over time,” Minto asserts.
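The two points above, normalizing records from several sources into one schema and then trending over a long horizon to catch activity that a short real-time window misses, can be shown concretely. The following is an added example written for this page; it is not code from SAS, eSecurity, or either company's product. The two source formats (a firewall key=value line and an IDS JSON record), the field names, the scanner addresses, the thresholds, and every log line are constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- Constructed sample events (hypothetical, not real logs) ----------------
# Two made-up source formats: a firewall key=value line and an IDS JSON record.
# "198.51.100.9" is a noisy scanner: 12 hosts inside one minute, all seen by
# the firewall.  "203.0.113.7" is a low-and-slow scanner: one new host per
# day for 12 days, alternating between the firewall and the IDS so that no
# single source ever sees more than 6 of its targets.
def constructed_events():
    t0 = datetime(2003, 9, 1, 2, 0, 0)
    lines = []
    for i in range(12):
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(("fw", f"{ts} action=DENY src=198.51.100.9 dst=10.0.0.{i + 1} dport=22"))
    for i in range(12):
        ts = (t0 + timedelta(days=i, hours=3)).isoformat()
        dst = f"10.0.1.{i + 1}"
        if i % 2 == 0:
            lines.append(("fw", f"{ts} action=DENY src=203.0.113.7 dst={dst} dport=445"))
        else:
            lines.append(("ids", json.dumps(
                {"ts": ts, "sig": "probe", "src_ip": "203.0.113.7", "dst_ip": dst})))
    return lines

FW_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")

def normalize(source, line):
    """Map one raw record from a named source into the common schema
    {ts, src, dst, source}.  Each new source type needs its own branch."""
    if source == "fw":
        m = FW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable firewall line: {line!r}")
        return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                "dst": m["dst"], "source": source}
    if source == "ids":
        rec = json.loads(line)
        return {"ts": datetime.fromisoformat(rec["ts"]), "src": rec["src_ip"],
                "dst": rec["dst_ip"], "source": source}
    raise ValueError(f"unknown source type: {source}")

def sweep_sources(events, window, min_targets):
    """Return the set of src addresses that reached at least `min_targets`
    distinct destinations within some span no longer than `window`.
    A 60-second window models a real-time correlation engine; a 30-day
    window models trending over the warehouse."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:  # slide the window start
                lo += 1
            if len({e["dst"] for e in evs[lo:hi + 1]}) >= min_targets:
                flagged.add(src)
                break
    return flagged

def demo(min_targets=10):
    events = [normalize(src, line) for src, line in constructed_events()]
    return {
        "realtime_60s": sweep_sources(events, timedelta(seconds=60), min_targets),
        "warehouse_30d": sweep_sources(events, timedelta(days=30), min_targets),
        # the same 30-day analysis run per source, as a point solution would
        "fw_only_30d": sweep_sources([e for e in events if e["source"] == "fw"],
                                     timedelta(days=30), min_targets),
        "ids_only_30d": sweep_sources([e for e in events if e["source"] == "ids"],
                                      timedelta(days=30), min_targets),
    }

if __name__ == "__main__":
    for name, srcs in demo().items():
        print(f"{name:14s} flags: {sorted(srcs) or '-'}")
```

The 60-second rule flags only the noisy scanner; the 30-day pass over the unified event set also flags the slow one. Running that same 30-day pass on each source separately flags nothing new, because each source saw only half of the slow scanner's targets, which is the case for a single warehouse rather than per-product stores.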

Minto argues that the convergence between enterprise security and BI is already happening. After all, he points out, SAS and eSecurity started working with each other as a result of a joint engagement with the U.S. government. “I believe that the security paradigm is really shifting … from a security-based approach (where you try to keep the bad guys out) to a risk management approach based on business needs (where security has to understand the drivers and understand the impact and make costs-versus-benefits decisions). That’s another area where BI has traditionally excelled,” he says.

Mike Schiff, a senior analyst with consultancy Current Analysis Inc., believes that the combination of the two practices makes good sense. “Most of these [enterprise security products] collect a lot of data, but who has time to analyze it?” he points out. “It’s not just enough to collect it. You also need to analyze it. So SAS is applying its data mining and analytic skills to security, and it makes a lot of sense, especially with the events of this month.”

Moreover, Schiff suggests, it’s a good potential market for SAS, which has traditionally been strong in data mining and analysis: “Analytical data mining is definitely one of their core competencies. It’s always been a competitive differentiator for them.”

Minto says the SAS-eSecurity partnership will probably grow in the future. SAS plans to design additional data analysis and data mining capabilities that will allow it to do more in the back end, he says. The two companies could add a systems integrator or storage vendor to the partnership as well. In the near term, he confirms, both SAS and eSecurity will produce APIs for one another’s products over the next six months.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
