In-Depth

Security Event Management: It Pays to be Proactive

To resist downtime and attacks, many organizations are turning to security event management software, which collects and analyzes information from a variety of devices, PCs, servers, and firewalls, giving security administrators a consolidated view of network security.

• By Mathew Schwartz
• 06/09/2004

Deciding how to budget is difficult, but here’s a rule of thumb: experts say that to truly resist downtime and attacks, be proactive. Catch attacks or configuration errors early and you'll keep your networks running and minimize interruptions. Historically, however, it’s been difficult to see what’s actually happening in the enterprise without being overwhelmed by information.

That's where security event management software comes in.

Not having a clear view impedes good security practices. In fact, though enterprises (rightly) worry about the threat of hackers, 70 percent of network outages stem not from outside attacks but internal problems, says event management software maker eIQNetworks. Internal problems encompass not only malicious insiders but also incorrect device settings. Both can also lead to network downtime. Restoring a network can be time-consuming and difficult. Organizations often spend 90 percent of the time needed to do a restore simply attempting to identify the cause of an outage, the company says.

To catch attacks or configuration errors early, many organizations now use security event management software, available from a number of vendors, including GuardedNet, NetIQ, and Symantec. The software collects and analyzes information from a variety of devices, PCs, servers, and firewalls, to give security administrators a consolidated view of network security.

Companies can use such an approach “to proactively provide them with the critical information they need to stay steps ahead of mounting vulnerabilities, threats, and attacks from inside the network, as well as gain insight into systems usage to meet various regulatory requirements,” notes Jeff Wilson, an Infonetics analyst.

Regulations often advocate just such a proactive security stance. “New regulations require organizations [to] keep track of and prevent unauthorized users from gaining access to sensitive information,” says Vijay Basani, CEO of eIQnetworks. Such regulations include Sarbanes-Oxley, Gramm-Leach-Bliley in the financial services sector, and for health-related organizations, the Health Insurance Portability and Accountability Act. As a result, “organizations need to understand the sensitive exposure of their infrastructure—servers, applications, and business—to various attacks and vulnerabilities.

Overworked security administrators often crave a consolidated, real-time view of system and event logs to see the network’s overall health and better understand how (or if) a system is compromised or misconfigured, without checking each machine individually. Instead of constantly assessing every machine, security event management software lets security managers monitor the network and remediate severe threats immediately.

Most event-management software uses software agents, running on all monitored machines, to pipe critical data back to a central server, which watches for such things as misconfigurations, intrusions, out-of-date virus settings, or unapplied patches. Other software goes a step further with an agent-less approach, which can simplify administration.

For example, eIQnetworks’ SystemAnalyzer, which runs on Windows NT, 2000, 2003, and XP operating systems, can automatically discover (and continue to automatically discover) the network-attached systems and devices running those operating systems as well as Linux- and Unix-based systems and devices, including applications, directory services, print server events, and security.

Regardless of the collection method, all security event management software collects a range of data from devices it’s watching, then consolidates, correlates, and analyzes it to discern—in near-real-time—active attacks, vulnerabilities, or other threats.

“With our large server and workstation installation, it would be nearly impossible to have a handle on the health of all our systems without a centralized event management and analysis solution,” notes Rod Young, a system administrator for Dollar Financial Group. Dollar uses eIQnetworks’ software to monitor “any attempted unauthorized access to our systems,” he says, which is essential for preventing information loss or system downtime. Young says such software also reduces time spent administering the network, and lets Dollar ensure critical systems are always running.