In-Depth
SIM Software Aims for SMBs
One company blocks real-time attacks, demonstrates compliance, and relays security effectiveness to executives.
Can you detect, correlate, and block attacks on your network in real time?
According to research conducted in early 2006, this year 30 percent of North American companies plan to implement a security information management (SIM) product, and one-third will do so to detect and block attacks in real time.
Historically, this is why companies have implemented SIM software. “Many SIM products started out life as event-correlation tools, making sense of the thousands of alerts produced by intrusion detection systems, and helping security folks identify really serious problems in the face of information overload,” notes Paul Stamp, the Forrester Research analyst who led the study.
SIM use is expanding beyond just attack mitigation. According to Stamp, the remaining two-thirds of survey respondents planning to implement SIM “were split evenly between wanting SIM tools to provide in-depth information to facilitate incident response and investigations, generate the reports auditors like to see as part of the compliance process, and help chief information security officers get a better understanding of how effective their security programs are.”
Struggling to Secure a Rapidly Growing Network
Such concerns recently drove WestJet Airlines Ltd. to adopt SIM software. The short-haul, low-fare carrier based in Calgary, Canada operates 61 aircraft on North American routes. Over the last five years, WestJet has devoted especial attention to “building out our infrastructure, installing multi-layer firewalls, and bringing our antivirus, anti-spam, and intrusion detection software up to date,” says Bruce Elliott, its senior manager of IT security.
Recent, rapid business growth—WestJet is now Canada’s second-largest airline, with 5,000 employees—has made detecting and responding to incidents, and gauging overall security program effectiveness, much more difficult, and thus “driven the need for increased investments in security technology,” Elliott says.
Today, WestJet manages approximately 700 servers in three locations, and sees up to 80 GB of data per day cross its networks. “Ninety percent of data generated is what we call noise. What I worry about is the 10 percent that has the potential to cause tremendous damage to the business,” he says. Manually sifting through all that data is out of the question. “Without an automated solution, it’s impossible to collect this data from the various sources, analyze the events, and then escalate the high-impact alerts—the important 10 percent—in order to take action.”
To better keep an eye on its network, WestJet began searching for SIM software to help “simplify the complexity of running our security operations.” WestJet ultimately implemented two products from Intellitactics: Security Manager (a SIM product) and SAM (an accompanying security dashboard). Elliot says the decision largely came down to what was most interoperable with WestJet’s existing, heterogeneous network, and that WestJet chose the Intellitactics software especially for its “real-time event monitoring, and ability to quickly make sense of alerts and incidents.”
SIM Software Aims for SMBs
WestJet is part of an emerging trend toward using SIM to solve more business problems and doing so in a small or medium-size business (SMB). Whereas earlier generations of SIM tools were aimed at large organizations with the time and resources to tune and maintain the software, SMBs increasingly require such tools but don’t want to dedicate time or resources to installing and maintaining them.
“SMBs want simpler SIM tools,” notes Forrester’s Stamp. In particular, they want “leaner SMB SIM tools that aren’t super-scalable but provide a simple, clean interface that will display a set of real-time statistics and trending reports, while giving users the ability to drill down for deeper information where necessary.”
This more automated type of approach, however, requires some compromises, so vendors of SMB tools tend to pursue the 80/20 rule, and focus on the most likely problems an SMB would encounter, says Stamp. “SMBs need enhanced usability and ease of deployment, rather than the ability to cover every eventuality.”
Related Articles:
About the Author
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.