In-Depth

Updated Security Information Manager Tackles Massive Event Logs

SIM adds real-time capabilities but compliance, not threats, stills drives this market

Last week Symantec Corporation announced revision 4.5 of its Security Information Manager (SIM). The updated appliance, which started shipping at the end of 2006, adds real-time response capabilities, more prepackaged queries and correlation, and support for more event log sources making for faster deployments.

Yet the entire pack of security information managers, also known interchangeably as security event managers (SEMs), remains a tight pack. Although most offer some real-time threat analysis and response benefits, compliance monitoring remains the stronger purchase motivator.

Combine all of the security logs from servers, endpoints, databases, IDSes, and firewalls and IT managers can gain valuable insight to past, current, and impending security threats. The logs also give auditors the evidence of compliance to both corporate and regulatory IT mandates. Depending on the specific regulations (which range from PCI to SOX to HIPAA), logs must be retained anywhere from 30 days to 7 years.

Fergal Lyonf, a Symantec product manager, summarized the basic need for SIM: “Corporations are facing a massive proliferation of data, and tracking the data from a proliferation of security products (such as antiviruses, firewalls, vulnerability scanners, IDS, etc.) is a mess.” As the corporate data stores grow, the difficulty in managing the security infrastructure grows.

Depending on whose numbers you believe, the number of security events in a Fortune 500 company is close to 250,000 per second, and the storage devoted to storing events for 2007 is estimated at 1,950 terabytes. Even if believe the true rate is much less, Fortune 5000 and major institutions are clearly deluged by events, and the event numbers are expected to double in less than three years.

Those events are not confined to threats. Logs from databases and applications are thrown into the event pot.

Log Overload

If my eyeballs have difficulty maintaining their discipline reading logs from just a handful of servers and key workstations, imagine the task corporations face in manually analyzing individual logs. Even when automation is applied in the form of Syslog or other event consolidators, the process isn’t useful for real-time responsive, nor good for correlating events from across departments, nor monitoring blended threats such as phishing. Using logs to produce compliance information is a substantial effort.

That’s the entry point for SIMs/SEMs. One role is the event log consolidator. For example, Symantec’s newer SIM has a collector library that taps into about 120 different event-log sources. The collection facilitates the enterprise security view by including parameter systems such as firewalls and vulnerability scanners, central systems such as databases and e-mail systems, and client/host-based systems such as antivirus software and operation-system logs.

Symantec’s SIM, like many competing products, applies compression to reduce log storage space. Symantec’s twist is that is first categorizes and normalizes the events, adding an integrity check, and storing the result in a proprietary format readable only by the appliance. Symantec claims the technique retains the needed information for forensic examinations and should survive chain-of-evidence challenges in administrative or judicial proceedings.

The normalization is based on effects, mechanisms, and resources (EMR), a potential Internet Engineering Task Force (IETF) standard for categorizing security events. The eventual long-term benefits from this work will be faster recognition of threats and better analysis of compliance.

One Symantec assertion that rings true is the newly-minted appliance’s ability to correlate 30,000 events per second. That speed is more important for real-time threat detection where a single security system, such as a firewall or IDS, can’t produce the combined analysis that signals the threat.

Symantec also brings to the game its DeepSight alert server with its usual vulnerability tracking, emerging threats, IP address watch list, and black holes list to complement the appliance’s analysis capabilities. In operation, the system can reduce incident and remediation recognition time, prioritize security incidents, and tie into help desk systems and asset management systems to assign trouble tickets and track remediation history.

Additionally, Symantec ships about 220 queries for typical operational and management reports and includes the expected forms and tools for building both ad hoc and standing queries for distribution.

Speedy Implementation

According to Symantec, implementing the appliance from out-of-the-box to base functionality usually takes a week. The time to full deployment usually follows the 80-20 rule and varies widely. Scalability comes from using multiple devices, and Symantec reports some customer deployments covering 30,000 to 150,000 endpoints. Generally, costs start at around $50,000 and most corporations have at least one full-time employee tending the development and feeding of the box.

Paul Stamp, senior analyst at Forrester, likes what he sees. “The new version of Symantec’s SIM is a huge improvement over the previous efforts and backfills a lot of weakness, particularly the retrospective viewing of events,” he notes.

However, Stamp also adds salt to some of the claimed real-time capabilities. “Be careful when viewing the claims of events correlations per second. Everyone can do it. Symantec does have a good implementation and can do the correlation faster, but there are others like ARCSight and Network Intelligence.”

Stamp recognizes that intrusion-detection systems and firewalls are more mature and battle-hardened than SIMs/SEMs. Hence, firewalls and IDS remain the top two real-time threat defense lines. He also sees the SIM/SEM market more for compliance than threat analysis, “but neither defense spotlights all nuanced attacks and violations, both from the outside world and inside the house. That’s a role that SIM/SEM fills.”

Symantec’s SIM 4.5 does bring better capabilities to an evolving security and regulatory battlefield. Aimed at medium to large enterprises and institutions, SIM 4.5 is one of several competitors that will continue evolving as a real-time security threat analyzer. More importantly, Symantec and others will aid significantly in reporting compliance success and managing the burgeoning event-log morass.

Must Read Articles