
P1: GAD

pp1127-jons-480643 JONS.cls February 4, 2004 16:43

Journal of Network and Systems Management, Vol. 12, No. 1, March 2004 (©2004)

Report
Edited by Paul Brusil

Security Management Convergence via SIM (Security Information Management)—A Requirements Perspective

Diana Kelley1

1. INTRODUCTION

If IT and networking resources are scattered across an enterprise, then the risks and vulnerabilities inherent to these resources are also distributed across an enterprise. Attacks can similarly be distributed across many enterprise resources. Until recently, there has been no ability to determine from one place the composite security state of an enterprise. To fill this void, attention is now being given to integrating disparate observations of local security matters into a single rolled-up view of the composite security state of an enterprise.

These efforts are referred to as Security Information Management (SIM) or Security Event Management (SEM) or Security Event Correlation and Aggregation. They address an enterprise’s need to aggregate and correlate alert information, log and event information, and any other elementary information relevant to security from enterprise resources such as networking devices of all sorts, diverse security products (such as firewalls, intrusion detection systems and anti-virus software), heterogeneous operating systems, applications and databases. The intent is to create a coign of vantage from which an enterprise can intelligently manage exposure, risk, and vulnerabilities. The aggregate of enterprise resources produces a plethora of security-relevant information in the form of logs, SNMP traps [1], and other reporting mechanisms. But converging such security information together is a nontrivial task [2]. However, it is a necessary task to efficaciously support forensic work, identify where attacks occurred, isolate what attacks may be occurring and prevent future attacks by closing threat windows.

The SIM arena grew organically as proprietary offerings from a variety of vendors, such as early entrants eSecurity and NetForensics, rather than from a concerted standards effort via bodies such as the IEEE or the IETF. This growth pattern has created an industry that is attempting to retrofit standards after the fact. The result is an industry that is built on vendor offerings, with each vendor attempting to provide as much coverage as possible by accepting inputs from the large and varied security and management products used in the enterprise.

1 Security Strategist, Computer Associates, 5 Roberts Road, Amherst, New Hampshire 03031. E-mail: [email protected]

137

1064-7570/04/0300-0137/0 ©2004 Plenum Publishing Corporation

Indeed, the importance of SIM, and the need to introduce some standardization into the space, has recently spawned a new industry effort called the Open Security Exchange (http://www.opensecurityexchange.com/info/mission.html) that promotes de facto enterprise-wide standards for integrating the management of security products and for exchange of convergent security-relevant data. The Exchange was founded by companies such as Computer Associates Intl., GemPlus, and HID on April 14th, 2003. The mission of the Exchange is to act as a pre-standards body that will provide “vendor-neutral interoperability specifications and best-practices guidelines in the area of security management.” The intent of such integration and convergence is to minimize an enterprise’s security threat exposure while lowering total operational cost.

To provide aggregate security management intelligence, SIM products must “focus on the mission, collection of sources and information, collation and management of the collected intelligence, analysis and assessment” [3]. To deliver this intelligence, SIM products must gather, collate, manipulate, and analyze bits and pieces of security-relevant data from across an enterprise. The data can be analyzed for adherence to policies, such as firewall rule sets and acceptable login times. Most SIM products identify policy violations and other security vulnerabilities and send alerts to administrators so action can be taken. Some SIM products also support automated responses that can prevent further risk by taking action such as shutting down ports on a firewall or a specific account on a server. SIM products also supply forensic capabilities by correlating event information across a variety of systems and enterprise resources into a single console or report. As such, SIM solutions give managers a holistic view of the composite of the security state across an entire enterprise so that risks can be addressed and remediated quickly, before attacks occur, and ongoing security breaches can be thwarted. To instigate corrective actions, some SIM products can formulate and communicate security management control actions to one or a variety of security products and/or security-enabled enterprise resources.

Key to a successful enterprise-wide integration of security-relevant information and security events is a thorough understanding of the security management information integration needs of an enterprise. In order to select an effective SIM solution capable of providing security management intelligence to an enterprise, the underlying business and technical drivers need to be addressed. Examples of these requirements and associated issues are discussed.


2. BUSINESS CONSIDERATIONS

Enterprises need to understand the problems they are trying to solve with SIM before they can select and build a working solution. Some enterprises wish to address issues like the one outlined earlier. Other enterprises may not need real-time coverage, but instead have very in-depth reporting needs for forensic use. There are many possible goals to accomplish with SIM technology. It is critical to understand explicitly the problem and requirements that a SIM solution must address in a specific enterprise. The following highlights some of the most common areas SIM product buyers should review before evaluating SIM solutions.

2.1. Distributed Management—Geographical

What does an enterprise look like geographically? Are all security components housed in a single data control room? Where are the IT and network components that are collecting security-relevant data and events? Are they distributed throughout a building connected by a public backbone? Are the security products scattered throughout multiple offices around the country or the globe? Is there a Managed Security Services Provider (MSSP) that homes and manages some of the security components at a remote site?

The answers to these questions lead to requirements that will help determine which SIM solutions best fit the enterprise. If the SIM information is going to traverse public networks at any time, it must be secured in transit. Unencrypted SNMP traps may be acceptable on a closed network, but they are a major vulnerability when passed over public ones. Another geographic consideration is remote security management of security products via a centralized SIM station/console. SIM consoles, depending on their level of control over the security products they manage, can be attractive attack targets. If an enterprise needs to support remote access to a SIM station/console, then access to the SIM station/console has to be protected with best practices such as strong authentication of parties attempting to use the station/console, potential role-based access to different integrated views of the aggregated security information, encrypted data transfer, and hardening of the console OS and application.

2.2. Distributed Management—Political

Who manages the systems and resources monitored by the SIM? Who will be responsible for the SIM itself? Many enterprises have complex organizational structures that can convolute the responsibility chain. Other organizations have complex partnering and shared network spaces that complicate the ownership issue. If the SIM solution is to be owned by one group but will interoperate with, provision or remediate products that belong to another group, organizational boundaries will be spanned.


Ownership of the products to be managed via a SIM product needs to be determined. Owners’ acceptability of monitoring and control via a SIM product needs to be determined. If a SIM solution cannot hear or see the security-related activity and events in certain parts of the enterprise, there will be vulnerabilities for the entire enterprise.

Can code be loaded on specific security devices? If not, an agent-based SIM solution may not be a good fit. Is it acceptable for the device to be managed automatically by a SIM product? If the answer is no, potential SIM solutions may have to support passive listening mode only.

2.3. Workflow Process Integration

SIM solutions can be viewed as a workflow process for security. If workflow and change management control is an enterprise priority, the SIM solution must support these needs. For enterprises that have automated all or part of their workflow process, being able to integrate their existing solution with the SIM solution is a key consideration. Buyers should assess the current state of their workflow process and determine with which other systems it needs to interconnect. Is it tied into an ERP system and does the SIM solution need to monitor the ERP? Does it support XML? If so, SIM products with XML support may be better choices—depending on the priorities of all the SIM requirements.

2.4. Standards

If an enterprise only needs to manage a handful of security devices such as firewalls from a single vendor, there may be no need for a SIM solution. As such, an inventory of the enterprise resources to interact with a potential SIM solution is key. How many heterogeneous firewalls are there? What about numbers and types of anti-virus packages, network intrusion detection systems, host intrusion detection systems, and network devices and system resources that need to be included in the domain of enterprise resources to interwork with a SIM solution? How many different types of internal systems, applications, security products and so on must the SIM solution be capable of monitoring, merging their security-relevant outputs, and/or controlling their security-relevant parameters?

The list of such enterprise resources may need to be complemented with a protocol list. A SIM solution must be able to communicate with, and speak the same languages as, all security and security-enhanced devices in the enterprise. Also, SIM solutions should be able to normalize the varied protocols and reported information. An emerging standard for threat data normalization is CVE (Common Vulnerabilities and Exposures) [4]. If an enterprise wants to use CVE information, a CVE-compliant SIM solution will be required.

Normalizing all the security-relevant observations and events to comparable or common points in time may also be a requirement. But, does the enterprise have a requirement for what types of temporal-based normalization algorithms are acceptable?
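As an added example (not code from the paper), the following Python script shows the two normalization steps this section asks a SIM to perform: parsing two differently formatted sources, a firewall syslog line and a host IDS JSON record, into one common schema that carries a CVE field, and bringing their timestamps onto a common UTC timeline by supplying the year and zone the syslog format omits and subtracting a known clock skew. The log formats, field names, timezone and skew values, and the CVE placeholder are all constructed for the example.

```python
"""Normalize events from two heterogeneous sources into one schema.

Added example, not code from the paper: a constructed firewall syslog
feed (local-time timestamps, no year, no zone) and a constructed host IDS
JSON feed (epoch timestamps from a clock known to run fast) are parsed
into a common record with a UTC timestamp and a CVE field, then merged
into one time-ordered stream. Field names, the skew value and the sample
lines are this example's assumptions.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input (not real device output).
FIREWALL_LINES = [
    "Mar 12 09:03:01 fw1 kernel: DROP src=10.0.0.5 dst=192.0.2.10 proto=TCP dpt=445",
    "Mar 12 09:03:07 fw1 kernel: ACCEPT src=10.0.0.9 dst=192.0.2.20 proto=TCP dpt=22",
]
HIDS_RECORDS = [
    # "CVE-0000-0001" is a placeholder identifier, not a real CVE entry.
    '{"ts": 1079100190, "host": "srv7", "sig": "CVE-0000-0001", "src": "10.0.0.5", "sev": 4}',
]

# Temporal normalization inputs the collector must know about each source
# (assumed values): the firewall reports local time in UTC-5 without a year,
# and the HIDS host clock runs 45 seconds ahead of the reference clock.
FW_TZ = timezone(timedelta(hours=-5))
FW_YEAR = 2004
HIDS_SKEW = timedelta(seconds=45)

FW_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day> ?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>DROP|ACCEPT) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dpt=(?P<dpt>\d+)$"
)


def parse_firewall(line):
    """Syslog-style firewall line -> common record (time converted to UTC)."""
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised firewall line: {line!r}")
    local = datetime.strptime(
        f"{FW_YEAR} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return {
        "ts_utc": local.replace(tzinfo=FW_TZ).astimezone(timezone.utc),
        "source": "firewall",
        "sensor": m["host"],
        "src": m["src"],
        "dst": m["dst"],
        "cve": None,  # a packet filter does not name vulnerabilities
        "severity": 2 if m["action"] == "DROP" else 0,
        "summary": f"{m['action']} {m['proto']}/{m['dpt']}",
    }


def parse_hids(record):
    """JSON host-IDS record -> common record (clock skew removed)."""
    d = json.loads(record)
    sig = str(d.get("sig", ""))
    return {
        "ts_utc": datetime.fromtimestamp(d["ts"], tz=timezone.utc) - HIDS_SKEW,
        "source": "hids",
        "sensor": d["host"],
        "src": d["src"],
        "dst": d["host"],
        "cve": sig if sig.startswith("CVE-") else None,
        "severity": int(d["sev"]),
        "summary": f"signature {sig}",
    }


def normalize(fw_lines=FIREWALL_LINES, hids_records=HIDS_RECORDS):
    """Parse both feeds and return one list ordered by normalized UTC time."""
    events = [parse_firewall(l) for l in fw_lines] + [parse_hids(r) for r in hids_records]
    events.sort(key=lambda e: e["ts_utc"])
    return events


if __name__ == "__main__":
    for e in normalize():
        print(e["ts_utc"].isoformat(), e["source"], e["src"], "->", e["dst"],
              e["cve"] or "-", e["summary"])
```

The ordering of the merged stream is only meaningful because the year, zone and skew were applied first; without them the two feeds would sort by their raw timestamps and the IDS signature would appear five hours after the firewall decision it actually preceded.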

The International Organization for Standardization (ISO) has a code of practice for information security management [5]. It “gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization” [6]. While an enterprise may benefit from these best practices, an enterprise may not necessarily need a SIM product to be compliant to this ISO standard.

As the Open Security Exchange begins achieving its goal of developing de facto interoperability standards to foster integration of the various elements of an enterprise’s security and security management infrastructure, if such standards become commercially popular, enterprises should consider establishing requirements for SIM products to adhere to such standards.

2.5. Usability

Usability is a critical requirement. If it takes longer to manage via a SIM product than via the individual element managers of the distinct resources, no benefit is gained. A difficult-to-use SIM solution can lead to human and operator failure when managing the security aspects of the distinct resources within an enterprise. SIM solutions with simple, intuitive user interfaces better meet enterprise requirements for lower SIM training costs and human resource needs.

2.6. Audit Support, Legal Compliance, and Control

Audit firms are becoming involved in security audits as part of the overall enterprise review. In some areas, such as financial services and healthcare, audits are part of the compliance process with governmental legislation. But most auditors have not been trained to read through seemingly cryptic syslog information. Enterprises looking for a SIM solution to help with the audit process have requirements for SIM products to be able to translate the security-relevant information gathered into terms and representations that a layperson and auditor can understand. Visualization, such as graphics and charts, is very useful as well.

For enterprises required to meet legal audit requirements, such as compliance with Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security [7], the Gramm-Leach-Bliley Act (GLBA) [8], and the European Union data directive [9], a SIM requirement is that a SIM solution must understand, and be able to report on, the specific legal audit requirements of applicability to the enterprise.

Audit control and compliance proof are another area with SIM solution requirements, such as the ability to report on changes since last audit and show proof of compliance. Enterprises with installed audit and policy control products, such as the Microsoft Security Configuration Manager, will have requirements for a SIM solution that complements such existing products.

3. TECHNICAL CONSIDERATIONS

The following is a basic set of technical considerations and requirements for an enterprise’s SIM solution.

3.1. Near-Real-Time Alerting vs. After-the-Fact Reporting

Enterprises need to determine requirements for the latency within which SIM data and event reports need to be assembled and displayed. Do they need attention with some specifiable low level of latency soon after they are received by the SIM system/console? Or, can SIM data such as log files and other relevant event data be gathered in batch at a prescribed time of day and batch analyzed in toto? While there are many tangible benefits to using real-time SIM, there are some reasons for using timed data gathering and analysis. Because SIM systems gather and manage enormous volumes of data, enterprises may prefer transmitting SIM-relevant data during a time when enterprise resources are not busy. Such requirements may be more appropriate for enterprises that do not need to see security-related events as they happen but instead intend to use SIM data primarily for forensic purposes.

3.2. Proactivity and Automated Response

Enterprises need to determine requirements on how proactive they want their SIM solution to be. Do they want automated SIM system responses that can take actions without intervention from a human administrator? What types of responses should be automated? Responses can range from the very simple, closing down a port on a firewall, to the more complex, identifying a rootkit installation and deleting it. While the speed of automated response can be appealing, it can also be a double-edged sword. A system that is entirely automated is at risk for being turned on itself by a sophisticated attacker. Enterprises often require a hybrid solution wherein a SIM product can perform certain tasks automatically and queue others for approval. A useful requirement is that a SIM solution support configurable response options.
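One shape a configurable, hybrid response policy can take, as an added example that is not from the paper or any SIM product: each response class is either executed automatically or queued for an administrator, assets such as the SIM console itself are never touched automatically, and the number of automatic actions per time window is capped so that a burst of attacker-induced alerts cannot turn the SIM’s own response capability against the enterprise. Action names, policy fields and the sample alerts are assumptions of the example.

```python
"""Hybrid automated response: act on some alerts, queue the rest for a human.

Added example, not code from the paper or any SIM product. A response
policy names which action classes may run without an administrator and
which must wait for approval, plus two guards against the response path
being turned against the enterprise: assets on a protected list are never
acted on automatically, and automatic actions are capped per time window.
Action names, policy fields and the sample alerts are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResponsePolicy:
    auto_actions: frozenset       # executed with no human in the loop
    approval_actions: frozenset   # always queued for an administrator
    protected_assets: frozenset   # never acted on automatically (SIM console, core routers, ...)
    max_auto_per_window: int = 5  # cap on automatic actions per window
    window_seconds: int = 60


@dataclass
class ResponseEngine:
    policy: ResponsePolicy
    executed: list = field(default_factory=list)
    approval_queue: list = field(default_factory=list)
    rejected: list = field(default_factory=list)
    auto_times: deque = field(default_factory=deque)  # timestamps of recent automatic actions

    def _auto_budget_left(self, now):
        while self.auto_times and now - self.auto_times[0] >= self.policy.window_seconds:
            self.auto_times.popleft()
        return len(self.auto_times) < self.policy.max_auto_per_window

    def handle(self, alert):
        """Route one proposed response; returns 'executed', 'queued' or 'rejected'."""
        action, target, now = alert["action"], alert["target"], alert["t"]
        if action not in self.policy.auto_actions | self.policy.approval_actions:
            self.rejected.append(alert)  # unknown action class: never run it
            return "rejected"
        if (action in self.policy.auto_actions
                and target not in self.policy.protected_assets
                and self._auto_budget_left(now)):
            self.auto_times.append(now)
            self.executed.append(alert)
            return "executed"
        # Approval-class action, protected target, or budget spent: a human decides.
        self.approval_queue.append(alert)
        return "queued"

    def approve(self, index=0):
        """Administrator releases a queued response for execution."""
        alert = self.approval_queue.pop(index)
        self.executed.append(alert)
        return alert


DEFAULT_POLICY = ResponsePolicy(
    auto_actions=frozenset({"block_source_ip"}),
    approval_actions=frozenset({"disable_account"}),
    protected_assets=frozenset({"sim-console", "core-rtr1"}),
)

# Constructed alerts: a brute-force source, an alert naming the SIM console itself,
# a suspicious account, a destructive action no policy class covers, and a scan burst.
SAMPLE_ALERTS = [
    {"t": 0, "action": "block_source_ip", "target": "10.0.0.5", "reason": "auth brute force"},
    {"t": 1, "action": "block_source_ip", "target": "sim-console", "reason": "alert names a protected asset"},
    {"t": 2, "action": "disable_account", "target": "jdoe", "reason": "beaconing from user session"},
    {"t": 3, "action": "wipe_host", "target": "srv3", "reason": "rootkit suspected"},
] + [{"t": 4, "action": "block_source_ip", "target": f"10.0.0.{i}", "reason": "port scan"}
     for i in range(10, 17)]


def run(alerts=SAMPLE_ALERTS, policy=DEFAULT_POLICY):
    """Feed alerts through the engine; returns the engine and the per-alert dispositions."""
    engine = ResponseEngine(policy)
    return engine, [engine.handle(a) for a in alerts]


if __name__ == "__main__":
    engine, dispositions = run()
    for a, d in zip(SAMPLE_ALERTS, dispositions):
        print(f"{d:9} {a['action']:16} {a['target']:12} ({a['reason']})")
    print("awaiting approval:", len(engine.approval_queue))
```

With the sample policy the first block is executed, the alert against the console and the account disablement wait for a human, the host wipe is refused outright because no policy class covers it, and only four of the seven scan blocks run before the per-window budget is spent; the rest land in the approval queue rather than being silently dropped.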

3.3. Architecture and Scalability

Due to the massive amounts of information being processed by a SIM solution, a pure database approach within the SIM system does not scale well. The database is quickly filled with information and the engine is forced to look through more and more data, resulting in ever-increasing delays. SIM solution buyers should review a prospective SIM product’s architecture in depth, especially indexing and data management, and ask for references from customers that have networks, devices and traffic that are equivalent to their own to ensure that the prospective SIM product can handle the data load.

Reliability and up-time requirements such as Mean Time Between Failure and Mean Time To Repair need to be established. If the SIM solution has to be functional and reliable 24/7 then fault tolerance and redundancy are critical. Secure storage of the aggregate SIM data in geographically distributed areas may also be a requirement.

3.4. Configurability

Buyers that have custom requirements must rely on the ability to implement a highly customizable and configurable SIM solution. Enterprises with seemingly standard requirements could be surprised upon installing a SIM solution and looking at its limitations. While the ability to be configurable is important, also essential is how easily the SIM solution can be reconfigured as new needs arise. SIMs that can be configured with Graphical User Interfaces and rule sets are easier to support than those that require custom code changes.

3.5. Depth of Analysis-Intelligence

Enterprises can require any of a variety of techniques to analyze SIM data, including rules-based analysis, anomaly detection, and statistical correlation. Some SIM products come with a set of pre-configured rules which serve as a good starting point. However, such initial rules need to be revisable. The flexibility to add new rules or tweak existing ones to ensure proper compliance for the environment they are protecting is a typical requirement. Anomaly detection may be required in order to learn what is expected and to alert on unexpected, anomalous, behavior. Statistical correlation may be required with anomaly detection to categorize events and to report on behavior patterns by generating a baseline of expected use.

All of these analysis techniques are useful and catch different types of potential threats. Enterprises that require layers of protection should establish requirements for a blended solution that mixes the different analysis techniques.
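An added example (not code from the paper) of the blended analysis this section describes, run over a constructed, already normalized event stream: a rule (a threshold of failed logins from one source inside a sliding window), a statistical baseline (the current interval’s event volume against the mean and standard deviation of earlier intervals), and a correlation across sources (an IDS signature on a flow followed by the firewall accepting that same flow). Event fields, thresholds, the baseline counts and the CVE placeholder are assumptions of the example.

```python
"""Blended SIM analysis: a rule, a statistical baseline and a correlation.

Added example, not code from the paper. Events are assumed to be already
normalized into a common schema; "t" is seconds from the start of the
analysis interval. Thresholds, windows, field names and the sample data
are this example's assumptions ("CVE-0000-0001" is a placeholder).
"""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed events for one 10-minute interval.
EVENTS = [
    {"t": 0,   "source": "ids",  "type": "ids_alert", "src": "10.0.0.5", "dst": "192.0.2.10", "sig": "CVE-0000-0001"},
    {"t": 12,  "source": "fw",   "type": "fw_accept", "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"t": 30,  "source": "host", "type": "auth_fail", "src": "10.0.0.7", "dst": "srv3"},
    {"t": 35,  "source": "host", "type": "auth_fail", "src": "10.0.0.7", "dst": "srv3"},
    {"t": 41,  "source": "host", "type": "auth_fail", "src": "10.0.0.7", "dst": "srv3"},
    {"t": 48,  "source": "host", "type": "auth_fail", "src": "10.0.0.7", "dst": "srv3"},
    {"t": 52,  "source": "host", "type": "auth_fail", "src": "10.0.0.7", "dst": "srv3"},
    {"t": 400, "source": "fw",   "type": "fw_accept", "src": "10.0.0.9", "dst": "192.0.2.20"},
]
# Constructed baseline: event counts for the same interval on twelve earlier days.
BASELINE_COUNTS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 3, 4]


def rule_auth_bruteforce(events, threshold=5, window=60):
    """Rule: `threshold` or more auth_fail events from one source within `window` seconds."""
    alerts, recent = [], defaultdict(deque)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] != "auth_fail":
            continue
        q = recent[e["src"]]
        q.append(e["t"])
        while e["t"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == threshold:  # fire once, when the threshold is first reached
            alerts.append({"detector": "rule", "name": "auth_bruteforce", "src": e["src"], "t": e["t"]})
    return alerts


def anomaly_volume(events, baseline, k=2.0):
    """Anomaly: interval event count above the learned mean + k standard deviations."""
    count, mu, sigma = len(events), mean(baseline), pstdev(baseline)
    limit = mu + k * sigma
    if count > limit:
        return [{"detector": "anomaly", "name": "event_volume", "count": count, "limit": round(limit, 2)}]
    return []


def correlate_ids_then_accept(events, window=300):
    """Correlation: an IDS alert on a flow followed by the firewall admitting that flow."""
    alerts, pending = [], {}
    for e in sorted(events, key=lambda e: e["t"]):
        flow = (e["src"], e["dst"])
        if e["type"] == "ids_alert":
            pending[flow] = e
        elif e["type"] == "fw_accept" and flow in pending:
            ids = pending.pop(flow)
            if e["t"] - ids["t"] <= window:
                alerts.append({"detector": "correlation", "name": "ids_alert_admitted",
                               "src": e["src"], "dst": e["dst"], "sig": ids["sig"], "t": e["t"]})
    return alerts


def analyze(events=EVENTS, baseline=BASELINE_COUNTS):
    """Blended analysis: run the three detectors and merge their findings."""
    return (rule_auth_bruteforce(events)
            + anomaly_volume(events, baseline)
            + correlate_ids_then_accept(events))


if __name__ == "__main__":
    for a in analyze():
        print(a)
```

Each detector sees something the others miss: the rule never looks at volume, the baseline has no idea which source is failing to log in, and only the correlation connects the IDS signature to the firewall decision that let the flow through, which is the layered coverage the paragraph above argues for.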

4. CONCLUSIONS

Enterprises will succeed with SIM by understanding SIM requirements and matching a SIM solution to them. By a clear understanding of the business problems that need to be solved and the technical considerations that must be met, enterprises can use such requirements to help select a SIM product that will observe security-related events associated with any and all of their IT, network and security resources and will report on them in a clear, concise manner that reduces administration time and risk while increasing compliance with stipulated constraints.

REFERENCES

1. Ian A. Finlay, A brief tour of the Simple Network Management Protocol, CERT Coordination Center, http://www.cert.org/archive/pdf/snmp.pdf

2. Greg Shipley, Security information management tools, Network Computing, http://www.networkcomputing.com/1307/1307f2.html, April 1, 2002.

3. Timothy J. Shimeall, Casey J. Dunlevy, and Phil Williams, Intelligence analysis for internet security: Ideas, barriers and possibilities, CERT Analysis Center, http://www.cert.org/archive/html/spie.html

4. Common Vulnerabilities and Exposures (CVE) Site, http://cve.mitre.org

5. http://www.iso.ch/iso/en/ISOOnline.frontpage

6. http://www.iso.ch/iso/en/prods-services/popstds/informationsecurity.html

7. Office of the Secretary, Department of Health and Human Services, Health Insurance Reform: Security Standards; Final Rule, Federal Register, http://edocket.access.gpo.gov/2003/pdf/03-3877.pdf, February 20, 2003.

8. Federal Trade Commission, How to comply with the privacy of consumer financial information rule of the Gramm-Leach-Bliley Act, A Guide for Small Business from the Federal Trade Commission, http://www.ftc.gov/bcp/conline/pubs/buspubs/glblong.htm

9. Helen Delaney and Rene van de Zande, Co-Editors, A Guide to EU Standards and Conformity Assessment, NIST Special Publication 951, http://ts.nist.gov/ts/htdocs/210/gsig/eu-guides/sp951/sp951.htm

Diana Kelley received her BA from Boston College and has spent over 12 years working as a networking and security professional. She worked as a Manager in the Financial Services group of KPMG consulting and as a General Manager for Symantec, Corp. In 2003 she founded Security Curve, an independent provider of strategy, consulting, and education for the security industry. She is a frequent speaker at industry conferences and currently supports Computer Associates as a Security Strategist for their eTrust Brand.