The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896


Enterprise Security Management

Contributed by Intellitactics, Inc.

Far too many companies equate computer security with the firewall...  [they] focus all energy on selecting the right firewall and make sure that one connection is secure.

Linda McCarthy, Sun Microsystems Press (1)

 

Introduction

Information Security is a key component of modern planning and management, given the integral role of information technology (IT) in today’s enterprises. The entrenchment of security is also driven by the increasing growth of electronic transactions. Fueled by the Internet, electronic commerce proliferates with the growth of networks. As enterprise boundaries are blurred, enterprise level security becomes more challenging.

The security market, on the other hand, continues to grow as product vendors strive to keep pace with each new information security problem. Many vendors focus on providing point-solution technologies for known security problems. For example, there are firewalls to control access to internal company networks; there are intrusion detection systems (IDS) to monitor possible intrusions; there are sniffers to analyze data packets transmitted in and out of networks; there is anti-virus software to mitigate the risks of virus attacks; and there are scanners that enable the scanning and mapping of networks and their vulnerabilities. As well, operating systems can be configured to log and transmit security-sensitive events.

In a typical enterprise, different vendors supply these point-solution products, which may run on different operating systems, as well as different versions of operating systems. In large enterprises, various pieces of hardware, operating systems, and software result in a complex environment.

Each product functions as it was designed to perform; however, collectively, the products are not usually compatible and may not be able to "talk to each other." This presents a major challenge for enterprise security planners and architects. This challenge of Enterprise Security Management (ESM) is two-fold: (a) how to create an enterprise-wide ESM solution that incorporates specific point-solution products, and (b) how to manage information from these products efficiently to enhance enterprise security.

In their own niches, point-solution products address specific security needs. A comprehensive ESM solution must determine the best way to architect and configure these products to ensure that they complement each other and enhance the security solution. An effective solution must use an enterprise-wide view to integrate these point-solution products in the most efficient manner.

The second major challenge for enterprise security planners and architects is how to manage the ever-increasing security information generated by these diverse products and technologies. This information, which is received in different formats, must be captured, analyzed, and filtered into a form that can be used for decision-making.

A product that can take messages from different formats, then filter and analyze these messages, is valuable because such a product makes it easier to make decisions based on the message data.

Given the diverse nature of the security products, the amount of information generated enterprise-wide can be overwhelming. Coping with capturing, filtering, and using the resultant information for decisions remains a challenge to many organizations. 

In a nutshell, organizations continue to grapple with not only the complexity of the enterprise environment, but also the management of information from diverse technologies that may be located in multiple locations and different enterprise organizational units. 

What is Enterprise Security Management?

Enterprise Security Management (ESM) involves monitoring, assessing, and responding to threats identified by various Best of Breed systems. To be effective, an ESM solution must address both internal and external attacks since more than 70 percent of attacks come from within organizations (Ernst & Young LLP Survey of 1997). Further, a properly designed ESM solution accounts for all elements of security, including the technologies employed, the manpower devoted, and the existing security processes and procedures.

ESM involves developing the requisite architecture (the technologies and products, and their interconnection and configuration); manipulating security information (information capturing, filtering, and classifying); and designing and applying relevant rules to security information management. ESM includes a set of processes and procedures pertaining to the design, implementation, and continuing enforcement of security solutions for an enterprise.

ESM also involves the administration of information produced by diverse technologies, distributed across multiple locations and organizational units in an enterprise. It pertains to the capture, manipulation, and analysis of this information to make it useful for business decisions. An appropriate ESM solution tailors security event responses to the business function affected.

ESM Architecture

There are two key elements to consider with respect to ESM architecture: namely, (a) the right network architecture, i.e., having the right technologies in the right "place", and (b) a solution that allows information from these diverse technologies to be captured, filtered, classified, correlated, and (possibly) stored in as efficient a manner as possible to support business decisions.

Network Architecture

  • The need to select appropriate security technologies (e.g., firewalls and IDS) cannot be over emphasized.

  • Each technology meets a specific enterprise security requirement. It is equally important to ensure there is a network architecture that is consistent with a desired security solution.

  • Faulty network architecture is unlikely to achieve the desired security, even if it has all the right elements.

  • Properly designed network architecture ensures that each security technology is deployed appropriately in the network. Moreover, each of the technologies must be configured according to the security specifications.

  • The security technology should also be able to collect and transmit the security information required for security management.

A model network architecture solution allows you to specify the different network segments, e.g., internal network, demilitarized zone (DMZ), and the Internet. This can involve allotting network segments for each department or organizational unit and should specify the hosts, their functions, and their locations within these segments.

Specific security policies, procedures, and standards are defined for the network and network hosts. Further, the security technologies used to protect the network are specified, along with security management and day-to-day administration policies.

ESM Solution Architecture

As previously stated, typical enterprise network environments can generate millions of events, some of which may be security-sensitive.

An appropriate ESM architecture must ensure that (a) the right information is captured, filtered, and classified, and (b) it is transmitted in a way that minimizes traffic congestion in the network.

Enterprise Security Management

  • Reduces management complexity

  • Reduces the risk of undetected intrusion

  • Reduces the risk of human error

  • Maximizes your security investment

  • Maximizes security scalability

A superior ESM solution processes as much of the captured information, at the point of capture, as possible. This will ensure that only necessary information is transmitted. This information is required for the correlation and pertains to a "higher plane" beyond the "locality" in which it is generated.

An ESM implementation must be flexible enough to allow device connectors (lightweight programs used to forward normalized messages) to be deployed at strategic points on the enterprise network. The solution should be flexible enough to ensure the efficient capture of information, filtration, and transmission. Device connectors must be deployed in a manner that minimizes network congestion.

An ESM solution should also allow peer-to-peer device connector communication, and accommodate clustering and different kinds of hierarchical and master-slave configurations.

ESM Security Information Management

While millions of events can be generated in an enterprise network, only subsets of these events are pertinent for security. In a given ESM solution, a system can be configured to allow security-sensitive events to be handled in any desirable manner that enhances security. Events can be added to the system audit logs, used to generate alarms, or used to create other responses determined by the security solution.

Typically, the number of events logged or alarms raised can be enormous. In most cases, it leads to a deluge of information. Such information must be sanitized and analyzed to ensure that its security implications are understood and that appropriate measures are implemented to mitigate any potential risks.

To address this problem, organizations devote substantial amounts of resources, usually human beings, to manage this deluge of information. In the words of Tim Bass (2):

Network [security information] management is an expensive infrastructure to operate.

Systems often fail to provide network engineers [with] tangible and useful information.

Operators [security administrators] are typically overwhelmed [by] system messages and other low-level data.

Human beings not only come at a premium cost, but they also are poor at sifting through the tons of tedium (e.g. system logs, color-coded alarms, etc.) to filter out the security-sensitive information required to make informed business decisions.

Enterprise Security Management

  • Sniffers to analyze data packets transmitted in and out of networks.

  • Anti-virus software to mitigate the risks of virus attacks.

  • Scanners to enable the scanning and mapping of networks and associated vulnerabilities.

Often, logs will go unviewed and logged events remain unattended for long periods of time. Moreover, the tediousness of the tasks involved means that using human beings for this type of work can lead to substantial errors.

One challenge facing ESM is how to provide the ability to filter out low-level data, thereby leaving human beings to attend to information that is of greater value. For this to occur, the collection and analysis of information and the appropriate responses to that information must be automated. ESM automation can benefit enterprises with several thousands of hosts generating millions of events on a continuous basis.

ESM involves the administration of information produced by diverse technologies, distributed across multiple locations and organizational units in an enterprise.

A key element of ESM is the correlation of events from different sources that are used to make informed decisions (e.g., firewalls and IDSs). This improves the quality of decisions because the information available is far more insightful, therefore enhancing the level of security.

A high-quality ESM solution should be designed to systematically monitor, capture, categorize, and correlate information, and then use it to take corrective action. ESM solutions must take this systematic approach to maintain enterprise security. A less rigorous approach will result in an inconsistent, incomplete, and ineffective enterprise security solution.

Desirable Properties of ESM Solutions

This section outlines a number of properties that Intellitactics considers essential for an effective ESM solution. The solution must account for the type of business, its security policy, and how the information captured relates to and affects the business. In this section, we attempt to crystallize common elements of an enterprise solution that would make it consistent, complete, and effective.

Holistic Approach

An effective ESM solution has a holistic approach to enterprise security. Its design must incorporate the enterprise view, including the nature of the business, the security information captured, and its relationship to the organization’s business, as reflected in the organization’s security policy, to ensure the solution is relevant and serves the enterprise’s security needs.

Typically, point-solution products generate events based on the security policy that they implement. For instance, when an IDS recognizes a known pattern, it will generate an event. The limitation of using point-solution products is that they cannot providecontent around "flagged" information and events.

ESM Solution Properties

  • Holistic Approach

  • Event Correlation

  • Centralized Management

  • Scalability

  • Extensibility

  • Portablity

An effective ESM solution gives content to the captured information by taking into account an organization’s security policy. To accomplish this, an ESM solution must categorize information, determine how it should be applied, and assess the severity of the security risk. For example, if a mission-critical system faces a Denial of Service (DOS) attack, it must be able to generate a response commensurate to the perceived level of risk. This means that if the DOS is targeted at a honey pot system, the ESM solution’s response should reflect the low security risk.

For an ESM solution to be holistic, it must refine and integrate the security policies implemented by the different point-solution products to reflect the organization’s security policies.

Event Correlation

Event correlation is the association of two or more events that may not appear related. Information aggregation can lead to better event screening, classification, categorization and prioritization. This process improves understanding and leads to more appropriate responses. Most network administrators view event correlation as indispensable to their operations. A good ESM solution must be able to collect information from diverse sources, perform event correlation, and use the results to respond to incidents.

Event correlation determines points of failure, identifies problems, isolates the cause, prioritizes required actions, and relates pieces of information. This results in better-informed and more relevant responses.

Centralized Management

Centralized management requires capturing information from remote sources, transmitting it to the central location, analyzing it according to the organization’s security policies, and generating an appropriate response.

A successful ESM solution incorporates some degree of centralized management, allowing security to be managed from a central location. Centralized management enables remote communication between the control point and remote devices (e.g., helpdesks, firewalls, IDSs, and custom applications).

Scalability

Enterprise networks change over time. For example, a network may grow because of a merger or acquisition. 

When selecting an ESM solution, the scalability of the solution must be considered. You should ask how a solution would scale as the needs of the enterprise network grow.

If the number of nodes doubles, would the solution deliver?

ESM solutions are usually required for large environments.

Scalability should be built-in to the design of the ESM solution, not added as an afterthought.

Extensibility

Many ESM solutions are sold as products that communicate with and manage point-solution technologies, such as IDSs and firewalls. A good solution should have an open architecture that allows it to grow with the products that it talks to. This means that more enterprise security technologies and products can be incorporated. Clearly, an ESM solution that communicates with five firewall products is better than one that communicates with two firewalls.

Extensibility is a property that customers will demand. An enterprise may use certain products today; however, this may change tomorrow. For example, an acquisition may require a new environment be integrated with an existing environment.

Extensibility should be a high requirement, in part, because the point-solution market is growing. The use of standardized communication interfaces is a main advantage of any ESM solution. Currently, it seems that XML will become the standard for this type of communication.

Portability

The last thing a customer wants is to be stuck with an ESM solution that relies on a specific platform. Platform independence should be a key factor in the selection of a specific solution. This helps to control the cost of deployment because an organization does not have to tailor its existing environment to the requirements of an ESM solution.

An Effective ESM Includes:

  • Manageable tools and applications that present information in a manner that helps users understand security situations and helps them respond to those situations.

  • Built-in scalability that allows products and tools to handle large numbers of hosts.

  • An extensible framework that allows new security products to be added.

  • Correlation of information from diverse sources.

  • Platform independence.

Other

If an organization chooses an ESM solution that is based on a specific product, other factors should be considered, such as the ease of installation, configuration, and administration. The customization required for the product and the level of technical support from the vendor should also be considered; a product that requires extensive customer support and maintenance may not be cost-effective in the long term.

Buyers should balance price, customer support, ease of installation, and maintenance. A long-range view of all costs should be taken into account to determine the best return on investment.

Conclusion

Enterprise Security Management (ESM) is a challenging task, mainly because of the complexity associated with capturing, classifying, analyzing, and correlating different types of information from diverse sources. Organizations must not only be aware of threats, but they should also understand the risks, scope and nature of the security situation so that the appropriate response becomes apparent and the security team can prevail in the relentless battle for enterprise security.

References

1. Linda McCarthy, Intranet Security: Stories from the Trenches (Sun Microsystems Press).

2. Tim Bass, Intrusion Detection Systems and Multi-sensor Data Fusion in Communications of the ACM (April 2000)


About Intellitactics

Intellitactics provides a comprehensive solution for enterprise security management. Founded in 1996, its industry-leading Network Security Manager™ (NSM™) is the holistic, integrated threat management platform that enables security executives to police, prioritize and prevail across the full range of today's information security threats. NSM is the enterprise security management software of choice for many of the world's leading Global 1000 companies, government organizations and Managed Security Service Providers (MSSPs) who seek to provide their organizations with comprehensive information security, leveraging the complete range of security information available from security devices and other information sources.


Visit the Authors Web Site

Website URL:

 http://www.intellitactics.com

Your Name:
Company Name:
E-mail:

Inquiry Only - No Cost Or Obligation


3D Animation : red star  Click Here for The Business Forum Library of White Papers   3D Animation : red star
 


Search Our Site

Search the ENTIRE Business Forum site. Search includes the Business
Forum Library, The Business Forum Journal and the Calendar Pages.


Disclaimer

The Business Forum, its Officers, partners, and all other
parties with which it deals, or is associated with, accept
absolutely no responsibility whatsoever, nor any liability,
for what is published on this web site.    Please refer to:

legal description


Home    Calendar    The Business Forum Journal     Features    Concept    History
Library     Formats    Guest Testimonials    Client Testimonials    Experts    Search
News Wire
     Join    Why Sponsor     Tell-A-Friend     Contact The Business Forum


The Business Forum

Beverly Hills, California United States of America

Email:  [email protected]

Graphics by DawsonDesign

Webmaster:  bruceclay.com
 


© Copyright The Business Forum Institute 1982 - 2011  All rights reserved.