Enterprise Security Management
Information Security is a key component of modern planning and management, given the integral role of information technology (IT) in today's enterprises. The entrenchment of security is also driven by the increasing growth of electronic transactions. Fueled by the Internet, electronic commerce proliferates with the growth of networks. As enterprise boundaries are blurred, enterprise level security becomes more challenging.
The security market, on the other hand, continues to grow as product vendors strive to keep pace with each new information security problem. Many vendors focus on providing point-solution technologies for known security problems. For example, there are firewalls to control access to internal company networks; there are intrusion detection systems (IDS) to monitor possible intrusions; there are sniffers to analyze data packets transmitted in and out of networks; there is anti-virus software to mitigate the risks of virus attacks; and there are scanners that enable the scanning and mapping of networks and their vulnerabilities. As well, operating systems can be configured to log and transmit security-sensitive events.
In a typical enterprise, different vendors supply these point-solution products, which may run on different operating systems, as well as different versions of operating systems. In large enterprises, various pieces of hardware, operating systems, and software result in a complex environment.
Each product functions as it was designed to perform; however, collectively, the products are not usually compatible and may not be able to "talk to each other." This presents a major challenge for enterprise security planners and architects. This challenge of Enterprise Security Management (ESM) is two-fold: (a) how to create an enterprise-wide ESM solution that incorporates specific point-solution products, and (b) how to manage information from these products efficiently to enhance enterprise security.
In their own niches, point-solution products address specific security needs. A comprehensive ESM solution must determine the best way to architect and configure these products to ensure that they complement each other and enhance the security solution. An effective solution must use an enterprise-wide view to integrate these point-solution products in the most efficient manner.
The second major challenge for enterprise security planners and architects is how to manage the ever-increasing security information generated by these diverse products and technologies. This information, which is received in different formats, must be captured, analyzed, and filtered into a form that can be used for decision-making.
A product that can take messages from different formats, then filter and analyze these messages, is valuable because such a product makes it easier to make decisions based on the message data.
Given the diverse nature of the security products, the amount of information generated enterprise-wide can be overwhelming. Coping with capturing, filtering, and using the resultant information for decisions remains a challenge to many organizations.
In a nutshell, organizations continue to grapple with not only the complexity of the enterprise environment, but also the management of information from diverse technologies that may be located in multiple locations and different enterprise organizational units.
What is Enterprise Security Management?
Enterprise Security Management (ESM) involves monitoring, assessing, and responding to threats identified by various Best of Breed systems. To be effective, an ESM solution must address both internal and external attacks since more than 70 percent of attacks come from within organizations (Ernst & Young LLP Survey of 1997). Further, a properly designed ESM solution accounts for all elements of security, including the technologies employed, the manpower devoted, and the existing security processes and procedures.
ESM involves developing the requisite architecture (the technologies and products, and their interconnection and configuration); manipulating security information (information capturing, filtering, and classifying); and designing and applying relevant rules to security information management. ESM includes a set of processes and procedures pertaining to the design, implementation, and continuing enforcement of security solutions for an enterprise.
ESM also involves the administration of information produced by diverse technologies, distributed across multiple locations and organizational units in an enterprise. It pertains to the capture, manipulation, and analysis of this information to make it useful for business decisions. An appropriate ESM solution tailors security event responses to the business function affected.
There are two key elements to consider with respect to ESM architecture: namely, (a) the right network architecture, i.e., having the right technologies in the right "place", and (b) a solution that allows information from these diverse technologies to be captured, filtered, classified, correlated, and (possibly) stored in as efficient a manner as possible to support business decisions.
A model network architecture solution allows you to specify the different network segments, e.g., internal network, demilitarized zone (DMZ), and the Internet. This can involve allotting network segments for each department or organizational unit and should specify the hosts, their functions, and their locations within these segments.
Specific security policies, procedures, and standards are defined for the network and network hosts. Further, the security technologies used to protect the network are specified, along with security management and day-to-day administration policies.
ESM Solution Architecture
As previously stated, typical enterprise network environments can generate millions of events, some of which may be security-sensitive.
An appropriate ESM architecture must ensure that (a) the right information is captured, filtered, and classified, and (b) it is transmitted in a way that minimizes traffic congestion in the network.
A superior ESM solution processes as much of the captured information as possible at the point of capture, so that only the necessary information is transmitted: the information required for correlation, which pertains to a "higher plane" beyond the "locality" in which it is generated.
An ESM implementation must be flexible enough to allow device connectors (lightweight programs used to forward normalized messages) to be deployed at strategic points on the enterprise network. The solution should be flexible enough to ensure the efficient capture of information, filtration, and transmission. Device connectors must be deployed in a manner that minimizes network congestion.
An ESM solution should also allow peer-to-peer device connector communication, and accommodate clustering and different kinds of hierarchical and master-slave configurations.
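As an added illustration of the device connector described above (this is example code, not Intellitactics' software or anything from the paper), the following Python sketches a connector that reads three differently formatted sources, normalizes each record into one schema, and filters at the point of capture so that only security-relevant events are forwarded. The three line formats, the sensor names and the sample lines are constructed for the example; the local filter forwards only denies, IDS alerts and authentication failures, which is the kind of "higher plane" information a correlation engine needs.

```python
"""Constructed example: a minimal device connector that normalizes events from
three assumed vendor formats and forwards only security-relevant records."""
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample lines: a firewall, an IDS and a syslog host (formats are assumed)
SAMPLE_LINES = [
    "fw01 ACCEPT src=10.1.2.3 dst=10.9.8.7 dport=443 proto=tcp",
    "fw01 DROP src=198.51.100.9 dst=10.9.8.7 dport=22 proto=tcp",
    'ids01 ALERT sid=1001 msg="SSH brute force" 198.51.100.9 -> 10.9.8.7:22',
    "<86>host42 sshd[1203]: Failed password for root from 198.51.100.9 port 51022 ssh2",
    "<30>host42 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]


@dataclass
class NormalizedEvent:
    """One schema for every source, so the upstream correlator sees uniform records."""
    source: str            # sensor or host that produced the event
    kind: str              # firewall / ids / host
    action: str            # ACCEPT, DROP, ALERT, AUTH_FAIL, INFO
    src_ip: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    detail: str


# Parsers for the three constructed formats
FW_RE = re.compile(r"^(?P<dev>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
IDS_RE = re.compile(r'^(?P<dev>\S+) ALERT sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" (?P<src>\S+) -> (?P<dst>[^:]+):(?P<dport>\d+)')
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<host>\S+) (?P<prog>[^\[]+)\[\d+\]: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")


def normalize(line: str) -> Optional[NormalizedEvent]:
    """Map a raw line from any supported source onto the common schema; None if unknown."""
    m = FW_RE.match(line)
    if m:
        return NormalizedEvent(m["dev"], "firewall", m["action"], m["src"], m["dst"], int(m["dport"]), "")
    m = IDS_RE.match(line)
    if m:
        return NormalizedEvent(m["dev"], "ids", "ALERT", m["src"], m["dst"], int(m["dport"]),
                               f"sid={m['sid']} {m['msg']}")
    m = SYSLOG_RE.match(line)
    if m:
        f = SSH_FAIL_RE.search(m["msg"])
        if f:
            return NormalizedEvent(m["host"], "host", "AUTH_FAIL", f["src"], m["host"], 22, f"user={f['user']}")
        return NormalizedEvent(m["host"], "host", "INFO", None, m["host"], None, m["msg"])
    return None


def is_security_relevant(ev: NormalizedEvent) -> bool:
    """Point-of-capture filter: routine accepts and housekeeping messages stay local."""
    return ev.action in {"DROP", "ALERT", "AUTH_FAIL"}


def connector(lines):
    """Return the normalized records this connector would forward to the central manager."""
    forwarded = []
    for line in lines:
        ev = normalize(line)
        if ev is None or not is_security_relevant(ev):
            continue
        forwarded.append(asdict(ev))
    return forwarded


if __name__ == "__main__":
    for record in connector(SAMPLE_LINES):
        print(record)
```

Of the five constructed lines, only three leave the connector: the firewall drop, the IDS alert and the failed login. The accepted HTTPS connection and the cron message are discarded locally, which is exactly the traffic reduction the architecture above asks for; in a real deployment the filter would be driven by the organization's policy rather than a fixed set of actions.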
ESM Security Information Management
While millions of events can be generated in an enterprise network, only subsets of these events are pertinent for security. In a given ESM solution, a system can be configured to allow security-sensitive events to be handled in any desirable manner that enhances security. Events can be added to the system audit logs, used to generate alarms, or used to create other responses determined by the security solution.
Typically, the number of events logged or alarms raised can be enormous. In most cases, it leads to a deluge of information. Such information must be sanitized and analyzed to ensure that its security implications are understood and that appropriate measures are implemented to mitigate any potential risks.
To address this problem, organizations devote substantial amounts of resources, usually human beings, to manage this deluge of information. In the words of Tim Bass (2):
Network [security information] management is an expensive infrastructure to operate.
Systems often fail to provide network engineers [with] tangible and useful information.
Operators [security administrators] are typically overwhelmed [by] system messages and other low-level data.
Human beings not only come at a premium cost, but they also are poor at sifting through the tons of tedium (e.g. system logs, color-coded alarms, etc.) to filter out the security-sensitive information required to make informed business decisions.
Often, logs will go unviewed and logged events remain unattended for long periods of time. Moreover, the tediousness of the tasks involved means that using human beings for this type of work can lead to substantial errors.
One challenge facing ESM is how to provide the ability to filter out low-level data, thereby leaving human beings to attend to information that is of greater value. For this to occur, the collection and analysis of information and the appropriate responses to that information must be automated. ESM automation can benefit enterprises with several thousand hosts generating millions of events on a continuous basis.
A key element of ESM is the correlation of events from different sources that are used to make informed decisions (e.g., firewalls and IDSs). This improves the quality of decisions because the information available is far more insightful, therefore enhancing the level of security.
A high-quality ESM solution should be designed to systematically monitor, capture, categorize, and correlate information, and then use it to take corrective action. ESM solutions must take this systematic approach to maintain enterprise security. A less rigorous approach will result in an inconsistent, incomplete, and ineffective enterprise security solution.
Desirable Properties of ESM Solutions
This section outlines a number of properties that Intellitactics considers essential for an effective ESM solution. The solution must account for the type of business, its security policy, and how the information captured relates to and affects the business. In this section, we attempt to crystallize common elements of an enterprise solution that would make it consistent, complete, and effective.
An effective ESM solution has a holistic approach to enterprise security. Its design must incorporate the enterprise view, including the nature of the business, the security information captured, and its relationship to the organization's business, as reflected in the organization's security policy, to ensure the solution is relevant and serves the enterprise's security needs.
Typically, point-solution products generate events based on the security policy that they implement. For instance, when an IDS recognizes a known pattern, it will generate an event. The limitation of using point-solution products is that they cannot provide context around "flagged" information and events.
ESM Solution Properties
An effective ESM solution gives context to the captured information by taking into account an organization's security policy. To accomplish this, an ESM solution must categorize information, determine how it should be applied, and assess the severity of the security risk. For example, if a mission-critical system faces a Denial of Service (DoS) attack, the solution must be able to generate a response commensurate with the perceived level of risk. This means that if the DoS is targeted at a honey pot system, the ESM solution's response should reflect the low security risk.
For an ESM solution to be holistic, it must refine and integrate the security policies implemented by the different point-solution products to reflect the organization's security policies.
Event correlation is the association of two or more events that may not appear related. Information aggregation can lead to better event screening, classification, categorization and prioritization. This process improves understanding and leads to more appropriate responses. Most network administrators view event correlation as indispensable to their operations. A good ESM solution must be able to collect information from diverse sources, perform event correlation, and use the results to respond to incidents.
Event correlation determines points of failure, identifies problems, isolates the cause, prioritizes required actions, and relates pieces of information. This results in better-informed and more relevant responses.
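The two properties discussed above, a response commensurate with the risk to the affected asset and the correlation of events from different sources, can be shown together in one small engine. The Python below is an added example, not Intellitactics' NSM or any code from the paper: it groups normalized events by source and destination within a time window, treats a group corroborated by at least two independent sensor kinds (e.g., firewall and IDS) as an incident, and then scores each incident by multiplying that corroboration by the criticality of the targeted asset from a constructed inventory. The asset list, the events, the window and the score thresholds are all assumed values for the illustration.

```python
"""Constructed example: cross-source correlation plus asset-aware severity, so the
same pattern against a honeypot ranks well below the same pattern against a critical host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory; criticality is a policy input (values assumed for the example)
ASSETS = {
    "10.9.8.7": {"name": "billing-db", "criticality": 5},
    "10.9.8.20": {"name": "honeypot-1", "criticality": 1},
}

# Constructed normalized events, as device connectors would forward them
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "kind": "firewall", "action": "ACCEPT", "src_ip": "198.51.100.9", "dst_ip": "10.9.8.7", "dst_port": 22},
    {"ts": "2024-01-01T10:00:05", "kind": "ids", "action": "ALERT", "src_ip": "198.51.100.9", "dst_ip": "10.9.8.7", "dst_port": 22},
    {"ts": "2024-01-01T10:00:07", "kind": "host", "action": "AUTH_FAIL", "src_ip": "198.51.100.9", "dst_ip": "10.9.8.7", "dst_port": 22},
    {"ts": "2024-01-01T10:01:00", "kind": "ids", "action": "ALERT", "src_ip": "203.0.113.5", "dst_ip": "10.9.8.20", "dst_port": 22},
    {"ts": "2024-01-01T10:01:02", "kind": "host", "action": "AUTH_FAIL", "src_ip": "203.0.113.5", "dst_ip": "10.9.8.20", "dst_port": 22},
    {"ts": "2024-01-01T12:00:00", "kind": "ids", "action": "ALERT", "src_ip": "198.51.100.9", "dst_ip": "10.9.8.7", "dst_port": 22},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window


def correlate(events, window=WINDOW):
    """Bucket events per (src, dst) pair into time windows; a bucket seen by two or more
    distinct sensor kinds is an incident (single-source noise is not)."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_ip"], ev["dst_ip"])
        ts = datetime.fromisoformat(ev["ts"])
        buckets = groups[key]
        # Window is measured from the first event of the current bucket
        if buckets and ts - datetime.fromisoformat(buckets[-1][0]["ts"]) <= window:
            buckets[-1].append(ev)
        else:
            buckets.append([ev])
    incidents = []
    for (src, dst), buckets in groups.items():
        for bucket in buckets:
            kinds = {e["kind"] for e in bucket}
            if len(kinds) >= 2:
                incidents.append({"src_ip": src, "dst_ip": dst, "kinds": sorted(kinds), "count": len(bucket)})
    return incidents


def score(incident, assets=ASSETS):
    """Severity = corroboration (independent sensor kinds) x asset criticality.
    Unknown assets get a middle criticality so they are not silently ignored."""
    crit = assets.get(incident["dst_ip"], {"criticality": 3})["criticality"]
    return len(incident["kinds"]) * crit


def triage(events, assets=ASSETS):
    """Correlate, score and attach a response proportional to the risk (thresholds assumed)."""
    ranked = []
    for inc in correlate(events):
        s = score(inc, assets)
        inc["severity"] = s
        inc["response"] = "page on-call" if s >= 10 else "ticket" if s >= 4 else "log only"
        ranked.append(inc)
    return sorted(ranked, key=lambda i: i["severity"], reverse=True)


if __name__ == "__main__":
    for inc in triage(EVENTS):
        print(inc)
```

Running it yields two incidents: the SSH activity against the billing database is corroborated by firewall, IDS and host logs and lands at severity 15 ("page on-call"), while the near-identical pattern against the honeypot scores 2 and is only logged. The lone IDS alert two hours later falls outside the window and, lacking a second source, is not promoted to an incident at all; that is the filtering of single-sensor noise that the text describes as improving the relevance of responses.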
Centralized management requires capturing information from remote sources, transmitting it to the central location, analyzing it according to the organization's security policies, and generating an appropriate response.
A successful ESM solution incorporates some degree of centralized management, allowing security to be managed from a central location. Centralized management enables remote communication between the control point and remote devices (e.g., helpdesks, firewalls, IDSs, and custom applications).
Enterprise networks change over time. For example, a network may grow because of a merger or acquisition.
When selecting an ESM solution, the scalability of the solution must be considered. You should ask how a solution would scale as the needs of the enterprise network grow.
If the number of nodes doubles, would the solution deliver?
ESM solutions are usually required for large environments.
Scalability should be built-in to the design of the ESM solution, not added as an afterthought.
Many ESM solutions are sold as products that communicate with and manage point-solution technologies, such as IDSs and firewalls. A good solution should have an open architecture that allows it to grow with the products that it talks to. This means that more enterprise security technologies and products can be incorporated. Clearly, an ESM solution that communicates with five firewall products is better than one that communicates with two firewalls.
Extensibility is a property that customers will demand. An enterprise may use certain products today; however, this may change tomorrow. For example, an acquisition may require a new environment be integrated with an existing environment.
Extensibility should be a high-priority requirement, in part because the point-solution market is growing. The use of standardized communication interfaces is a main advantage of any ESM solution. Currently, it seems that XML will become the standard for this type of communication.
The last thing a customer wants is to be stuck with an ESM solution that relies on a specific platform. Platform independence should be a key factor in the selection of a specific solution. This helps to control the cost of deployment because an organization does not have to tailor its existing environment to the requirements of an ESM solution.
An Effective ESM Includes:
If an organization chooses an ESM solution that is based on a specific product, other factors should be considered, such as the ease of installation, configuration, and administration. The customization required for the product and the level of technical support from the vendor should also be considered; a product that requires extensive customer support and maintenance may not be cost-effective in the long term.
Buyers should balance price, customer support, ease of installation, and maintenance. A long-range view of all costs should be taken into account to determine the best return on investment.
Enterprise Security Management (ESM) is a challenging task, mainly because of the complexity associated with capturing, classifying, analyzing, and correlating different types of information from diverse sources. Organizations must not only be aware of threats, but they should also understand the risks, scope and nature of the security situation so that the appropriate response becomes apparent and the security team can prevail in the relentless battle for enterprise security.
1. Linda McCarthy, Intranet Security: Stories from the Trenches (Sun Microsystems Press).
2. Tim Bass, Intrusion Detection Systems and Multi-sensor Data Fusion, Communications of the ACM (April 2000).
Intellitactics provides a comprehensive solution for enterprise security management. Founded in 1996, its industry-leading Network Security Manager™ (NSM™) is the holistic, integrated threat management platform that enables security executives to police, prioritize and prevail across the full range of today's information security threats. NSM is the enterprise security management software of choice for many of the world's leading Global 1000 companies, government organizations and Managed Security Service Providers (MSSPs) who seek to provide their organizations with comprehensive information security, leveraging the complete range of security information available from security devices and other information sources.