Subscribe
About

Managing your network`s security

By Eric Jorgensen
Johannesburg, 15 Nov 2004

Network and data security is evolving. With the proliferation of distributed environments, and the necessity of organisations to open up their internal network to the Internet, companies are faced with a daunting task - providing simple, efficient access to some information while keeping other information away from both legitimate users and determined hackers.

In addition to this, there are a myriad of other security issues to deal with - physical security, internal threats, privacy concerns, content security and evolving legal requirements, among others - all of which, if not handled properly, can put the company at risk, both legally and financially. It is no wonder that the sale of security products remains strong, and that more and more of the typical IT budget is being devoted to security.

As security requirements grow, companies are faced with the need to be more proactive in dealing with security issues. No longer can a company implement a firewall, rely on operating system authentication and expect that to be sufficient. Not only are the threats more frequent and severe, but also the costs of potential attacks are growing. As companies are being forced to open themselves up more in order to remain competitive, they are potentially exposing information that could damage their ability to remain competitive. It is this double-edged sword that makes security management so critical to organisations.

Coupled to this, customers who use the services of companies that have been attacked suddenly see themselves as being at risk. Not reporting potential security risks is no longer an acceptable option. Customers, both large and small, want to see reports on the security health of their vendors, and see security as one item on the list of requirements for doing business.

So what can an organisation do to secure itself and still provide the online services that its customers, vendors and employees need?

The answer is to move from a reactive security model to a proactive one. Setting up your security perimeter and hoping for the best is not acceptable anymore. Companies need to actively monitor their security infrastructure, in real-time and all the time. In the same way that a company has real-time monitoring tools to watch their network, systems and applications, they also need to active monitoring for their security infrastructure.

A large variety of security point products exist to solve the different problems in building and maintaining a secure environment. Firewall, intrusion detection systems (IDS), content security, authentication/authorisation, encryption - there are robust products on the market now to fit just about every security need. However, the problem with these products is that they each have their own tools, their own way of collecting information, and their own way of alerting on potential security breaches. And because of the plethora of data that is collected by each individual product, it becomes virtually impossible to keep track of them all individually, and in real-time.

As the size and complexity of security environments grows, it becomes harder and harder to keep track of all the information. More often than not, security breaches are discovered after the fact, and it is only then that the logged data is analysed to find out what happened.

This daunting problem has spawned a new type of security tool - the Security Manager of Managers (SMoM). The SMoM`s job is to collect all the security data from all the tools that are implemented and provide a single point view across all security issues. It provides access to all the necessary tools, intelligently organises the information, and will alert security professionals to potential attacks before they become damaging.

Pros and cons

* Consolidation of all real-time event data into single view.

* Allows correlation with network management events.

* Huge security event volumes become manageable allowing even denial-of-service to be handled.

* Collation of log file information provides a long-term historical archive for trend and long-term threat analysis and forensics.

* Allows integration with knowledge bases, asset bases and remediation strategy.

* Security information/event management tools do not have the detailed integration for active configuration management of disparate devices.

* The tools are only as good as the quality of data they receive.

* Vendors` specific element managers do not seamlessly integrate.

In reality, the SMoM should be based on the raw consolidation and correlation power of the established event management vendors but this alone does not deliver a security tool at all. It needs to be able to keep up with the huge amount of information that security products can generate, have tools that can correlate disparate events to pinpoint a single breach, provide operators with a real-time event management interface, and collect and present the historical information for legal review, trend analysis and forensic analysis. The SMoM also needs to have the flexibility to take in highly granular security information, embed security specific correlation and notification logic into the system and then call to action engineers or automate remediation policies.

Some potential pitfalls exist with all security management solutions and SMoM is no different. Interruptions to the flow of data can leave the system running blind and the architecture must be able to respond to component failure with fault tolerance and data buffering to ensure no data is lost. SMoMs are also by their nature reactive to events occurring around them, some solutions are starting to address potential proactive approaches which in time will allow sophisticated correlation to optimise the processing of event flows.

The idea of the SMoM - like all good ideas - is not new. The world`s largest telecommunications companies, such as BT, AT&T, Deutsche Telekom and others rely on a manager of manager technology to alert operators to potential service-affecting problems in their infrastructure. The MoM software enables the telecoms company to invest in the best technology without training an army of operators to monitor each type of equipment. Similarly, the Security Manager of Manager - when based on the same robust, ultra-scalable technology - can help large companies to get the best out of today`s leading security technology, while consolidating the various security systems to present a complete, end-to-end view of the security infrastructure.

Share

Editorial contacts

Lara Nel
Initiative Communications
(082) 496 9696
lara@initiativeworx.co.za