Choosing a security management solution

The security event management market is in its infancy. But it already appears to be crowded, with everyone from enterprise management vendors to intrusion-detection companies to pure security event management firms entering the fray.

Choosing the right tool depends much on an organization's business and computing requirements. And an organization with an enterprise management platform such as IBM Corp.'s Tivoli Management Environment or Micromuse Inc.'s Netcool suite of management software may opt to use the same company's management software.

IBM Tivoli Risk Manager and Netcool for security management consolidate security alerts from multiple security devices into one console. Micromuse's software is designed to pull data from more than 300 devices, including network management systems.

However, "not everyone can afford large management systems," said Mary Ellen Condon, a former director of security at the Justice Department and now director of information assurance at SRA International Inc., a provider of security consulting services to the federal government.

To that end, organizations may want to consider an emerging class of event management software that aggregates, correlates and analyzes volumes of data generated by a range of security and network devices.

ArcSight this year introduced ArcSight 1.0, which consists of a data collection and storage system that consolidates network alarms and alerts, analysis tools to detect threats and a display-and-report function to manage results. CyberWolf Technologies Inc., recently acquired by Symantec Corp., offers a tool that applies root cause analysis technology to track, store and match patterns of events or alerts that may appear innocuous, but when put together represent a pattern of attack occurring over time from multiple sources.

Originally funded by the Defense Advanced Research Projects Agency, CyberWolf has expanded its reach in the government market by adding customers such as the Federal Emergency Management Agency.

Managed security services companies and consulting firms that provide security services to federal clients are increasingly relying on event managers from e-Security Inc. and GuardedNet. When e-Security's Open e-Security Platform debuted two years ago, the system provided a simple central view of event data. In the past year, however, the e-Security Platform has evolved into a real-time correlation engine.

E-Security also has teamed with Hewlett-Packard Co. to integrate its security event manager with the HP Openview management platform to give administrators a holistic view of their information technology infrastructure.

GuardedNet's nueSecure software provides centralized logging of information and cross-device correlation of events for detailed analysis. Visualization tools provide global mapping of attack sources. The system also provides automated countermeasures, such as blocking an attack through interfaces with firewalls and routers.

Other products, such as intrusion-detection systems from companies such as SilentRunner Inc. and Lancope Inc., are also useful for event management because of their analysis functions and their ability to discover devices on the network, experts said.

But the real value of pure security event management products is event correlation. "Event managers are important because they pool data, making it easier to do log analysis," said Thomas Gluzinski, president and chief executive officer of Paladin Technologies Inc., a provider of security services to the federal government.