Security overload

The Federal Aviation Administration, like many organizations trying to secure large, complex networks, was in a quandary.

Information technology operators at the FAA were overwhelmed by the vast amount of data being generated by the many security devices strategically deployed to keep out the bad guys. With so much data flowing in from firewalls, intrusion-detection systems and other devices, IT security administrators worried that some threats and potential attacks might not be noticed.

"As we've started to deploy more intrusion-detection systems, firewalls and network mappers, the amount of information has increased," said Michael Brown, director of the FAA's Office of Information Systems Security.

Agency officials realized they needed to correlate the vast amount of information on security events into a single management console where it could be viewed and analyzed in real time.

They are not alone. Civilian and military agencies, as well as large companies, are grappling with security data overload.

Numerous tools can help agencies maintain a secure network, including authentication, content security, encryption, firewalls and intrusion-detection systems. But each product has its own way of collecting information and alerting administrators about potential security breaches.

"A challenge [for IT administrators] is getting a complete picture of the state of security in their domain," said Lawrence Hale, liaison director for the Federal Computer Incident Response Center (FedCIRC), which monitors security incidents for civilian agencies.

Single View

To solve this problem, the FAA and other federal agencies are turning to a new crop of products that collect and monitor data generated by security tools, often consolidating this information into a single management console.

Federal agencies are deploying an increasing number of commercial tools from companies such as ArcSight, CyberWolf Technologies Inc., e-Security Inc., GuardedNet and Micromuse Inc., to name a few. The FAA deploys an integrated set of security tools that include event management and intrusion detection. Officials would not name the vendor for security reasons.

However, for more advanced correlation and data reduction capabilities, the FAA turned to the academic community, funding researchers at the Massachusetts Institute of Technology to develop an event correlation system.

The FAA chose MIT because the agency didn't want a proprietary system and instead opted for one that was open and supported international standards, Brown said. Also, the FAA wanted to develop a system that could be shared with other federal agencies.

The FAA is integrating the system into its data warehousing framework, which uses neural technology to extract data. The system also passively scans the network for unusual activity and can detect if new network equipment, such as routers or servers, comes online.

Officials have already seen results from their tests of the system. Previously, IT operators reviewed event logs that were six to 10 hours old. The new system has reduced that lag time from hours to minutes, said Tom O'Keefe, deputy director of information systems security at the FAA.

Labor Department officials also have seen a reduction in the time it takes IT operators to access and analyze data by adopting event management systems, according to Laura Callahan, deputy chief information officer at Labor.

Callahan declined to identify the products the department uses for security reasons, but she said IT operators at the agency are familiar with products from SilentRunner Inc., a Raytheon company, and Network Intelligence Corp. "We are challenged in trying to sift through volumes of information to do trend analysis," she said.

Callahan also praised the tools' forensic capabilities, which enable IT operators to play back events for investigative purposes.

Besides deploying event management tools to battle the problem of data overload, the department is moving to a common security architecture. This means that each division within a line of business will adhere to the same standards and security technology, eliminating the need for multiple management consoles to monitor disparate products in each business unit.

Not a Panacea

There is a definite need for security event management tools in federal agencies, but "tools are not a panacea," said Thomas Gluzinski, president and chief executive officer of Paladin Technologies Inc., a provider of security services to the federal government.

Many of these tools are in their first generation, and some are complex and hard to use by someone lacking in-depth security knowledge. Others are easy to use but still require experts to analyze the data and take appropriate action, he said.

"And security event management products are computers, too," FedCIRC's Hale pointed out, so they are open to attacks or exploitation by hackers.

According to John Pescatore, a research director at Gartner Inc., a security event management system needs four key features:

n The tool must monitor events in real time and pull that information into a central location.

n It must filter data and present it in meaningful reports.

n It should have a discovery engine that can identify all the devices on a network. Most current products lack this feature.

n It must be able to control the security devices. For instance, the product must have the capability to change settings on a firewall in the event of an attack or work in conjunction with an intrusion-detection system to automatically block an attack.

The better products in the future will have some type of neural network capability that will enable them to identify and fix problems, Gluzinski said. Some intrusion-detection systems, such as Internet Security Systems Inc.'s RealSecure, can interact with firewalls from Checkpoint Systems Inc. to fix a rule set and solve a problem in the event of an attack.

However, if the intrusion-detection system is not configured properly and is not privy to internal business operations, it could introduce a new problem by making a fix. The same is true for security event management systems, Gluzinski said, which only emphasizes the need for skilled network engineers.

But as more network-based intrusion-detection systems move from merely issuing alarms to employing more highly advanced techniques — blocking attacks in the way that antivirus software stops the spread of computer viruses — there might not be a need for security event management systems, Gartner's Pescatore said.

There are two reasons for an organization to deploy security event management tools, according to Pescatore. Large organizations with several hundred firewalls spread across a global network would need to manage the output from those firewalls, and organizations deploying hundreds of network-based intrusion-detection sensors should deploy an event management system to reduce the false alarms generated by the sensors.

Unless an organization has made a huge investment in intrusion detection, Gartner researchers recommend holding off on purchasing such systems because more advanced tools will be released in about two years.

Others disagree. Intrusion detection "is where the pain is," but security event managers are also collecting data from firewalls and antivirus software, said Juanita Koilpillai, chairman and co-founder of CyberWolf Technologies, formerly Mountain Wave. The Federal Emergency Management Agency now uses the company's product, which automates analysis of data in real time. Symantec Corp. acquired the Falls Church, Va.-based company last month.

"It's more than an intrusion-detection issue," Callahan agreed. It's also an issue of tracking who's accessing intellectual capital and the applications and data associated with those assets. Intrusion-detection systems can "tell you that a person is coming through the door, but not all the rooms he's accessed." Security event management tools have the potential to help administrators sort through this information without manually analyzing each individual log file, she said.

Meanwhile, other efforts are under way to advance the field of event correlation. For instance, the CERT Coordination Center, located at Carnegie Mellon University, is conducting advance research on developing a common output language for various security systems, said FedCIRC's Hale.

And at the SANS Institute, a Bethesda, Md.-based training and education organization for IT security professionals, officials are working with several vendors to determine the market leaders. They will then decide what type of training is needed for security professionals to properly use the products, said Stephen Northcutt, director of training at the institute.

"I'm optimistic about the maturity of security event management solutions," Callahan said. As experts refine their efforts to aggregate clusters of data and as vendors develop algorithms for detecting attacks, there should be "a more integrated common view across firewalls, systems, phones and wireless" technology.

***

What is event correlation?

Event correlation is the process of comparing data from multiple sources to identify attacks, intrusions or misuse.

Before data can be correlated, it must be removed from individual security devices and sent to a consolidation point where it is pulled from disparate log files, compressed and prepared for placement into a database.

After data is clustered, the security event management system can begin data correlation. Because an attack usually touches many points in a network, leaving a trail, a security analyst can possibly prevent or detect an attack if he or she follows that trail.