Turn net intrusions into a better security response plan

New security event management wares try to prioritize defensive action

Network intrusions, which continue despite the best efforts of security vendors, have given rise to a new generation of security event management (SEM) tools.

Such tools ideally would interpret data from numerous network security devices, isolate the most dangerous threats and execute the most urgent fixes. Even better, products would continuously probe the network for vulnerabilities and pre-emptively eliminate them.

None of the new SEM tools offer this security equivalent to a Holy Grail, at least not yet.

At a minimum, SEM tools must monitor networks for events in real time, pull event information into a central console, filter that data and clearly present it to the network or security administrator. Tools should also work with frontline security devices such as firewalls, antivirus software and intrusion-detection systems to block attacks.

And demands are expanding. Security managers, particularly in smaller organizations, don't have the resources to tackle all urgent problems at once. They need tools that can prioritize responses.

"The reality is that organizations generally know nothing about the importance of the resources that are being targeted," said Reed Harrison, chief technology officer and co-founder of e-Security Inc., one of the first SEM vendors. "So security incidents have to be matched to the criticality of those resources."

E-Security's software tags incident data with confidence levels that prioritize actions to guard particular resources, in effect red-lighting incidents that need an immediate response, Harrison said.

This approach, which many SEM vendors pursue, is a step beyond passively monitoring a network and collecting and categorizing events, and toward more sophisticated, real-time risk analysis, according to Hugh Njemanze, chief technology officer and senior vice president of research and development for ArcSight, a subsidiary of SVIC LLC. Last November, the company announced that it is receiving funding from In-Q-Tel, a venture capital group run by the CIA.

This spring, ArcSight added a feature called TruThreat Risk Correlation to its real-time event correlation engine to periodically scan security devices across a network. It registers attributes and vulnerabilities of each host or system listed on an asset table, measuring the precise risk level for each of the assets. Based on those measurements, a set of predetermined actions can be launched to minimize the damage caused by attacks.

Responsive actions can range from notifying someone of the attack to automatically reconfiguring or shutting down a system.

"It provides a context that intrusion-detection devices by themselves don't have by showing which elements in the infrastructure are most vulnerable," Njemanze said.
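The kind of asset-aware prioritization described above can be sketched as follows. This is an added example, not ArcSight's or any vendor's algorithm: the scoring formula, thresholds, action names, host names and vulnerability labels are all assumptions made for illustration, and automatic response is off by default, so the top tier pages a person instead of acting.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    host: str
    criticality: int                  # 1 (lab box) .. 5 (business critical), set by the owner
    open_vulns: set = field(default_factory=set)  # findings from the last periodic scan

@dataclass
class Event:
    sensor: str
    target: str
    exploits: str                     # weakness the matched signature targets
    confidence: float                 # sensor's confidence in the detection, 0..1

# Constructed sample data; hosts and vulnerability labels are placeholders.
ASSETS = {a.host: a for a in [
    Asset("hr-db", 5, {"VULN-A"}),
    Asset("web-1", 3, {"VULN-B"}),
    Asset("test-7", 1, {"VULN-A", "VULN-B"}),
]}
EVENTS = [
    Event("ids-1", "test-7", "VULN-A", 0.9),
    Event("ids-1", "hr-db", "VULN-A", 0.6),
    Event("fw-2", "web-1", "VULN-A", 0.9),
    Event("ids-2", "ghost", "VULN-B", 0.8),   # target missing from the asset table
]

def risk(event, assets):
    """Assumed formula: criticality x sensor confidence x exposure."""
    asset = assets.get(event.target)
    if asset is None:
        # Unknown host: assume mid criticality and exposure rather than dropping the event.
        return round(3 * event.confidence * 0.5, 2)
    exposure = 1.0 if event.exploits in asset.open_vulns else 0.2
    return round(asset.criticality * event.confidence * exposure, 2)

def action(score, allow_auto=False):
    """Map a score to a predetermined response tier (thresholds are assumptions)."""
    if score >= 2.5:
        return "isolate-host" if allow_auto else "page-security-manager"
    if score >= 1.0:
        return "notify-system-owner"
    return "log-only"

def triage(events, assets, allow_auto=False):
    """Return (target, score, action) tuples, highest risk first."""
    scored = sorted(((risk(e, assets), e.target) for e in events), reverse=True)
    return [(t, s, action(s, allow_auto)) for s, t in scored]

if __name__ == "__main__":
    for row in triage(EVENTS, ASSETS):
        print(row)
```

The high-confidence alert against the low-value test host ranks below the lower-confidence alert against the critical database, which is the context a single intrusion-detection sensor lacks.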

Sandia National Laboratories, which recently bought the ArcSight suite of tools, already has a mechanism in place that allows managers to take the security events logged by individual intrusion-detection systems or firewalls and send reports to systems administrators whose machines might be at risk, said Jeff Taylor, computer security engineer at Sandia.

"Our thinking with something like the ArcSight tools was that, if an unusual event was seen coming into Sandia, we could go back and reclaim the event and see what the hackers were actually trying to do," he said. "We could look to see what the last scan was on a particular machine to see if it had been compromised."

Once the tools are up and running, Taylor said, they could be configured to signal people on night or weekend shifts, who may not necessarily be security experts, about unusual events. The tools could then alert security managers to take a closer look.

However, the ArcSight tools will not automatically trip security fixes, he said. Systems administrators are responsible for their own machines, "and we don't have a hammer that comes down and tells them what to do, because we really don't understand their requirements."

Many of the tools do allow some form of an automated response. They might shut down a particular communications port, for example, if any suspicious activity is detected on that port.

"But we've found that most organizations are not ready yet to take that step," said Phil Hollows, vice president of product marketing for OpenService Inc.

His company's tools drill down into the correlated data of an attack, determine the type of attack and then link to industry databases that contain information about such attacks and corresponding countermeasures. That information is automatically forwarded to the organization's security manager.

Network Intelligence Corp. follows the same process.

"About two years ago, we thought we would be getting into a more proactive response" with our tools, said Matt Stevens, vice president of marketing and technology for Network Intelligence. "But customers made it clear there was no way they would want that kind of automatic response."

Instead, the company's tools automatically link threat alerts or incidents on the network to public security databases and extract the relevant information for security managers.

In a way, said Niten Ved, chief operating officer and co-founder of netForensics Inc., event management is something of a misnomer for what users are actually demanding of these security tools.

"From a product perspective, they are actually looking for an incident-handling system," he said. "Event management systems are similar to trouble ticketing systems, and from a security perspective these require a tremendous amount of customization. Now they want systems that are much more focused on actually handling security.

"This is a whole new area of expertise that our customers are asking of us," Ved added.

Other industry experts share that view, including Richard Caliari, director of product strategy for Harris Corp., a major solutions provider to government agencies.

"Up to now, the idea has been to provide tools to allow security managers to get a better idea of what's happening," he said. "Now they want those tools to help them configure systems so they will not be as vulnerable to attack, to pre-emptively close out vulnerabilities."

Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@mindspring.com.
