Saturday, September 15, 2007

How Security Event Manager (SEM) Technology Can Facilitate Risk Assessment (Part 2)

What Security Event Management Tools Contribute

Security Event Management (SEM) tools, which correlate and analyze intrusion detection, firewall and other security-relevant output to provide a picture of the security condition of computing systems, networks, and applications, are playing an increasing role in information security programs worldwide. Although log aggregation and powerful event correlation across a wide range of inputs are generally considered the greatest benefits of SEM tools, a growing number of organizations are also using SEM output to support risk assessment efforts. SEM tools aid the risk assessment process by:

  • Helping identify actual threats. Identifying potential threats has traditionally amounted to little more than a guessing exercise. For example, individuals who conduct risk assessments are likely to assume that a Web server located in a network’s external gateway is exposed mainly to threats from external attackers (“hackers”), so other threats are easily overlooked. SEM tool output shows actual attacks, not merely expected ones, and in doing so helps identify previously unanticipated threats. At the same time, threats that have already been identified can be verified, because SEM tools produce empirical data. For example, SEM output might show that 80 percent of attacks on an external Web server originate from unknown external hosts, 10 percent from known external hosts (such as hosts with IP addresses assigned to competitors), and 10 percent from internal hosts. The risk assessment could then be revised to include two threats to that Web server that it had not previously listed: threats from competitors and threats from insiders.

  • Providing more accurate and complete information. No reporting device such as a firewall or intrusion detection system is perfect; every one misses at least some of the events it is designed to detect. An intrusion detection system may, for instance, fail to detect several attacks. SEM tool functionality can, however, help compensate for the limitations of individual reporting devices: correlating firewall output with that of several host-based agents may identify attacks that the intrusion detection system missed. The same principle applies to false alarms. If an intrusion detection system raises an alert but neither the firewalls nor the host-based agents have seen the corresponding activity, an effective SEM tool is likely to suppress the alarm. In practice, suppression should mean lowering the alert’s confidence and holding it for review rather than discarding it, since a firewall that permits the port in question and a host agent that is not watching the affected service will be equally silent about a real attack and a false one. The more accurate and complete the information about security-related incidents, the more accurate risk assessments will be.

  • Providing objective probability data. Because SEM tools provide empirical data about attacks and their sources, an observed frequency of attack for each threat can readily be derived. The percentages in the earlier hypothetical example of a Web server in an organization’s external gateway illustrate the value of SEM tools in estimating such probabilities. These figures are relative frequencies of detected attacks over the monitoring period, so they are only as good as the sensors’ coverage and the length of that period, and they should be reported together with the underlying counts. The more precise and objective the percentages, the more accurate risk assessments will be.

  • Facilitating a more comprehensive view of risk. SEM tools deployed over extended periods of time help compensate for a major limitation of risk assessments, namely that they provide a view of risk only for a particular snapshot of time. Critics of risk assessment in fact generally point out that a recently conducted risk assessment is outdated as soon as it is completed. In contrast, SEM tools collect information concerning security-related events initiated from a variety of sources continuously over time; they thus help build a more comprehensive view of what really is occurring over time.

  • Providing sanity checking for asset valuation. As mentioned previously, asset valuation is virtually always a critical step in performing risk assessments. Effective SEM tools also provide a sanity check on the asset valuation process by allowing an importance metric to be assigned to each asset. For example, if the asset valuation process has identified a certain asset as extremely important, but those who operate the SEM tool rate that asset as a 1 on a scale from 1 to 10, there is a significant discrepancy that needs to be resolved.
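The three benefits described above (threat identification from observed sources, cross-sensor corroboration of alerts, and attack frequencies per threat) can be illustrated on a handful of events. The following Python script is an added example written for this page; it is not High Tower code and does not reflect how any particular SEM product works internally. The log format, the address plan (RFC 1918 space treated as internal, one IETF documentation range standing in for a competitor’s netblock), the 30-second correlation window and the sample events themselves are all constructed for the example.

```python
"""Correlate constructed firewall, IDS and host-agent events, then summarize
confirmed attacks per asset by source class, the way the text's 80/10/10
example reads SEM output. Added illustration, not vendor code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed address plan (constructed): RFC 1918 space is "internal"; the
# 203.0.113.0/24 documentation range plays the role of a competitor's block.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
KNOWN_EXTERNAL = {ip_network("203.0.113.0/24"): "competitor-A"}


def classify_source(ip):
    """Bucket a source address into the classes used in the text."""
    addr = ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    for net, owner in KNOWN_EXTERNAL.items():
        if addr in net:
            return "known external (%s)" % owner
    return "unknown external"


T0 = datetime(2007, 9, 15, 10, 0, 0)


def ev(offset_s, sensor, src, dst, detail):
    """Build one normalized event; offset_s is seconds after T0."""
    return {"ts": T0 + timedelta(seconds=offset_s), "sensor": sensor,
            "src": src, "dst": dst, "detail": detail}


# Constructed sample events from three reporting devices watching one
# gateway web server (web-01). Only documentation and RFC 1918 addresses.
EVENTS = [
    ev(4, "firewall", "198.51.100.7", "web-01", "ALLOW tcp/80"),
    ev(5, "ids", "198.51.100.7", "web-01", "HTTP directory traversal"),
    ev(6, "host", "198.51.100.7", "web-01", "httpd: ../ in request URI"),
    ev(59, "firewall", "203.0.113.9", "web-01", "ALLOW tcp/80"),
    ev(60, "ids", "203.0.113.9", "web-01", "SQL injection attempt"),
    ev(120, "ids", "10.0.5.12", "web-01", "SQL injection attempt"),
    ev(121, "host", "10.0.5.12", "web-01", "httpd: UNION SELECT in query"),
    ev(180, "ids", "192.0.2.50", "web-01", "shellcode in HTTP payload"),
    ev(240, "firewall", "198.51.100.20", "web-01", "ALLOW tcp/22"),
    ev(242, "host", "198.51.100.20", "web-01", "sshd: 5 failed logins"),
]


def corroborating(alert, events, window):
    """Names of other sensors that saw the same src->dst inside the window."""
    return sorted({e["sensor"] for e in events
                   if e is not alert and e["sensor"] != alert["sensor"]
                   and e["src"] == alert["src"] and e["dst"] == alert["dst"]
                   and abs(e["ts"] - alert["ts"]) <= window})


def correlate(events, window=timedelta(seconds=30)):
    """Return (confirmed_attacks, unconfirmed_alerts).

    An IDS alert is confirmed when the firewall or a host agent saw the same
    source reach the same asset; otherwise it is held for review rather than
    dropped, since silence from a sensor with no visibility proves nothing.
    A host-agent event backed by the firewall but with no IDS alert at all is
    an attack the IDS missed and is counted as confirmed as well.
    """
    confirmed, unconfirmed = [], []
    for e in events:
        if e["sensor"] == "ids":
            others = corroborating(e, events, window)
            status = "confirmed" if others else "unconfirmed"
            (confirmed if others else unconfirmed).append(
                dict(e, status=status, by=others))
        elif e["sensor"] == "host":
            others = corroborating(e, events, window)
            if "firewall" in others and "ids" not in others:
                confirmed.append(dict(e, status="ids-missed", by=others))
    return confirmed, unconfirmed


def source_breakdown(confirmed):
    """Per asset: (count, percent) of confirmed attacks by source class.
    The count is kept next to the percentage so the reader can judge how
    much evidence sits behind each figure."""
    per_asset = defaultdict(Counter)
    for a in confirmed:
        per_asset[a["dst"]][classify_source(a["src"])] += 1
    return {asset: {cls: (n, round(100.0 * n / sum(c.values()), 1))
                    for cls, n in c.items()}
            for asset, c in per_asset.items()}


if __name__ == "__main__":
    confirmed, unconfirmed = correlate(EVENTS)
    for a in confirmed:
        print(a["ts"].time(), a["status"], a["src"], "->", a["dst"],
              a["detail"], "corroborated by", a["by"])
    for a in unconfirmed:
        print(a["ts"].time(), "REVIEW (single sensor)", a["src"], a["detail"])
    print(source_breakdown(confirmed))
```

On the constructed input, three IDS alerts are corroborated, the shellcode alert from 192.0.2.50 is seen by no other sensor and goes to the review queue, and the SSH brute-force attempt that only the firewall and host agent recorded is counted as an attack the IDS missed. The breakdown for web-01 then reads 50 percent unknown external, 25 percent known external (the assumed competitor block) and 25 percent internal, with four events behind it, which is exactly the kind of figure a risk assessor should treat as a relative frequency of detected attacks rather than a probability.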

Conclusion
SEM technology yields a wide range of benefits (see http://www.high-tower.com/news_white_papers_stm.asp). The technology has improved to the point that there are now compelling reasons for organizations to use it in connection with their information security programs. Using SEM technology to support risk assessment is one among many important benefits. In particular, SEM tool output can provide empirical information that is usually not otherwise available during the risk assessment process.

Most SEM systems available in the market share a common set of baseline features: event collection, aggregation, correlation, analysis and response. These features should be evaluated when selecting a SEM vendor after a risk assessment has been performed. When selecting a SEM tool it is important to look at functional capabilities with a specific focus on critical criteria such as ease of deployment, integration of vulnerability assessment data, and monitoring and reporting functionality for regulatory and audit compliance. In short, because of all they deliver for the price, SEM tools should be viewed as an investment, not an expense. Investing in network security measures that meet changing business requirements and risks makes it possible to satisfy those requirements and enable business processes without interfering with the business’s viability.

About High Tower
High Tower Software provides advanced security event management solutions that quickly improve organizational security while simplifying processes for network and security administrators. The company’s flagship product, High Tower® Security Event Manager, leverages patented analytic technology to intelligently assess security risk conditions, reduce false positives, and deliver a streamlined view of active threats to the enterprise network. For more information on High Tower’s products, please visit our Web site at www.high-tower.com or call 877-HI TOWER (877-448-6937).


How Security Event Manager (SEM) Technology Can Facilitate Risk Assessment (Part 1)

By
E. Eugene Schultz,
Ph.D., CISSP, CISM
High Tower Software, Inc.