Security
FEATURE
Connect the Dots

  April 1, 2002
  By Greg Shipley


If you're an IT security practitioner, a phalanx of intricately aligned defense mechanisms is at your disposal. Your perimeter defense strategy comprises firewalls, routers and intrusion-detection systems. You're running intrusion-prevention software on key machines, with host-based intrusion-detection systems watching their backs. You're inspecting your logs, monitoring key files, unifying your authentication efforts and encrypting key data components. To top it off, your automated vulnerability-assessment scanners help your administrators keep up with the required patching efforts.



But this dreamland quickly turns into a nightmare the second the seas of data start flooding your world. Hundreds of log entries, thousands of vulnerability alarms, six digits' worth of IDS alerts -- millions of events to sift through. You're suddenly faced with an entirely new set of questions -- the primary one being, Where do I begin?

Many organizations are swallowing security technology faster than they can digest it. In fact, the market for intrusion-detection and vulnerability-assessment hardware and software alone increased by more than 90 percent from 1999 to 2000, to $539.5 million, according to Charles Kolodgy, an analyst at IDC, a research firm based in Framingham, Mass. The latest security suites aren't effective if the operators can't handle the sheer volume of information being hurled their way; security personnel are slammed enough as is.


Organizations rarely have the resources to investigate every event. Instead, they must attempt to identify and address the top issues, using the tools they've been given. Security personnel are being forced to practice triage: Tackle the highest-impact problems first and move on from there. The problem is, those high-risk items are usually buried under mountains of data.

An emerging field, SIM (security information management), helps keep security teams sane by empowering their operators and helping identify some of those higher-risk security events. By combining data aggregation with correlation technologies, SIM products attempt to harness the power of security data and provide the answer to a very important question for security personnel: Where should I be focusing my attention? Data-correlation techniques can do this by answering specific questions like "Have I seen this attacker's IP address before?" "Where have I seen it before?" and "How many times have I seen it before?" Some products, such as Intellitactics' Network Security Manager (NSM), even let operators classify system values, giving security teams the ability to visually discern high-impact attacks against more critical systems.

Aggregation & Correlation 101

SIM products are typically vendor-neutral and can answer the above questions using data mined from multiple products manufactured by an assortment of vendors.

But to truly appreciate SIM products' abilities and limitations, you need a grasp on the technology that drives them. The concept of storing data in a relational database and running searches on it is obviously not new. However, in the context of security products, the methods of sorting, presenting and querying data from varying device types are relatively new.

Aggregation and correlation are actually different functions. In fact, even the term aggregation can be used in different contexts. For example, data aggregation often refers to the consolidation of information into a single point of storage. Moving all router logs into a SQL-enabled database is a data-aggregation technique. Event aggregation, on the other hand, is often used to describe the act of taking a number of similar alerts or events and representing them to the end user as a single message. In the IDS (intrusion-detection system) world, this might be implemented by taking a set of intruder activities (say, a reconnaissance probe, a banner grab and an exploit attempt) and consolidating them into a single alert: "Hey -- Bozo X at IP address y.y.y.y is attacking Web Server Z!" Data aggregation is used simply as a method of herding data, while event aggregation is often employed as a means of reducing the overwhelming number of events an administrator might have to handle.

Correlation is a totally different beast. Correlation techniques typically build on previously aggregated information with the intention of performing higher-level analysis. Correlation techniques can provide insight into how many places an attacker has been, how many attacks a particular source has executed over time and what systems or networks within the organization are under the fiercest siege. Some advanced correlation engines go a step further by adding real-time, rules-driven event-handling capabilities. For example, you might create a rule that says: if condition X occurs with IP address Y, store Y; and if condition Z later occurs with that same IP address Y, then perform some predefined action (generate an alert, send off a page or launch some script). This is where the real value comes in and why these products are sure to catch on for large security operations.
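To make the distinction between event aggregation and correlation concrete, here is a small added example (not code from the article or from any SIM product) that runs both over a handful of constructed sensor events: aggregation collapses a probe, banner grab and exploit attempt from one source into a single alert, and a correlation rule of the "condition X, then condition Z, from the same address" form fires an action weighted by an assumed asset-value classification. The event fields, sensor names and asset values are all assumptions.

```python
# Added example: a minimal aggregation-and-correlation pass over constructed
# IDS / web-log events. Field names, event types and asset values are assumed.
from collections import defaultdict

# Constructed sample events from two hypothetical sensors.
EVENTS = [
    {"src": "10.0.0.5", "dst": "web1", "sensor": "ids", "type": "recon_probe"},
    {"src": "10.0.0.5", "dst": "web1", "sensor": "ids", "type": "banner_grab"},
    {"src": "10.0.0.5", "dst": "web1", "sensor": "weblog", "type": "exploit_attempt"},
    {"src": "10.0.0.9", "dst": "mail1", "sensor": "ids", "type": "recon_probe"},
    {"src": "10.0.0.5", "dst": "db1", "sensor": "ids", "type": "recon_probe"},
]

# Assumed "system value" classification: higher means more critical.
ASSET_VALUE = {"web1": 3, "db1": 5, "mail1": 2}


def aggregate_events(events):
    """Event aggregation: fold every event from one source against one target
    into a single alert that carries the set of observed activity types."""
    alerts = {}
    for e in events:
        alerts.setdefault((e["src"], e["dst"]), set()).add(e["type"])
    return alerts


def correlate(events):
    """Correlation over the aggregated data: where has each source been seen,
    how many times, and which rule-driven actions fire (highest score first)."""
    seen_at = defaultdict(set)   # source IP -> set of targets it touched
    counts = defaultdict(int)    # source IP -> total events across all sensors
    for e in events:
        seen_at[e["src"]].add(e["dst"])
        counts[e["src"]] += 1

    actions = []
    # Rule: condition X (recon_probe) and condition Z (exploit_attempt) seen
    # from the same source against the same target -> predefined action,
    # scored by target criticality times how active that source has been.
    for (src, dst), types in aggregate_events(events).items():
        if "recon_probe" in types and "exploit_attempt" in types:
            actions.append((src, dst, ASSET_VALUE.get(dst, 1) * counts[src]))
    actions.sort(key=lambda a: a[2], reverse=True)
    return {"seen_at": dict(seen_at), "counts": dict(counts), "actions": actions}
```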

By arming security personnel with the tools capable of coordinating data output from varying sources, organizations can break some of the vendor-sponsored restrictions when facing the need for security triage. That's the vision anyway. The reality falls somewhere between this utopian sight and a slice of chaotic blindness. Welcome to version 1.0, baby.

