Aug 10 2010

Security Smarts

Agencies employ security information and event management systems to make sense of security alerts.

As cyberthreats proliferate and become more dangerous, IT professionals need all the help they can get to protect their organizations. Enter security information and event management (SIEM), an essential tool for analyzing and prioritizing the plethora of event information and security logs that networks generate.

Available from makers such as Check Point, Cisco Systems, Juniper Networks, Novell, RSA and Symantec, SIEM systems help IT react to security incidents quickly, says Jerry Shenk, senior analyst with the SANS Institute. By analyzing and correlating events that occur on a network — from a user logging on to a database being queried to a router being unplugged — then prioritizing these events according to preset definitions, SIEM sifts through millions of log records to efficiently report on the critical incidents that require immediate attention. Reporting capabilities also aid investigations and further regulatory compliance by providing a record of events.

SIEM is helping Navy security analysts make sense of the onslaught of alarms and other information generated by devices on its network, which supports roughly 1 million users. Before deploying SIEM, it had been physically impossible to keep up with the alarms that the Navy’s many intrusion detection systems were producing on a daily basis.

“There was so much data that the people we had on watch had 1.4 seconds to look at each alarm, if they never did anything else during the entire day,” says Jim Granger, director of capabilities and readiness at the Navy Cyber Defense Operations Command (NCDOC) in Virginia Beach, Va. “We knew we were going to deploy more IDSes, and we knew we needed something to handle those alarms.” The Navy chose Novell Sentinel to be the front end for Prometheus, the cyberdefense arm’s suite of tools that monitor, report on and prevent malicious activity on the network. NCDOC relies on Sentinel for the aggregation, correlation and filtering of security alarms and information coming from the many devices attached to the Navy’s network.

“Sentinel offers our analysts a lot more opportunity to dig into the information in ways that they weren’t able to see it before — there was too much of it, it wasn’t in context, and they couldn’t digest it,” says Granger.

Now the Navy’s security pros can keep up with the growing number of alerts as the Navy adds more devices to the network. “What we’ve found is that the amount of sensors we have has grown considerably faster than our manpower,” he says. “We haven’t reduced manpower, but we can add a lot less manpower because of Sentinel than if we didn’t use it. If I multiply the number of sensors by 10, I only need to double or triple my manpower.”

Conquering Complexity

The need for SIEM is evident, says Shenk. “Even very small organizations can generate millions of events a day, and you simply can’t read all of those logs,” he says. “People need something to help them process all of that information.”

[Sidebar figure (value not recoverable): Percentage of respondents at midsize organizations who said detecting and preventing unauthorized access and insider abuse was the top reason to use log management, which is a subset of SIEM. Source: SANS Institute, June 2010]

Using SIEM and other security tools from ArcSight to correlate alerts and events from all the devices on its 58,000-user network, the Federal Aviation Administration’s Cyber Security Management Center has been able to reduce staff while still effectively detecting potential threats.

“Instead of having five to eight people on a midnight shift, we now have two or three,” says Christopher Garcia, director of the center. “The technology is doing all the very basic, grunt-level work so we don’t have to hire people to do that; we can reallocate or cut back on personnel.” With ArcSight performing the first level of analysis, Garcia’s staff can focus on the second and third levels, thereby making better use of their time.

ArcSight’s ability to correlate and integrate data in real time, with a high volume of input and from a wide variety of sources, is particularly helpful, says Garcia. “ArcSight has more connections and can take in more feeds than any other product.”

Once an organization trains its SIEM product to understand the organization’s environment and its security priorities, IT staff can spend less time scanning logs and chasing down alerts because SIEM products consolidate that information in order of importance, as defined by the organization. Shenk says this makes IT staff more productive because they can rely on SIEM to tell them when an event is routine and can be reviewed later — if at all — versus a security incident that requires immediate attention.
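The correlation and prioritization described above (events from logon servers, databases and routers, preset priorities, routine versus immediate) can be sketched in a few dozen lines. This is an added illustration, not code from Sentinel, ArcSight or any of the agencies quoted; the event records, rule thresholds and priority numbers are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events of the kind a SIEM aggregates from domain
# controllers, databases and routers (not data from the page's agencies).
EVENTS = [
    {"t": 1, "src": "dc01", "type": "logon_failed", "user": "alice"},
    {"t": 2, "src": "dc01", "type": "logon_failed", "user": "alice"},
    {"t": 3, "src": "dc01", "type": "logon_failed", "user": "alice"},
    {"t": 4, "src": "dc01", "type": "logon_ok", "user": "alice"},
    {"t": 5, "src": "db01", "type": "db_query", "user": "alice"},
    {"t": 6, "src": "dc02", "type": "logon_ok", "user": "bob"},
    {"t": 7, "src": "db01", "type": "db_query", "user": "bob"},
    {"t": 8, "src": "rtr01", "type": "link_down", "user": None},
]

# Preset definitions (hypothetical): base priority per event type, and the
# level at or below which an event is routine and can be reviewed later.
BASE_PRIORITY = {"logon_failed": 1, "logon_ok": 0, "db_query": 0, "link_down": 3}
ROUTINE_MAX = 1
FAIL_THRESHOLD, WINDOW = 3, 5  # failures within WINDOW ticks before a success


def triage(events):
    """Correlate events per user; return (incidents, routine_count), incidents highest first."""
    failures = defaultdict(list)   # user -> times of failed logons
    suspect_until = {}             # user -> time until which that user stays suspect
    incidents, routine = [], 0
    for e in sorted(events, key=lambda ev: ev["t"]):
        prio = BASE_PRIORITY.get(e["type"], 1)   # unknown types get a look
        desc = f"{e['src']} {e['type']} user={e['user']}"
        if e["type"] == "logon_failed":
            failures[e["user"]].append(e["t"])
        elif e["type"] == "logon_ok":
            recent = [t for t in failures[e["user"]] if e["t"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:   # rule: success right after a burst of failures
                prio, suspect_until[e["user"]] = 2, e["t"] + WINDOW
                desc = f"{e['user']} logged on after {len(recent)} failures"
        elif e["type"] == "db_query" and e["t"] <= suspect_until.get(e["user"], -1):
            prio, desc = 3, f"{e['user']} queried {e['src']} while suspect"  # escalate
        if prio > ROUTINE_MAX:
            incidents.append((prio, desc))
        else:
            routine += 1                       # held for later review, if at all
    incidents.sort(key=lambda i: -i[0])
    return incidents, routine
```

On the sample above, five of the eight events are filed as routine and the analyst sees three incidents, with the database query by the just-suspect account and the router link loss at the top.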