Security event managers rule the roost

Sep 23, 2005

SEM products from e-Security, Network Intelligence, and Symantec return similar results despite different monitoring styles

See editor’s note at end of review

You won’t find many IT products as ambitious as the SEM (security event manager), which attempts no less than to track, correlate, and ultimately make sense of a vast number of events occurring throughout a sprawling enterprise network.

SEMs monitor the logs from security devices such as firewalls; watch over vulnerabilities uncovered by vulnerability scanners; and monitor the activities of operating systems, Web servers, PBXes, and any other device that resides on the network. They also, of course, keep tabs on users and managers as they go about their normal — or not-so-normal — activities.

These products can also be tasked with carrying out functions related to all of the above responsibilities, such as looking for devices or activities that don’t comply with regulations or company policies. Moreover, they have to report what they find in a manner that mere mortals can understand, and they must preserve everything in an auditable form.

Being all things to all people isn’t easy. These products are complex. Fortunately, our evaluation of SEMs from e-Security, Network Intelligence, and Symantec was aided greatly by the vendors themselves, who supplied field engineers to configure their solutions for our test network, demonstrate their SEM’s capabilities, and submit their products to our tests of essential SEM functions. Our primary test was to evaluate the solutions’ monitoring and correlation capabilities, using a Spirent Avalanche load-testing appliance to simulate a combination of legitimate network traffic (administrative, Web, and e-mail) and suspicious activity (viruses, worms, break-ins, and attempts at unauthorized access).

In addition, we focused on manageability features, including the power and ease of configuring case workflow and detection rules, and the ease with which day-to-day users could view the necessary information about security events. We also considered interoperability and scalability, including how easily each product could integrate into an existing enterprise infrastructure, the number and types of devices it could collect information from, and features for handling large volumes of events and large amounts of data. We did not test performance; the events-per-second figures noted below, which represent the number of events each solution can process when running on dual-Xeon hardware, were supplied by the vendors.

By the time we finished our testing and carted the smoking remains of our first infrastructure to that great repair depot in the sky, we’d found that there is no single road to SEM success. In fact, with these relatively different SEMs, we were, quite frankly, surprised that their results tended to be uniform.

An SEM primer

There are two types of SEMs — appliances and software applications — and the products reviewed here span both categories. The Symantec Security Information Manager 9550 and the Network Intelligence 7550-HA are appliances. The e-Security product, Sentinel 5.1, is a software package that must be installed on a server.

The advantage of choosing an appliance over a software-only solution is that you get a machine that’s designed and optimized specifically for that purpose. For example, both of the appliances came with their databases already installed and configured.

But that’s not to suggest that a software-only SEM is an inferior approach. As long as you provision at least the server hardware the vendor recommends, you’ll be fine.

All three products tested were fairly easy to install, but the appliance-based solutions were by far the most straightforward. Although it’s not particularly difficult to bring up an SEM, there’s a lot more work to be done behind the scenes: You’ll have to find a way for the SEM to get information from all of the devices on the network.

Some of the SEM products made the process of adjusting to the network easier than others did. The Symantec 9550, for example, auto-detected much of the information about the network and therefore required less user input. But all of the products required configuration and tuning to ensure that every device on the network was actually delivering its information to the SEM.

As a result, the full SEM configuration process may take many more hours, or even days, beyond initial setup, depending on your infrastructure and staff expertise. In other words, don’t plan on having one of these up and running if you start the deployment process a week before your Sarbanes-Oxley or HIPAA audit.

When everything is up and running, there is no advantage to having an appliance or a software-only SEM. Both types performed well, and our top-scoring products included one of each: the Network Intelligence 7550-HA appliance and the e-Security Sentinel 5.1 application.

e-Security Sentinel 5.1

e-Security’s engineers made short work of incorporating the firewalls, switches, servers, Snort IDS, and other devices on our test network into their SEM, as well as two devices none of the vendors were prepared for: an Extreme Summit replacement switch and an Ingate SIP firewall. Ultimately, all of the vendors were able to hook these in, but e-Security was the fastest, completing the job in less than an hour.

Sentinel proved easy to use and very powerful. The product’s graphical display is designed to give you a very clear look at the overall status of your enterprise yet makes it simple to see the data behind the images. If you click on a device on the network, for example, you can see immediately what other devices it communicates with, as well as view all problem IP addresses at a glance.

When you discover a potential problem, the product’s iTrac module manages nearly all of the steps required to investigate it. It makes sure that all policies and procedures are recorded and followed as required, and you can add additional functions and policies for your company’s specific needs.

e-Security designed Sentinel so that it can be operated by a number of people, each with defined tasks. In a practice that’s becoming more common in security products, Sentinel’s policies ensure that security managers can see only those functions they are authorized to perform.

Sentinel depends on its message bus, which works with its correlation engine to allow for high-speed event correlations. According to e-Security, Sentinel can operate at speeds above 6,000 events per second on a single machine, plenty fast enough to handle normal enterprise demands.

Version 5.1 adds Control Packs, applications that run on top of Sentinel, improve usability, and offer additional features. For example, the compliance Control Packs include agents, correlation rules, and process templates to address compliance with regulations such as Sarb-Ox, HIPAA, or PCI. (Of course, e-Security is not alone here; all of the vendors in this roundup offer compliance-oriented features.)

You can integrate e-Security Sentinel with existing trouble-ticket or help-desk products, and it works with most vulnerability scanners and virtually every IDS and firewall. iTrac allows you to integrate workflows such as event and vulnerability remediation, trouble-ticket tracking, and more, reducing the chance for errors. In addition, it can cross-map between vulnerability scanners and your IDS to evaluate potential threats, and it includes an advisor that will offer remedies for security problems.

We were impressed with Sentinel’s speed, flexibility, and capacity. Its clear displays not only give you the big picture but also deliver any level of detail you want with a few mouse clicks. Sentinel has only become easier to use and integrate into your enterprise; if you need an SEM, you can’t go wrong here.

Network Intelligence 7550-HA

Network Intelligence built the HA series of SEM appliances for speed, and it shows. The midrange 7550 we tested can handle steady streams of 7,500 events per second, and it can handle bursts above 9,000.

It’s important to note that the three speed limits on this box — 2,500, 5,000, and 7,500 events per second — are license-driven and that you can upgrade with a relatively quick license change. In fact, because the hardware event-processing speed is modular, it will handle event bursts that exceed your events-per-second license limit. A company representative said Network Intelligence would never allow license limits to cause events to be dropped, so you get all of the capability and speed of the more powerful device for less money if you have a smaller network.

One reason for this speed is Network Intelligence’s nonrelational database. The proprietary database is designed specifically for gathering and storing security events as quickly as possible. The 7550 doesn’t use a relational database, so it can compress collected data by 95 percent. Also, the database isn’t normalized, so no event data is lost. Each event receives a digital fingerprint to prove the chain of custody.

A unique feature of the 7550-HA is system baselining. The 7550-HA learns the enterprise’s normal operational characteristics and can raise alarms if normal parameters are violated. This is especially useful in zero-day attacks, where the signatures necessary to detect the threat don’t yet exist.

In addition to being fast, the 7550-HA appliance can detect “low-and-slow” attacks. Events are stored for correlation for 30 hours, so security events that happen only occasionally, such as a bad user or password entry from a single IP address outside the network, are still picked up and monitored to ensure they aren’t under-the-radar break-in attempts. Although other SEMs have similar capabilities, only the 7550 retains events in active memory for such a long time.
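To make the 30-hour correlation window concrete, here is an added example that is not code from the review or from Network Intelligence: it retains failed-login events per outside source address for 30 hours and raises an alert once enough of them accumulate, so a handful of attempts spread across more than a day still surfaces. The log lines, the alert threshold and the internal address range are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the review): four failed logins from
# one outside address spread over ~30 hours, plus internal noise.
SAMPLE_LOGS = """\
2005-09-20T01:10:00 sshd: Failed password for admin from 203.0.113.7
2005-09-20T02:15:00 sshd: Accepted password for alice from 10.0.0.5
2005-09-20T09:40:00 sshd: Failed password for root from 203.0.113.7
2005-09-20T18:05:00 sshd: Failed password for alice from 10.0.0.9
2005-09-21T03:30:00 sshd: Failed password for admin from 203.0.113.7
2005-09-21T06:59:00 sshd: Failed password for guest from 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")
INTERNAL_PREFIXES = ("10.",)  # constructed: treat 10/8 as "inside the network"


def sample_lines():
    """Return the constructed log lines as a list."""
    return SAMPLE_LOGS.splitlines()


def parse_failed_login(line):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect_low_and_slow(lines, threshold=4, retention_hours=30):
    """Sorted list of outside IPs with >= threshold failures inside the window.

    Each source keeps a queue of failure timestamps; entries older than
    retention_hours relative to the newest event are dropped, mirroring an
    SEM that only correlates events it still holds in memory.
    """
    retention = timedelta(hours=retention_hours)
    window = defaultdict(deque)
    alerts = set()
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None or parsed[2].startswith(INTERNAL_PREFIXES):
            continue
        ts, _user, src = parsed
        q = window[src]
        q.append(ts)
        while q and ts - q[0] > retention:
            q.popleft()  # event aged out of the correlation window
        if len(q) >= threshold:
            alerts.add(src)
    return sorted(alerts)
```

With the default 30-hour window the outside address is flagged; rerunning with a 12-hour window lets the early attempts age out and the same activity goes unnoticed.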

The 7550-HA’s enVision management software uses a speedometer and gauge metaphor to display important information at a glance, with more detailed data only a click away. Much of the background information is displayed as charts and graphs in the well-organized and well-designed interface.

As does e-Security Sentinel, the Network Intelligence appliance can set permissions for different levels of users, as well as individual permissions so that console operators can see only the tasks they’re permitted to perform. Network Intelligence also added a complete set of compliance reporting and monitoring functions to the latest version of the 7550-HA.

The 7550-HA is easy to use, easy to implement, and blazingly fast. It should meet any enterprise’s security management needs.

Symantec Security Information Manager 9550 Appliance

Symantec’s new appliance enters a very competitive market with a capability that nothing else can match — a complete subscription to the company’s impressive DeepSight Threat Management System. The DeepSight global security service gives the 9550 access to intelligence about security events happening elsewhere around the world.

Aside from the DeepSight connection, Symantec’s appliance includes IBM’s DB2 relational database, a terabyte of storage, and support for external storage and external databases.

You can use both your vulnerability scanner and DeepSight to determine your risk exposure and the business impact of security events. Symantec also includes the company’s LiveUpdate feature, which will keep the 9550 constantly updated with the latest security alerts and advisories.

As delivered, the 9550 can collect and store as many as 3,000 events per second — an average rate — but its correlation engine can handle 21,000. It scales reasonably well, although the only means of scaling is to buy more hardware. Larger enterprises can choose to bolster the 9550 with less-expensive 9500 collection engines.

You operate the 9550 using Web and Java interfaces. Unfortunately, the Java virtual machine used by Symantec is Windows-specific. Although the interface is well designed and organized, the dashboard is something of a look-but-don’t-touch display: Clicking on the graphics, for example, won’t let you drill down. If you move to the graphs that support the dashboard, however, you can drill down from there — so although the dashboard display is inconvenient, it’s not the big hurdle it might seem.

The Symantec 9550 has some powerful SEM capabilities and is quite good, especially for smaller organizations where scalability isn’t a concern. With its links to DeepSight and LiveUpdate, Symantec has the potential to make some major strides in managing security for large enterprises.

SEM selection: No simple task

Choosing a security event manager is not a task to be taken lightly. The SEM will have access to your company’s most intimate details, and it will affect every aspect of your company’s daily life. It must be capable of collecting information from any device on your network, of churning through high volumes of network activity, and of identifying meaningful events — real security threats or policy violations — in a sea of noise.

In these respects, all three solutions deliver the goods. Whichever of these SEMs you choose, you’ll no doubt find that it will talk to anything you need it to. Network Intelligence and e-Security did the best job of this in our test, although Symantec deserves kudos for providing a solid tool for designing custom collectors.

Similarly, all three SEMs adequately identified meaningful events among all of the activity on our test network; they even discovered an incompletely configured DNS server we were unaware of before testing. The important differences we found were in ease of use, manageability, and scalability. In these respects, e-Security Sentinel and the Network Intelligence 7550-HA held the edge.

In addition to providing the best user interfaces and reporting features, e-Security Sentinel and the Network Intelligence 7550-HA can handle a heavy transaction load. Ultimately, the scalable architectures of these two solutions should also result in more powerful correlation capabilities because they are capable of taking more data into account.

This is not, however, to suggest that the Symantec solution is unsuitable. If Symantec’s global intelligence service and automated updating are vital because your company has global exposure, then its somewhat lower level of performance might not be a problem.

In short, all of these products get the job done. The one that’s best for your company will depend very much on your organization’s size, scope, and security needs.

Editor’s note: The original version of this article included reviews of ArcSight Enterprise Security Manager 3.0 and Micromuse Netcool/NeuSecure 3.0. Because inaccuracies regarding the features and capabilities of the ArcSight and Micromuse products may have compromised their evaluations, we have removed these products from the review.

InfoWorld Scorecard (the overall score is the weighted average of the category scores)

                                            Security  Value  Interoperability  Manageability  Ease of use  Scalability  Overall
Weight                                      10%       10%    20%               10%            20%          30%          100%
e-Security Sentinel 5.1                     9.0       8.0    9.0               9.0            9.0          10.0         9.2
Network Intelligence 7550-HA                9.0       8.0    9.0               9.0            9.0          10.0         9.2
Symantec Security Information Manager 9550  9.0       7.0    8.0               8.0            9.0          8.0          8.2