Single architecture is the end goal

Security is generally a system made up of different parts, and enterprises want those disparate parts to communicate with each other. The conundrum is that they also want to purchase best of breed which can lead to a mosaic of vendor goods.

Avnet Corp., a computer and electronics distribution company, has been beta testing a security management system for eight months in an effort to bring together tools with distinct management architectures.

Steve Jeffers, manager of enterprise security services for Phoenix, Ariz.-based Avnet, said the company had been using Symantec Corp.’s ESM (Enterprise Security Manager), a policy and configuration management and auditing tool, and Symantec’s host-based intrusion detection tool for almost three years.

When he decided he would like to integrate those tools, he found that Symantec had a product coming out that he could beta test. Jeffers and his staff have been using SSMS (Symantec Security Management System) to converge their tools to a single management architecture and reporting console.

SSMS is a set of management applications designed to help CIOs and CSOs control their security infrastructure and correlated information.

Symantec said this tool would allow Symantec’s event-management and incident-management tools to talk to each other, and even to integrate with non-Symantec tools.

The management system is built on Symantec’s new platform – the Symantec Enterprise Security Architecture (SESA) – which is the common foundation that all future Symantec products will be built on. It’s based on open standards, and it will allow security tools to run on Microsoft, Linux, AIX, Unix and other platforms.

Avnet has expanded its initial implementation by testing the ISS RealSecure collector, Symantec’s tool for bringing network-based intrusion detection reports from another vendor’s product, RealSecure from ISS (Internet Security Systems), into the console. The company is going to look at applications next. Jeffers said if they can code some collection from the event logs of applications and prompts, then they can bring those under the SSMS umbrella.

“From the reporting and consolidation perspective, every product that you bring in under that umbrella simplifies your understanding of all of the disparate alerts and events that are being reported by all these systems,” Jeffers said.

He added that it makes a compelling argument, similar to the argument network management went through years ago. “Back then you had Cabletron and Bay Networks – how do you report all that and manage it under one roof?

“Direct management of (security systems) is going to be a little more tricky than it was for network management because you are not going to be able to settle on that 90 per cent Cisco shop. You’re going to be, ‘Well, I’ve got intrusion detection for my network, for my application security, platforms, e-mail security.’ I don’t think you’ll ever see all those come under one complete umbrella.”

Security products will continue to be more diverse because there is a strong argument for best of breed purchasing, according to Jeffers.

“The Symantec product does a great job of managing Symantec products. I think a lot of vendors are moving into this SIM (security information management) space, and they are going to have that issue too,” Jeffers said.

Felipe Zarate, vice-president of business development for New York-based Net2s Inc., a technology consulting firm with an arm devoted to security implementations, said the need for this type of openness between products will depend on the implementation. There have been mumbles about interoperability between security products for some time, according to Zarate.

“This is just the same story,” he said. “But coming from a company that has acquired some of the technology Symantec has, it looks like they have the main ingredients. It all depends how they cook them.”

Zarate was referring to Symantec’s July acquisition of Riptech Inc., which provided managed security services and real-time information protection through its Caltarian technology platform. “I think the time is right for consolidation and Symantec has taken some of the best steps to get into this market.”

The key now, Zarate said, will be seeing if Symantec can walk the walk. “They are going to be able to sell this management solution, but can they deliver? There is nobody else with this product today.”

Kevin Krempulec, Canadian corporate manager for Symantec, said the biggest concern for customers is that there is too much data from various disconnected devices and system alerts.

Jeffers concurred, saying that it is important to be able to separate the wheat from the chaff. False positives, which Jeffers called “par for the course,” are a given; what security managers want is a tool that can coalesce all those events so they can produce a new set of alerts that are more in tune with the enterprise.
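The consolidation Jeffers describes has three parts: per-product collectors that translate each tool’s own log format into one common event schema, enterprise tuning that drops the signatures a given shop knows to be noise, and correlation that turns many low-level events into a smaller set of alerts. The following Python is an added illustration of that pipeline and is not code from Symantec, Avnet or the SSMS product; the two log formats, the sensor names, the IP addresses and the tuning rule are all constructed for the example, and the correlation rule (same source seen by more than one sensor type inside a five-minute window) is one simple choice among many.

```python
"""Added example: normalize events from two differently formatted sensor
logs into one schema, drop enterprise-tuned false positives, and emit
consolidated alerts. Log formats and tuning rules here are constructed;
they are not Symantec's SESA/SSMS collector formats."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample data: a network IDS that logs key=value pairs and a
# host IDS that logs pipe-delimited fields. Neither is a real vendor format.
NETWORK_IDS_LOG = """\
ts=2003-01-14T10:00:05 sensor=nids-dmz sig=portscan src=10.1.1.7 dst=10.2.0.5 sev=3
ts=2003-01-14T10:00:09 sensor=nids-dmz sig=icmp_echo src=10.9.9.9 dst=10.2.0.5 sev=1
ts=2003-01-14T10:00:40 sensor=nids-dmz sig=portscan src=10.1.1.7 dst=10.2.0.6 sev=3
"""
HOST_IDS_LOG = """\
2003-01-14 10:01:10|hids-web01|failed_login|10.1.1.7|web01|2
2003-01-14 10:01:12|hids-web01|failed_login|10.1.1.7|web01|2
2003-01-14 10:30:00|hids-db01|failed_login|10.5.5.5|db01|2
"""

# Enterprise tuning (constructed): signatures this environment treats as
# expected noise, e.g. pings from an in-house monitoring system.
FALSE_POSITIVE_SIGS = {"icmp_echo"}
WINDOW = timedelta(minutes=5)   # correlation window, an assumption


def parse_network_ids(text):
    """Collector for the key=value format, producing common-schema dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        events.append({
            "time": datetime.fromisoformat(kv["ts"]),
            "sensor": kv["sensor"], "type": "network",
            "signature": kv["sig"], "src": kv["src"],
            "target": kv["dst"], "severity": int(kv["sev"]),
        })
    return events


def parse_host_ids(text):
    """Collector for the pipe-delimited format, producing common-schema dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, sig, src, host, sev = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sensor": sensor, "type": "host",
            "signature": sig, "src": src,
            "target": host, "severity": int(sev),
        })
    return events


def correlate(events):
    """Drop tuned-out signatures, then raise one consolidated alert per
    source address that is seen by more than one sensor type within WINDOW.
    Returns (kept_events, alerts)."""
    kept = [e for e in events if e["signature"] not in FALSE_POSITIVE_SIGS]
    kept.sort(key=lambda e: e["time"])
    by_src = defaultdict(list)
    for e in kept:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, anchor in enumerate(evs):
            # Events from this source that fall inside the window after the anchor
            cluster = [x for x in evs[i:] if x["time"] - anchor["time"] <= WINDOW]
            if len({x["type"] for x in cluster}) > 1:
                alerts.append({
                    "src": src,
                    "sensors": sorted({x["sensor"] for x in cluster}),
                    "signatures": sorted({x["signature"] for x in cluster}),
                    "count": len(cluster),
                    "severity": max(x["severity"] for x in cluster),
                })
                break   # one consolidated alert per source is enough
    return kept, alerts


def run():
    """Feed both collectors into the correlator over the constructed logs."""
    events = parse_network_ids(NETWORK_IDS_LOG) + parse_host_ids(HOST_IDS_LOG)
    return correlate(events)


if __name__ == "__main__":
    kept, alerts = run()
    print(f"{len(kept)} events after tuning, {len(alerts)} consolidated alert(s)")
    for alert in alerts:
        print(alert)
```

On the constructed input, the single tuned-out ping disappears, the three failed logins on db01 never become an alert because only one sensor type saw that source, and the port scan plus failed logins from 10.1.1.7 collapse into one alert that names both sensors and carries the highest severity seen. Adding a further product means writing one more parser that emits the same schema; the tuning and correlation stages do not change, which is the consolidation benefit Jeffers is describing.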