Vendors in favour of SIM-plicity

As security continues to hold a leading position among network managers’ top concerns, a new concept is changing the way the enterprise looks at security – literally.

The latest acronym in an industry full of them is SIM – security information management – a term that vendors and analysts alike are touting as the basis for securing businesses across the globe.

In its simplest context, SIM refers to such things as event correlation, device management and policy consolidation assessment. Security vendors have begun to realize that enterprises have deployed different products from different vendors. These disparate systems – firewalls, intrusion detection systems (IDSes) and antivirus solutions, among others – each generate their own flags and event logs, and the administrator in charge typically ends up with a sky-high pile of reports to sift through for meaningful data. SIM products normalize, or translate, the data from these disparate systems into a common format so that events from one product can be correlated with events from another.
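As an added illustration of the normalize-then-correlate idea described above (this is example code, not from the article or any vendor), the Python below translates constructed log lines from three hypothetical products into one common schema and then reports hosts that more than one product flagged within a short window. The line formats, addresses, five-minute window and the assumed year for the IDS timestamp are all assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines from three hypothetical products; the formats are
# invented for this example and do not match any real vendor's syntax.
RAW_EVENTS = [
    ("firewall", "2002-11-04 10:00:01 DROP src=10.0.0.5 dst=192.168.1.10 dport=445"),
    ("ids", "Nov 4 10:00:03 sensor1 ALERT [1:2003] SMB probe 10.0.0.5 -> 192.168.1.10"),
    ("antivirus", "2002-11-04T10:00:40 host=192.168.1.10 threat=W32/Example action=quarantined"),
    ("firewall", "2002-11-04 11:30:00 DROP src=10.0.0.9 dst=192.168.1.20 dport=80"),
]
FW_RE = re.compile(r"(\S+ \S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"(\w{3} \d+ [\d:]+) \S+ ALERT \[[\d:]+\] (.+?) (\S+) -> (\S+)$")
AV_RE = re.compile(r"(\S+) host=(\S+) threat=(\S+) action=(\S+)$")

def normalize(source, line):
    """Translate one product-specific line into the common schema used below."""
    if source == "firewall":
        ts, action, src, dst, port = FW_RE.match(line).groups()
        return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": source,
                "src": src, "host": dst, "detail": f"{action} port {port}"}
    if source == "ids":
        ts, sig, src, dst = IDS_RE.match(line).groups()
        # This syslog-style format carries no year; the sample assumes 2002.
        return {"time": datetime.strptime(ts + " 2002", "%b %d %H:%M:%S %Y"),
                "source": source, "src": src, "host": dst, "detail": sig}
    if source == "antivirus":
        ts, host, threat, action = AV_RE.match(line).groups()
        return {"time": datetime.fromisoformat(ts), "source": source,
                "src": None, "host": host, "detail": f"{threat} {action}"}
    raise ValueError(f"unknown source {source}")

def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Report hosts where at least min_sources products raised events inside one window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                incidents.append({"host": host, "start": first["time"],
                                  "sources": sorted(sources),
                                  "details": [e["detail"] for e in cluster]})
                break  # one incident per host is enough for this example
    return incidents

def run():
    return correlate(normalize(s, l) for s, l in RAW_EVENTS)
```

Calling run() yields one incident for 192.168.1.10, where the firewall drop, IDS alert and antivirus quarantine line up within the window, while the lone firewall event for 192.168.1.20 is left alone.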

Leading the SIM brigade, security giants Symantec Corp. and Check Point Corp. recently issued announcements revealing their much-anticipated SIM solutions. Last month Check Point outlined its security management architecture (SMART) road map and its Open Platform for Security (OPSEC) partner program. According to Upesh Patel, OPSEC Alliance manager in Boston, the SMART architecture allows customers to build a single security policy, implement it and enforce it across the various disparate devices in their environments.

“Some people consider management looking at events coming out of a number of products and basically providing a nice GUI to look at all those events,” Patel said. “Some people look at management and say it is really about software updates and making sure your policies are enforced and…are constantly updated. When we talk about management, we talk about it from a very global perspective, so that it spans not only your network security, but your application security, your Web security and your VPN security.”

How Check Point implements this security umbrella, Patel explained, is through a number of enforcement points like its VPN-1 and Firewall-1 products, as well as through third-party vendors. In its OPSEC program, Check Point has over 300 third-party vendors that devise and build specific security products to solve specific security issues.

“We are talking about things like antivirus, filtering, IDS and all these other components that make up a robust security architecture,” he said. “We work with these vendors to basically enable them to integrate into our SMART architecture and also leverage what we already have.”

Symantec Corp. has a similar approach to SIM with its Symantec Enterprise Security Architecture (SESA). According to Canadian General Manager Michael Murphy, SESA is the framework of what Symantec has based its recent solutions on and will be the basis for future solutions going forward. In a recent announcement in New York, the company introduced its Symantec Security Management System, a solution that will let its event management and incident management tools communicate with each other.

Symantec has also launched a partner program in hopes of luring third-party vendors to build “collectors” that would collect event data from their equipment and share it with the Symantec offering. The result, according to Murphy, is ease of use for the administrators.

“Customers may not know what they need specifically, but they know what they want,” Murphy said. “They can at least articulate what would save them time, money and liability and increase productivity. Our management announcements aren’t something we dreamed up in a vacuum without talking to customers.”

Murphy explained that many customers are saying their environments are too complex. They are dealing with several vendors, several products and a lack of expertise on their staff to deal with the complexity and frequency of the threats that are out there today.

“Let’s look at security: we have intrusion detection as a box; we have the firewall as a box; we have…antivirus; we have vulnerability management or network assessment in a box. How do we take all that data, because today the threats and vulnerabilities cross all those areas? It is about integration. It is about simplified management and it is about quick analysis of data to allow you to respond,” he said.

As far as one customer is concerned, there are benefits to both SIM offerings. Victor Keong, partner with the security services group at Deloitte & Touche in Toronto, has been a Symantec and Check Point customer for some time, and often uses products from both vendors when rolling out security services for his customers. According to Keong, the Check Point alternative comes with best-of-breed products that are tried and tested.

However, he said that the issue isn’t so much that the systems are hard to manage, but rather that they are difficult to integrate.

“Even though the products are all OPSEC-certified, there are still a lot of kinks during the integration process,” he explained, referring to a project the company was involved with last year in which multiple enterprises had to integrate several disparate systems under the OPSEC banner.

Charles Kolodgy concurred with Keong’s assessment. Kolodgy, Internet security research manager with International Data Corp. in Framingham, Mass., said that while the issues with SIM earlier this year dealt with the immaturity of the technology, the issue now relates to support.

“What (vendors) are all pushing and talking about is being able to take events from multiple vendors and interpret and correlate them,” Kolodgy said. “Part of the measuring stick of success will be how many products (these vendors) can support. Check Point has…300-plus products in their OPSEC program. Does that mean they are going to easily integrate with all 300? You have to be sure that these products can communicate and will catch the alerts and interpret them well to give you a good picture, and not just add complication.”

While he acknowledged the efforts by security vendors to simplify security management, Keong added that another challenge is having dedicated resources to actually manage the infrastructure. He said that although SIM products may save money and some time, without proper IT staff to receive event logs and alerts, the point becomes moot.