Stop attacks from slipping through your cracks

COMMENTARY--Terrorism and war have unfortunately been hallmarks of every century. The 21st century is getting off to an inauspicious start as the war with Iraq proceeds. Discussions about weapons of mass destruction have become as commonplace as they were at the beginning of the Cold War more than 50 years ago. Like sport utility vehicles (SUVs), weapons of mass destruction have become sufficiently entrenched in our social consciousness to earn their own acronym--WMD.

One aspect that is clearly different from previous centuries is the role of digital technologies and communications in the conduct of war, and the vulnerabilities they introduce that could adversely impact critical infrastructures and commerce. Let's call that vulnerability "CMD" for code of mass disruption, which applies to cyber attacks that could impair the electrical power grid, emergency services, digital communications, and transportation systems.

Since 9/11, every company has been on notice that it is vulnerable to more serious cyber attacks than the garden-variety virus or worm outbreak. For larger corporations and government agencies (including the Department of Homeland Security), the call to action has been to install a wide variety of technologies in the hope of preventing a catastrophic loss of business or a security breach. The toolbox includes firewalls, intrusion detection systems, intrusion prevention appliances, patches, virus scanners, and identity and policy management software.

Deploying a collection of products can mitigate the impact of cyber attacks, but you can end up with limited visibility into the big picture. It's a classic "can't see the forest for the trees" problem, due to an overload of data in separate silos, each generating alerts, and an epidemic of false positives that no company has the human resources to address.

Several smaller companies--including ArcSight, netForensics, Intellitactics, e-Security, and GuardedNet--are tackling the security management problem.

This class of products focuses on normalising and aggregating data into a single database, and then applying various algorithms, statistical functions, and rules to correlate and visualize the data as well as initiate actions based on the analyses.

If each security system, reporting separately, registers no threat, for example, a breach might still be under way; it would only be recognised by correlating data across the whole system. This situation is similar to the issue that vexed the U.S. Government intelligence agencies in their efforts to deter terrorism. The end result of correlating data filtered from multiple sources and locations in a centralised security management solution is the exposure and remediation of legitimate threats and attacks.

I spoke with ArcSight's CEO Robert Shaw about his company's approach to solving the false positive and data overload problems. "Our goal is to take millions of [security-related] events per day, boil them down to 100, and get closure," Shaw said. He described the multidimensional aspect of ArcSight's correlation system as combining the severity of potential attacks with the value and vulnerability of company assets and business processes to determine the intrinsic risk of a security event in real time.

As an example, an employee accesses several servers holding sensitive data within the span of an hour. The agent monitoring each server detects no anomaly or unauthorised access on its own. However, correlating access data from the servers and the identity management system in real time, and applying rules governing threat detection, would trigger an alert and could even automatically deny access to that user.
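The correlation rule described above, written out as an added example (not ArcSight's or the author's code): per-server access records are normalised into one schema, grouped by user, and checked against a one-hour sliding window and an asset-sensitivity list, with the identity system's role entitlements supplying the second dimension. The host names, users, roles, and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access records from several servers, already normalised to
# (timestamp, host, user, action). Each server's monitor sees one permitted
# read and raises nothing; only the aggregated view shows the pattern.
EVENTS = [
    ("2003-04-01T09:02:00", "finance-db-01", "jdoe", "read"),
    ("2003-04-01T09:10:00", "web-01", "jdoe", "read"),
    ("2003-04-01T09:20:00", "hr-db-02", "jdoe", "read"),
    ("2003-04-01T09:47:00", "payroll-fs-01", "jdoe", "read"),
    ("2003-04-01T09:05:00", "finance-db-01", "asmith", "read"),
    ("2003-04-01T13:30:00", "hr-db-02", "asmith", "read"),
]

# Asset dimension: which hosts hold sensitive data (hypothetical asset list).
SENSITIVE = {"finance-db-01", "hr-db-02", "payroll-fs-01"}

# Identity dimension: sensitive hosts each user's role entitles them to
# (hypothetical export from an identity management system).
ROLE_ACCESS = {"jdoe": {"finance-db-01"}, "asmith": {"finance-db-01", "hr-db-02"}}

WINDOW = timedelta(hours=1)
THRESHOLD = 3  # distinct sensitive hosts touched inside one window


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Alert when one user reaches >= threshold distinct sensitive hosts
    within `window`, and list which of those hosts fall outside the role."""
    by_user = defaultdict(list)
    for ts, host, user, _action in events:
        if host in SENSITIVE:
            by_user[user].append((datetime.fromisoformat(ts), host))

    alerts = []
    for user, hits in by_user.items():
        hits.sort()  # chronological order for the sliding window
        for i, (start, _host) in enumerate(hits):
            in_window = {h for t, h in hits[i:] if t - start <= window}
            if len(in_window) >= threshold:
                outside = in_window - ROLE_ACCESS.get(user, set())
                alerts.append({"user": user,
                               "servers": sorted(in_window),
                               "outside_role": sorted(outside)})
                break  # one alert per user is enough for closure
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```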

ArcSight includes a reporting module and templates, and an automated notification system that can send alerts to a central console, browser, pagers, and cell phones. A typical installation begins at around US$500,000, Shaw said.

In addition, large enterprise software vendors like IBM Tivoli offer security management consoles. Computer Associates is expected to launch its E-Trust Security Command Center this summer. The company is leveraging its experience in managing enterprise networks with Unicenter as well as code for identity management, virus scanning, portal, trouble ticketing and business intelligence, according to Ron Moritz, senior vice-president of CA E-Trust Security Solutions.

Moritz described CA's forthcoming Security Command Center as a way to reduce network stress by using role-based policy management to deliver the crucial information to the right people at the right time and in the most appropriate format.

"Imagine a bank with millions of records generated across nine data centres," Moritz said. "It is a huge strain on the network. The first step is to take data generated by security devices in each geography, and interpret it locally. Then, data from the various geographies is normalised and correlated from a central console to reveal the data relationships. Finally, summaries, such as an executive view within a portal, can be presented."

In an IT world that is moving from intrusion detection toward intrusion prevention, security management solutions play a critical role. Without a comprehensive view and real-time analysis of the entire security infrastructure, you will end up lost in the forest as the trees fall on your head.

What's your take on centralised security management? Is it possible to secure your company against internal and external cyber attacks? TalkBack below or e-mail edit@zdnet.com.au.
