‘Third Generation’ Event Management

• By Steven Titch
• May 23, 2008

Event management, like social engineering, is one of those security terms whose innocuous name belies enormous significance of purpose, even moreso in the network-centric environment.

CSOs associate the phrase with identification and isolation of perimeter intrusion and trespassing, and it’s heard more and more in the context of video analytics. The term in also used on the IT side, in a way that’s directly analogous -- the tracking and targeting of external network attacks.

Security event management itself is caught up in applications convergence. In the past three years it has merged with the security information category. Vendors and market analysts more commonly refer to the market as security information and event management (SIEM). Players include CA, Check Point, eIQ Networks, IBM, Novell, RSA (through its EMC subsidiary), Symantic, and ArcSight, which identifies itself as the leading pure play SIEM company.

Earlier this month, Gartner Inc. placed ArcSight, along with RSA and Symantic, in the “leaders quadrant” in it 2008 Magic Quadrant for SIEM. The Magic Quadrant is a graphical representation of a marketplace at a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace.

ArcSight provides an integrated platform for collecting, processing and assessing security and risk information in all areas of the SIEM landscape. As with most SIEM technology, ArcSight’s ESM, Logger and Threat Response Manager provide real-time analysis of security alerts generated by network hardware and applications that help companies respond to attacks faster and organize immense volumes of log data, principally for compliance purposes.

ArcSight, however, is pushing SEIM applications beyond threat detection and logging into forensics and behavior profiling, says Rick Caccia, vice president of product marketing at the Cupertino, Calif., company.

First generation SIEM systems, Caccia says, analyzed threats at the perimeter. The second generation brought in log management. The third generation, emerging within the last 12 to 18 months, adds a dimension of intelligence. ArcSight’s platform, he says, brings together network activity data from enterprise firewalls and servers down to client hardware used by employees and processes it with logging data. “We apply those two engines and figure out baseline profiles against which behavior can be matched,” Caccia says. Enterprises can use SIEM effectively to stop hackers and fraud, but just as much damage can be done, if not more, from authenticated users. “We’ve gotten good at detecting external threats, but we haven’t gotten good at inside threats. We need to know who’s on the network and what they are doing,” he says

The latest SIEM platforms can take multiple unrelated pieces of information and, if a certain pattern is detected, trigger an alarm. For example, there is the case of an engineer who regularly works from 9 a.m. to 6 p.m. Suddenly, he’s coming in at midnight. He’s accessing hundreds of documents he has never call up before. He’s doing a lot of print jobs. And his Web logs show he’s spending a great deal of time at Monster.com.

Each of these instances is not remarkable by itself and a conventional SIEM system may log them all. Taken all together, however, it may signal that an employee may be planning to leave the company and take confidential material with him -- a situation that both CSOs and CISOs must respond to. Enterprises, Caccia says can now use SIEM systems to flag a pattern of actions that, in the past, have created trouble.

Moreover, SIEM systems are within reach of mid-sized enterprises. ArcSight has basic packages for smaller computers and networks starting in the $20,000 range. Systems scale from there, with pricing depends on the number of events per day and the number of devices connected. Caccia says ArcSight has customers use ESM to log as many as 100 million events per day from more than 50,000 devices.