‘Third Generation’ Event Management

Event management, like social engineering, is one of those security terms whose innocuous name belies enormous significance of purpose, even moreso in the network-centric environment.

CSOs associate the phrase with identification and isolation of perimeter intrusion and trespassing, and it’s heard more and more in the context of video analytics. The term in also used on the IT side, in a way that’s directly analogous -- the tracking and targeting of external network attacks.

Security event management itself is caught up in applications convergence. In the past three years it has merged with the security information category. Vendors and market analysts more commonly refer to the market as security information and event management (SIEM). Players include CA, Check Point, eIQ Networks, IBM, Novell, RSA (through its EMC subsidiary), Symantic, and ArcSight, which identifies itself as the leading pure play SIEM company.

Earlier this month, Gartner Inc. placed ArcSight, along with RSA and Symantic, in the “leaders quadrant” in it 2008 Magic Quadrant for SIEM. The Magic Quadrant is a graphical representation of a marketplace at a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace.

ArcSight provides an integrated platform for collecting, processing and assessing security and risk information in all areas of the SIEM landscape. As with most SIEM technology, ArcSight’s ESM, Logger and Threat Response Manager provide real-time analysis of security alerts generated by network hardware and applications that help companies respond to attacks faster and organize immense volumes of log data, principally for compliance purposes.

ArcSight, however, is pushing SEIM applications beyond threat detection and logging into forensics and behavior profiling, says Rick Caccia, vice president of product marketing at the Cupertino, Calif., company.

First generation SIEM systems, Caccia says, analyzed threats at the perimeter. The second generation brought in log management. The third generation, emerging within the last 12 to 18 months, adds a dimension of intelligence. ArcSight’s platform, he says, brings together network activity data from enterprise firewalls and servers down to client hardware used by employees and processes it with logging data. “We apply those two engines and figure out baseline profiles against which behavior can be matched,” Caccia says. Enterprises can use SIEM effectively to stop hackers and fraud, but just as much damage can be done, if not more, from authenticated users. “We’ve gotten good at detecting external threats, but we haven’t gotten good at inside threats. We need to know who’s on the network and what they are doing,” he says

The latest SIEM platforms can take multiple unrelated pieces of information and, if a certain pattern is detected, trigger an alarm. For example, there is the case of an engineer who regularly works from 9 a.m. to 6 p.m. Suddenly, he’s coming in at midnight. He’s accessing hundreds of documents he has never call up before. He’s doing a lot of print jobs. And his Web logs show he’s spending a great deal of time at Monster.com.

Each of these instances is not remarkable by itself and a conventional SIEM system may log them all. Taken all together, however, it may signal that an employee may be planning to leave the company and take confidential material with him -- a situation that both CSOs and CISOs must respond to. Enterprises, Caccia says can now use SIEM systems to flag a pattern of actions that, in the past, have created trouble.

Moreover, SIEM systems are within reach of mid-sized enterprises. ArcSight has basic packages for smaller computers and networks starting in the $20,000 range. Systems scale from there, with pricing depends on the number of events per day and the number of devices connected. Caccia says ArcSight has customers use ESM to log as many as 100 million events per day from more than 50,000 devices.

About the Author

Steven Titch is editor of Network-Centric Security magazine.

Featured

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

  • DHS to End ‘Shoes-Off’ Travel Policy

    Homeland Security Secretary Kristi Noem announced a new policy today which will allow passengers traveling through domestic airports to keep their shoes on while passing through security screening at TSA checkpoints. Read Now

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.