Log activity can tell a lot about systems in a Windows shop, including when viruses or other malware try to gain entry. But unless IT managers can analyze the data quickly and pinpoint problems, it isn't of much help in protecting the network.
IT managers create layers of network protection that include firewalls, anti-malware products and gateway protection devices, among others, with an eye toward eliminating security gaps. The activity logs created by these network components can tell IT managers about potential threats and their source.
But when large corporations are capturing as many as 50,000 logged events per second, finding problems within the logs quickly becomes a Herculean task, according to Nick Selby, senior analyst and director of the Enterprise Security Practice at the 451 Group, a technology analyst company based in New York.
One way to make sense of the network's log data is with security information management systems. Using SIM technology, various logs are collected and then analyzed by a correlation database. The data determined to be a potential or actual problem is then sent on to a console, where IT managers can see it and take any necessary action.
Log data is collected and analyzed for IT managers
SIM technology, which has been around since the late 1990s, is usually either software that runs on a server platform, such as Windows, or a network appliance that includes the software. Many consist of software that gathers logs throughout the network and sends them first to a collection point, then on to a correlation engine, where the data is analyzed. The results are then sent on to a console so IT managers can assess any potential or actual threats it has found.
"They do a very good job of collecting log information from a wide variety of sources," said Selby. "They help break through the din, and what bubbles up through it can be analyzed."
Although the tools are useful, they're not cheap. SIM systems range on the high end from Cupertino, Calif.-based ArcSight, where a package could average about $200,000, to those by eIQnetworks, based in Acton, Mass., which average about $15,000 per package. There are also roughly 15 other vendors with systems that range in between those two.
Smaller companies may find even the lowest priced choices a little too rich for their budgets. Although anything that can help with log analysis is good, said Susan Bradley, a Microsoft MVP and certified public accountant at Tamiyasu, Smith Horn and Braun Accountancy Corp. in Fresno, Calif., a SIM system would be too costly for her budget. Instead, Bradley said she uses a firewall dashboard that alerts her to potential problems and costs $150 for an annual license.
SIM technology available for big Windows installations
Large Windows shops can take advantage of SIM technology through systems like Edison, N.J.-based netForensics' nFX OSP, which uses open source architecture to provide security information management across a complex, mixed-platform network, including Windows.
Another option is a Windows-based SIM system like Network Intelligence's Envision, which uses its own log data storage technology to support log collection from a variety of system devices.
Brett Osborne, a systems security engineer at Melbourne, Fla.-based Harris Corp., said the SIM technology his company installed at a critical federal agency in Florida has alerted IT managers to potential problems. Harris Corp. provides IT and communications services to government and commercial organizations.
"In at least one case there was inappropriate traffic to a peer-to-peer [Web site], which is forbidden at the agency," Osborne said. It was a music downloading site, which often transmits viruses or other threats to users, so they are off limits to agency workers. The SIM pulled the data out and made it available quickly, when previously it would have taken too much time and effort to ferret it out, he said.
Although there have been concerns about these products generating too many alerts, the sets of rules programmed into them can be tuned by companies for their particular needs, according to Diane Kelley, service director at The Burton Group, a research company based in Midvale, Utah.
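The collect-then-correlate pipeline described earlier (logs from several sources normalized at a collection point, rules run in a correlation engine, alerts passed to a console) and the rule tuning mentioned above, as an added Python example that is not code from the article or from any vendor it names; the two log formats, the hosts and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources (hypothetical formats, not any product's output).
FIREWALL = [
    "2006-03-01T09:00:01 fw1 DENY src=10.0.0.5 dst=203.0.113.9 dport=6881",
    "2006-03-01T09:00:07 fw1 DENY src=10.0.0.5 dst=203.0.113.9 dport=6882",
    "2006-03-01T09:00:12 fw2 DENY src=10.0.0.5 dst=198.51.100.4 dport=6889",
    "2006-03-01T09:05:00 fw1 DENY src=10.0.0.8 dst=203.0.113.9 dport=6881",
]
ANTIMALWARE = ["2006-03-01T09:00:30 av host=10.0.0.5 threat=Trojan.Generic action=quarantined"]
FW_RE = re.compile(r"(\S+) (\S+) DENY src=(\S+) dst=\S+ dport=(\d+)")
AV_RE = re.compile(r"(\S+) av host=(\S+) threat=(\S+) action=\S+")

def normalize(lines):
    """Collection point: turn each source's own format into one common event record."""
    events = []
    for line in lines:
        if m := FW_RE.match(line):
            events.append({"ts": datetime.fromisoformat(m[1]), "src": m[2],
                           "host": m[3], "type": "deny", "dport": int(m[4])})
        elif m := AV_RE.match(line):
            events.append({"ts": datetime.fromisoformat(m[1]), "src": "av",
                           "host": m[2], "type": "malware", "threat": m[3]})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, p2p_ports=range(6881, 6890), threshold=3, window=timedelta(minutes=5)):
    """Correlation engine: each rule fires only when its tunable threshold is met inside the window."""
    alerts = []
    denies = defaultdict(list)   # host -> timestamps of denied connections to P2P ports
    malware = {}                 # host -> timestamp of the anti-malware detection
    for e in events:
        if e["type"] == "deny" and e["dport"] in p2p_ports:
            denies[e["host"]].append(e["ts"])
            recent = [t for t in denies[e["host"]] if e["ts"] - t <= window]
            if len(recent) == threshold:          # raising threshold cuts alert noise
                alerts.append(("p2p-traffic", e["host"]))
        elif e["type"] == "malware":
            malware[e["host"]] = e["ts"]
        # Cross-source rule: a malware detection plus blocked outbound traffic from the same host.
        h = e["host"]
        if h in malware and h in denies and ("malware-with-outbound", h) not in alerts:
            if any(abs(t - malware[h]) <= window for t in denies[h]):
                alerts.append(("malware-with-outbound", h))
    return alerts

def run(threshold=3):
    """Console stage: the alerts an IT manager would see for the constructed logs."""
    return correlate(normalize(FIREWALL + ANTIMALWARE), threshold=threshold)
```

Calling run() with the default threshold yields both alerts for 10.0.0.5; run(threshold=5) suppresses the peer-to-peer rule while the cross-source rule still fires.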
The technology is also used by many larger companies to prove they are complying with regulations like Sarbanes-Oxley, which requires companies to store certain data, access it easily and show that it is protected no matter where it is located in the network.