iQ MAGAZINE

Managing Security Data

Security systems produce a sea of data to be analyzed, acted upon, and reported. Here's how to bring it under control.

By Leslie T. O'Neill
Illustration by Doug Ross

Summary

Now that IT staffs have added intrusion detection and prevention systems, firewalls, and virtual private networks (VPNs) to their networks, they're awash in event log files, alerts, and false positives. Add to that the regulations that require compliance reports and audits, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act (SOX), and the European Union's Revised Basel Capital Accord (Basel II). Without a proper monitoring and response system, it's easy to get lost in the sea of data.

Legacy Marketing Group, a financial services organization in Petaluma, California, must meet requirements for multiple regulations, including the Gramm-Leach-Bliley Act (GLBA), SOX, and HIPAA, according to Troy Myers, IT network planning manager.

"In addition to the standard policies auditors ask for—business continuity plans, system access controls, physical and environment controls—we are also required to provide information only collected by network devices and stored in separate log files," he explains. "The difficult task is to gather all of these log files into a useful, logical format."

Like other SMBs, Legacy needed to transform that data into meaningful, actionable information to better protect its network as well as meet regulatory requirements. With a budget of no more than $15,000 and in less than two months, Myers and NetworkGuys, Inc., a Cisco Premier Certified Partner, solved this problem by deploying a single device: the Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS), a security information management (SIM) appliance.

The Solution: A SIM
A SIM is an all-in-one security appliance, a category that has emerged only in the last few years. By centralizing, correlating, and prioritizing log data from many devices and presenting it in easy-to-use formats, it simplifies network security data management. A SIM combines real-time log analysis and event correlation with intrusion prevention, which allows you to:

  • Monitor and control security appliances and software on your TCP/IP network from one centralized console
  • Automatically collect and correlate crucial network and security event data
  • Easily identify and quickly respond to new threats
  • Meet regulatory data management requirements
  • Produce audit reports for regulatory agencies

"Recently, compliance has driven the big changes, moving from looking just at the network and system levels to also looking at user access level events," says security and privacy expert Amrit Williams, a research director at Gartner.

IT staff can use network-security information to comply with regulatory requirements as well as develop new security policies. A SIM can provide a systemwide view of the network and the data path a potential threat may traverse; a network administrator can use that information to define a security policy that bans that type of user access or traffic.

Auditors often check that you're actually enforcing the policies you've defined. Because installation and use don't require in-depth security expertise, a SIM is simple for a small IT staff to manage. With a SIM filtering out false positives and pinpointing potential threats, a single employee can analyze log files from dozens of network devices and applications. Any reduction in the hours spent analyzing log files helps reduce staffing costs.
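To make the "centralize, correlate, prioritize" idea concrete, here is an added example that is not part of the article and not Cisco Security MARS code. It takes log lines from three made-up device formats (firewall, IDS, VPN concentrator), normalizes them into one schema, groups events by source address inside a five-minute window, and scores each group so that a single firewall deny is treated as noise while an IDS alert corroborated by firewall denies rises to the top. The same normalized events feed a small per-user login summary of the kind an auditor asks for. Every log format, log line, address, threshold, and scoring weight below is constructed for illustration.

```python
"""Toy SIM pipeline: normalize logs from several device types, correlate them by
source address inside a time window, and rank the result.  Added illustration,
not Cisco Security MARS code; every log format and log line below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in three made-up vendor formats (firewall, IDS, VPN).
RAW_LOGS = [
    "fw1 2006-04-10T09:00:01 DENY tcp 203.0.113.7:4455 -> 192.0.2.10:445",
    "fw1 2006-04-10T09:00:03 DENY tcp 203.0.113.7:4456 -> 192.0.2.10:139",
    "ids1 2006-04-10T09:00:05 ALERT sig=smb-probe src=203.0.113.7 dst=192.0.2.10 sev=3",
    "vpn1 2006-04-10T09:01:10 user=jdoe LOGIN_OK from=198.51.100.5",
    "vpn1 2006-04-10T09:02:00 user=jdoe LOGIN_FAIL from=198.51.100.5",
    "fw1 2006-04-10T10:30:00 DENY udp 198.51.100.44:5353 -> 192.0.2.255:5353",
    "ids1 2006-04-10T11:00:00 ALERT sig=worm-scan src=203.0.113.9 dst=192.0.2.20 sev=5",
    "fw1 2006-04-10T11:00:02 DENY tcp 203.0.113.9:1025 -> 192.0.2.21:445",
    "fw1 2006-04-10T11:00:02 DENY tcp 203.0.113.9:1026 -> 192.0.2.22:445",
]

# One regex per source format; the named groups feed a single common schema.
FW_RE = re.compile(r"^(?P<dev>\S+) (?P<ts>\S+) DENY (?P<proto>\w+) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IDS_RE = re.compile(r"^(?P<dev>\S+) (?P<ts>\S+) ALERT sig=(?P<sig>\S+) "
                    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) sev=(?P<sev>\d)$")
VPN_RE = re.compile(r"^(?P<dev>\S+) (?P<ts>\S+) user=(?P<user>\S+) "
                    r"(?P<result>LOGIN_OK|LOGIN_FAIL) from=(?P<src>[\d.]+)$")

def normalize(line):
    """Parse one raw line into the common event schema, or return None if unknown."""
    for rx, kind in ((FW_RE, "fw_deny"), (IDS_RE, "ids_alert"), (VPN_RE, "vpn")):
        m = rx.match(line)
        if not m:
            continue
        d = m.groupdict()
        ev = {"time": datetime.fromisoformat(d["ts"]), "device": d["dev"], "kind": kind,
              "src": d["src"], "dst": d.get("dst"), "user": d.get("user"), "severity": 0}
        if kind == "fw_deny":
            ev["detail"] = f"{d['proto']}/{d['dport']}"
        elif kind == "ids_alert":
            ev["detail"], ev["severity"] = d["sig"], int(d["sev"])
        else:
            ev["kind"] = "vpn_login_ok" if d["result"] == "LOGIN_OK" else "vpn_login_fail"
        return ev
    return None

WINDOW = timedelta(minutes=5)   # events from one source closer than this form one session
REPORT_THRESHOLD = 3            # sessions scoring below this are treated as noise

def score_session(src, session):
    """Rank one session: corroboration across devices raises the score, a lone deny barely counts."""
    alerts = [e for e in session if e["kind"] == "ids_alert"]
    denies = [e for e in session if e["kind"] == "fw_deny"]
    score, reasons = 0, []
    if alerts:
        score += max(a["severity"] for a in alerts)
        reasons.append("IDS alert")
    if len({d["dst"] for d in denies}) >= 2:
        score += 3
        reasons.append("denies against several hosts")   # sweep-like pattern
    elif denies:
        score += 1
        reasons.append("isolated firewall deny")
    if alerts and denies:
        score += 2
        reasons.append("IDS alert corroborated by firewall")
    return {"src": src, "score": score, "reasons": reasons,
            "devices": sorted({e["device"] for e in session}), "events": len(session)}

def correlate(events):
    """Split each source's events into time-bounded sessions, score them, return the ones worth a look."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        session = [evs[0]]
        for ev in evs[1:]:
            if ev["time"] - session[-1]["time"] <= WINDOW:
                session.append(ev)
            else:
                incidents.append(score_session(src, session))
                session = [ev]
        incidents.append(score_session(src, session))
    return sorted((i for i in incidents if i["score"] >= REPORT_THRESHOLD), key=lambda i: -i["score"])

def user_access_report(events):
    """Per-user login outcomes: the user-access evidence an auditor asks for."""
    report = defaultdict(lambda: {"ok": 0, "fail": 0})
    for e in events:
        if e["kind"] == "vpn_login_ok":
            report[e["user"]]["ok"] += 1
        elif e["kind"] == "vpn_login_fail":
            report[e["user"]]["fail"] += 1
    return dict(report)

if __name__ == "__main__":
    events = [e for e in map(normalize, RAW_LOGS) if e]
    for inc in correlate(events):
        print(f"{inc['score']:>3}  {inc['src']:<15} {inc['devices']}  {'; '.join(inc['reasons'])}")
    print("user access:", user_access_report(events))
```

Run on the constructed lines, the lone deny from 198.51.100.44 (a broadcast-looking UDP packet) and the one failed VPN login never reach the report, while the source that triggered a worm-scan signature and was then denied against two further hosts ranks above the source seen probing a single host. The per-source time window and the scoring weights are the two knobs a real deployment tunes; the structure (normalize, window, score, rank) is what the article's "correlate and prioritize" refers to.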

Some SIMs can mitigate threats by checking for activities outside of ordinary network transactions, such as:

  • Blended attacks
  • Worms
  • Day-zero attacks
  • Spyware

If the SIM finds an anomaly, it reveals the network path of the potential attack, allowing you to send a set of mitigation commands to the traversed components, which can minimize network downtime.

A SIM can report the information it collects on network transactions, including user-access events, which can be crucial when it comes to demonstrating compliance to government agencies.

Getting Network Management Help
In addition to, or in lieu of, using a SIM, SMBs can have resellers and consultants manage their security functions and audits. In fact, security assessment and planning was among the top three consulting services SMBs purchased in 2005, according to Forrester Research.

About the Author

Freelance technology writer Leslie T. O'Neill has worked at Infoworld Magazine as the test center managing editor and special projects editor.

iQ Magazine, Second Quarter 2006

From Cisco: Bringing Useful Data to the Surface

Combining distributed threat mitigation and intrusion prevention, Cisco Security MARS is a SIM appliance that can show you what’s really happening in your network.

The appliance:

  • Monitors, collects, and correlates data from network components, including those from different vendors
  • Extracts and manages security-event data captured in router, switch, firewall, VPN, intrusion prevention system, and antivirus application logs, as well as from databases, Web and authentication servers, and network packets
  • Can automatically generate compliance reports
  • Provides visual representation of network activity
  • Proposes mitigation commands for the entire data path traversed by a threat
  • Automates the process of detecting and stopping anomalous activities

Unlike some SIMs, the Cisco Security MARS can help adapt to and mitigate threats as they occur. If it sees a security incident that it thinks you should address, it will tell you, down to the specific device or port, how you can apply a line of configuration to stop that traffic flow.
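The "network path of the potential attack" and "down to the specific device or port" ideas above can be made concrete with a small added example. It is not MARS code and not from the article: it reconstructs the hop path from the network edge to a victim host in a constructed topology, then lists every device along that path that could apply a deny rule, nearest the traffic source first, with the ingress interface the traffic arrives on. The topology, interface names, device roles, and incident fields are all constructed, and the output is a vendor-neutral description because the actual configuration line differs from device to device.

```python
"""Toy 'data path' reconstruction and mitigation proposal.  Added illustration,
not Cisco Security MARS code; the topology and the incident below are constructed."""
from collections import deque

# Constructed topology: node -> {neighbor: name of this node's interface facing that neighbor}
TOPOLOGY = {
    "internet":   {"edge-rtr": "uplink"},
    "edge-rtr":   {"internet": "Gi0/0", "fw1": "Gi0/1"},
    "fw1":        {"edge-rtr": "outside", "core-sw": "inside"},
    "core-sw":    {"fw1": "Gi1/1", "srv-sw": "Gi1/2", "vpn1": "Gi1/3"},
    "srv-sw":     {"core-sw": "Gi1/1", "fileserver": "Fa0/12"},
    "vpn1":       {"core-sw": "inside"},
    "fileserver": {"srv-sw": "eth0"},
}
# Constructed classification of which nodes can enforce a traffic filter.
ENFORCERS = {"edge-rtr": "router", "fw1": "firewall", "core-sw": "switch", "srv-sw": "switch"}

def find_path(src_node, dst_node):
    """Shortest hop path by breadth-first search; returns a list of node names or None."""
    prev = {src_node: None}
    queue = deque([src_node])
    while queue:
        node = queue.popleft()
        if node == dst_node:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for neighbor in TOPOLOGY.get(node, {}):
            if neighbor not in prev:
                prev[neighbor] = node
                queue.append(neighbor)
    return None

def propose_mitigations(incident, entry_node="internet"):
    """Walk the path from entry_node to the victim host and list each enforcement point on it.
    Proposals are ordered from the device nearest the source inward, so the first one
    stops the flow earliest; intermediate hosts and unmanaged nodes are skipped."""
    path = find_path(entry_node, incident["dst_host"])
    if path is None:
        return []
    proposals = []
    for i in range(1, len(path) - 1):          # skip the entry node and the victim host
        node = path[i]
        if node not in ENFORCERS:
            continue
        proposals.append({
            "device": node, "role": ENFORCERS[node],
            "interface": TOPOLOGY[node][path[i - 1]],   # the interface facing the previous hop
            "action": "deny", "proto": incident["proto"], "src": incident["src"],
            "dst": incident["dst"], "dport": incident["dport"],
        })
    return proposals

def describe(p):
    """Vendor-neutral wording of one proposal; the device-specific syntax is deliberately not shown."""
    return (f"{p['device']} ({p['role']}), ingress {p['interface']}: "
            f"{p['action']} {p['proto']} {p['src']} -> {p['dst']}:{p['dport']}")

if __name__ == "__main__":
    # Constructed incident, e.g. one produced by a correlation stage upstream of this step.
    incident = {"src": "203.0.113.9", "dst_host": "fileserver", "dst": "192.0.2.20",
                "proto": "tcp", "dport": 445}
    print("path:", " -> ".join(find_path("internet", incident["dst_host"])))
    for p in propose_mitigations(incident):
        print(describe(p))
```

The value of this step is the ordering: the SIM already knows the path, so it can point at the enforcement point closest to the source (here the edge router's outside-facing interface) and name the interface, rather than leaving the administrator to work out which of a dozen devices sits in the flow. Whether a switch can actually filter depends on the platform, which is why the role table is an explicit, constructed input.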