01.30.07
Security Event Manager Review
By Dan Morrill
Over the last few months I have been fortunate to beta test, or otherwise test, a number of information security tools to see how well they would work in a high-volume environment.
It is not every day that you run into a tool that not only does what it is supposed to do, but is also very simple to install, integrate, and operate. High Tower Security Event Manager is one of those tools: it lives up to its marketing hype and is well worth discussing in the security management space.
Dark Reading talks about the convergence of NOC/SOC operations:
"The security team typically has had no say or control over the network, even though security touches the network, he notes. "But the SOC is going to get a bit more control." The NOC has historically been queasy about allowing the security team the ability to make network configuration changes based on security problems, because such changes sometimes lock users out of their authorized applications.
So the integration between the ESIM and ITSM products must offer role-based controls to the security group, the report says, so that a security analyst automatically only sees what he or she needs to see in a network device when checking or fixing a security problem. That "sanitization" is done manually today by network administrators." (Dark Reading, http://www.darkreading.com/document.asp?doc_id=115415&WT.svl=news1_2 )
High Tower fits fully into the space of ESIM and ITSM products in that it has role-based controls. These allow the security SOC staff to see what is happening on the network and to submit change requests, by watching how traffic flows across switches, routers, and firewalls in response to real-time incidents or data patterns, without the NOC staff having to grant them access to whatever monitoring systems are already in place.
All that needs to be done is to configure the syslog output from the network devices to send to two channels rather than one (which increases syslog traffic), or to work with any of the integration modules to pull data from systems such as Snare or Snare for IIS/Apache. While you are going to have to fork the syslog and event data, it is well worth the effort.
One of the other high-value processes within the High Tower SEM is the ability to build a risk/threat matrix using Nessus (and other scanner) data. We used Nessus, pulled in the XML output from the scan, and then ran an attack against a known vulnerability on one of the systems. High Tower used the scan data and alerted the operator that an attack was targeting a known vulnerability on that system. This allowed us to work with the data to identify something that was already known, and to build out a threat/risk mapping for the systems on the network.
There is nothing better than being able to allocate assets and respond to attacks that are happening against known vulnerabilities in servers. The ROI of simply having that information, and of being able to allocate resources accordingly, is invaluable in its own right.
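The correlation described above, scan findings joined against live alerts so that an attack on a known-vulnerable service is ranked ahead of everything else, is shown here as an added example; it is not High Tower's code or any vendor's. The scan XML is a constructed sample loosely modelled on the .nessus v2 report layout, the alert lines are a constructed key=value format rather than a real IDS output, and the CVE identifiers are placeholders.

```python
"""Correlate alert lines with vulnerability scan results (added example).

Assumptions (not from the original post): the scan XML is a constructed,
simplified imitation of the .nessus v2 layout, the alert lines are a
constructed key=value format, and the CVE identifiers are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample scan output, loosely modelled on the .nessus v2 layout.
SCAN_XML = """<NessusClientData_v2>
 <Report name="lab">
  <ReportHost name="10.0.0.5">
   <ReportItem port="80" protocol="tcp" severity="3" pluginID="100001"
               pluginName="Example web server overflow">
    <cve>CVE-EXAMPLE-0001</cve>
   </ReportItem>
   <ReportItem port="22" protocol="tcp" severity="1" pluginID="100002"
               pluginName="SSH banner disclosure">
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="445" protocol="tcp" severity="4" pluginID="100003"
               pluginName="Example SMB flaw">
    <cve>CVE-EXAMPLE-0002</cve>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Constructed alert lines in a simple key=value format (not a real IDS format).
ALERTS = [
    "ts=2007-01-30T10:15:02 dst=10.0.0.5 dport=80 proto=tcp cve=CVE-EXAMPLE-0001 sig=web-overflow",
    "ts=2007-01-30T10:16:44 dst=10.0.0.5 dport=80 proto=tcp cve=CVE-EXAMPLE-0009 sig=other-web-attack",
    "ts=2007-01-30T10:17:10 dst=10.0.0.9 dport=445 proto=tcp cve=CVE-EXAMPLE-0002 sig=smb-exploit",
    "ts=2007-01-30T10:18:30 dst=10.0.0.7 dport=25 proto=tcp cve=CVE-EXAMPLE-0003 sig=smtp-probe",
]


def parse_scan(xml_text):
    """Index scan findings as {(host, port, proto): [finding, ...]}."""
    index = defaultdict(list)
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        addr = host.get("name")
        for item in host.findall("ReportItem"):
            key = (addr, int(item.get("port")), item.get("protocol"))
            index[key].append({
                "severity": int(item.get("severity")),
                "plugin": item.get("pluginName"),
                "cves": {c.text for c in item.findall("cve")},
            })
    return index


def parse_alert(line):
    """Turn 'k=v k=v' into a dict; only the first '=' in a field splits it."""
    return dict(field.split("=", 1) for field in line.split())


def classify(alert, index):
    """Rank an alert by what the scan says about the targeted service."""
    key = (alert["dst"], int(alert["dport"]), alert["proto"])
    findings = index.get(key, [])
    if any(alert.get("cve") in f["cves"] for f in findings):
        return "critical"   # attack against a vulnerability the scan confirmed
    if findings:
        return "high"       # attack on a service that has other open findings
    return "informational"  # no scan evidence that the target is exposed


def correlate(alert_lines, xml_text):
    """Return [(timestamp, dst, priority), ...] for every alert line."""
    index = parse_scan(xml_text)
    return [(a["ts"], a["dst"], classify(a, index))
            for a in map(parse_alert, alert_lines)]


def risk_matrix(xml_text, alert_lines):
    """Per-host view: highest scan severity, finding count, attack status."""
    index = parse_scan(xml_text)
    attacked = {a["dst"] for a in map(parse_alert, alert_lines)}
    matrix = {}
    for (host, _port, _proto), findings in index.items():
        row = matrix.setdefault(host, {"max_severity": 0, "findings": 0,
                                       "under_attack": host in attacked})
        row["max_severity"] = max(row["max_severity"],
                                  max(f["severity"] for f in findings))
        row["findings"] += len(findings)
    return matrix


if __name__ == "__main__":
    for ts, dst, prio in correlate(ALERTS, SCAN_XML):
        print(f"{ts} {dst:<10} {prio}")
    for host, row in sorted(risk_matrix(SCAN_XML, ALERTS).items()):
        print(host, row)
```

The key is matched on host, port and protocol rather than on host alone, so a web exploit aimed at a box whose only finding is on SSH does not get promoted to critical; the per-host matrix is what an operator would use to decide where to spend response effort first.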
The reporting function covers the standard gamut of professional reports that anyone will need to run and support an audit. This meets all the legal criteria that will make an auditor happy, all by pushing a button and running a report. You can then segregate who can run reports using the product's own access control system or, in the 3.3 version, via AD groupings.
Overall, the High Tower SEM is one of the few security tools that not only does what it is supposed to do, but does it in such a way that junior analysts can figure out what the system is saying with little ramp-up time. Our analyst was writing functioning rules after about 10 minutes of training, and is able to run the system at this point. For Tier 1 operations it is all about keeping things simple, and this product makes it simple. It is well worth checking out.
Full Disclosure: I am not being compensated for talking about High Tower, but I did discuss this entry with the vendor, and with other people and decision makers within the local decision process.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.