Making Sense of Your Security Tools
Software Magazine, Feb, 2000 by Paul Desmond
IF YOU'VE BEEN AROUND the IT business for a while, chances are you remember the days when it was common to have multiple management consoles in your network operations center. Each type of device, be it a modem, hub, router, or server, had its own element management system. It wasn't until tools such as HP's OpenView and Sun's SunNet Manager came along that users could get a single, consolidated view of their network.
"Security is in need of that same type of model," says Reed Harrison, vice president for professional services and product strategy at e-Security Inc., based in Naples, Fla. (www.esecurityinc.com). Users today have myriad security products, including firewalls, intrusion detection systems, antivirus software, virtual private network appliances, encryption and authentication services (such as badge readers and smart cards), plus multiple logs collecting data on potential security breaches on servers and databases. But none of these systems talk to one another, and each must be monitored separately, Harrison says.
Realtime Breaches
e-Security aims to change that with its Open e-Security Platform (OeSP), a console that purports to give users a graphical representation of their network from a security perspective. Just as OpenView can tell you when a router goes down, OeSP will let you know when you've got a potential security breach, as it's happening.
e-Security goes to great lengths to play up the real-time aspects of OeSP. In November, it even joined with the SANS Institute, a cooperative research and educational association focused on security, in creating a new security discipline: Real-Time Security Awareness (RTSA). The idea is to provide an all-encompassing view of the security landscape and correlate alarms from various devices to point users to the source of potential security problems.
"It's continuous online auditing," Harrison says, which is something that is all but impossible today given the number of log files that are constantly generated.
OeSP is based on an Oracle database running on a Solaris 2.6 machine. e-Security has developed software agents that collect data from various security devices and sources. To date, the company has 29 such agents, with more being developed as customers demand.
Agents and Alerts
Most firewalls, IDSs, and other security devices have the ability to send SNMP alerts. e-Security programs them to send alerts to the OeSP console for myriad events, such as someone trying to log in to a Cisco router using the default Cisco admin account. Even if the event was blocked, it's something that users should be alerted to because it means somebody who knows a little too much about your network is trying to break in.
For products that are not SNMP-enabled, such as a Solaris syslog on a server, the e-Security Workbench tool can be used to create agents that watch for predefined activities and either alert a user when they occur or log the event and count it toward a threshold. Alternatively, if a security system has its own management console, OeSP can be configured to communicate with it instead of each individual end device.
This idea of agents watching multiple security products at once is a powerful concept that leads to proactive security, Harrison says. It allows you to create customized events that can be flagged.
For example, you may have a PeopleSoft human resources system running on top of an Oracle database, each of which has some sort of super-user ID that has all-powerful privileges. An intruder may launch a slow, persistent attack on such a system, trying maybe twice per day to break the super-user ID on both the Oracle and PeopleSoft systems. "That will be flagged," Harrison says. "It shouldn't happen. No one person would have access to both those accounts."
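The cross-system rule Harrison describes, combined with the count-toward-a-threshold behaviour of the Workbench agents, can be sketched as follows. This is an added example, not e-Security's code; the event format, account names, seven-day window, and threshold of four are assumptions, and the log events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed super-user account names per system (illustrative, not from the article).
SUPERUSERS = {"oracle": {"SYS", "SYSTEM"}, "peoplesoft": {"PS"}}
WINDOW = timedelta(days=7)  # long window, so two attempts a day still accumulate
THRESHOLD = 4               # failed super-user logins per source inside WINDOW

# Constructed sample events: (timestamp, system, account, source, outcome)
EVENTS = [
    ("2000-02-01 03:10", "oracle", "SYSTEM", "10.1.4.22", "fail"),
    ("2000-02-01 09:00", "oracle", "SYSTEM", "10.1.7.9", "fail"),
    ("2000-02-01 09:01", "oracle", "SYSTEM", "10.1.7.9", "fail"),
    ("2000-02-01 09:02", "oracle", "SYSTEM", "10.1.7.9", "ok"),
    ("2000-02-01 11:30", "peoplesoft", "jsmith", "10.1.7.9", "fail"),
    ("2000-02-01 15:40", "peoplesoft", "PS", "10.1.4.22", "fail"),
    ("2000-02-02 03:05", "oracle", "SYS", "10.1.4.22", "fail"),
    ("2000-02-02 15:45", "peoplesoft", "PS", "10.1.4.22", "fail"),
    ("2000-02-03 03:12", "oracle", "SYS", "10.1.4.22", "fail"),
]

def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Alert once per source that fails super-user logins on two or more systems."""
    recent = defaultdict(list)  # source -> [(time, system)] still inside the window
    alerted, alerts = set(), []
    for ts, system, account, source, outcome in sorted(events):
        # Only failed attempts against a known super-user account count.
        if outcome != "fail" or account not in SUPERUSERS.get(system, ()):
            continue
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        # Age out old attempts, then record this one.
        hits = [(t, s) for t, s in recent[source] if now - t <= window]
        hits.append((now, system))
        recent[source] = hits
        systems = sorted({s for _, s in hits})
        if len(systems) >= 2 and len(hits) >= threshold and source not in alerted:
            alerted.add(source)
            alerts.append({"source": source, "systems": systems,
                           "attempts": len(hits), "raised_at": now})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Shrinking the window to under an hour makes the same events produce no alert, which is why a slow attack of this kind goes unnoticed when each device's log is reviewed on its own.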
An OeSP add-on, the e-Security Management Desk, can help customers deal with security alerts as they crop up. It manages the workflow for customer response to security incidents and alerts the appropriate people according to the type of incident by e-mail, page, or automated voice response. Following predefined corporate policies, the tool also reminds each member of the incident response team of the steps that are to be followed, including escalation procedures and personnel notifications.
While it may seem like it would take a good long time to think of and program for every possible such security incident and response scenario, Harrison says the system can typically be installed and reporting valuable information within five to 10 business days.
The OeSP console costs $32,995. The Management Desk, scheduled for release in March 2000, is priced at $49,995. The e-Security Administrator Workbench tool, for creating e-security agents, is priced at $9,995.



