Tuesday, November 5, 2024

Security Event Manager Review

Over the last few months I have been fortunate to beta test, or simply test, a number of information security tools to see how well they would work in a high-volume environment.

It is not every day that you run into a tool that not only does what it is supposed to do, but is also simple to install, integrate, and operate. High Tower Security Event Manager is one of those tools: it lives up to its marketing hype and is well worth discussing in the security management space.

Dark Reading talks about the convergence of NOC/SOC operations:

“The security team typically has had no say or control over the network, even though security touches the network,” he notes. “But the SOC is going to get a bit more control.” The NOC has historically been queasy about allowing the security team the ability to make network configuration changes based on security problems, because such changes sometimes lock users out of their authorized applications.

So the integration between the ESIM and ITSM products must offer role-based controls to the security group, the report says, so that a security analyst automatically only sees what he or she needs to see in a network device when checking or fixing a security problem. That “sanitization” is done manually today by network administrators. (Dark Reading, http://www.darkreading.com/document.asp?doc_id=115415&WT.svl=news1_2 )

High Tower fits squarely into the ESIM/ITSM space: its role-based controls let the SOC staff see what is happening on the network and submit change requests based on how traffic flows across switches, routers, and firewalls, driven by real-time incidents or data patterns, without the NOC having to grant access to whatever monitoring systems are already in place.

All that needs to be done is to configure the network devices to send their syslog output to two destinations rather than one (which does increase syslog traffic), or to use one of the integration modules to pull data from agents such as Snare or Snare for IIS/Apache. You will have to fork the syslog and event data, but the result is well worth it.

One of the other high-value processes within the High Tower SEM is the ability to build a risk/threat matrix from Nessus (and other scanner) data. We used Nessus, sucked in the XML output from Nessus, and threw a known vulnerable attack against one of the systems. High Tower used the data from the scan and alerted the operator that there was a known vulnerable attack against the system. This allowed us to work with the data to identify something that was known, and to build out a threat/risk mapping for the systems on the networks.

There is nothing better than being able to allocate assets and respond to attacks that are happening against known vulnerabilities in servers. The ROI of simply having that information, and of being able to allocate resources accordingly, is in its own right invaluable.
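The scan-to-alert correlation described above, as an added example rather than High Tower's own code or data: it parses a constructed report in the .nessus XML layout, indexes findings by host, protocol and port, and raises the priority of forked syslog/IDS events whose target has a matching high-severity finding. The key=value event format, the hosts, plugin IDs and signature names are all constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (NessusClientData_v2) layout, not real scan output:
# one host with a high-severity finding on tcp/80 and an informational one on tcp/22.
NESSUS_XML = """<NessusClientData_v2><Report name="demo">
<ReportHost name="10.0.0.5">
<ReportItem port="80" protocol="tcp" severity="3" pluginID="90001"
            pluginName="Web server remote code execution"/>
<ReportItem port="22" protocol="tcp" severity="0" pluginID="90002"
            pluginName="SSH service detection"/>
</ReportHost></Report></NessusClientData_v2>"""

# Constructed key=value events, as a forked syslog/IDS feed might deliver them.
EVENTS = [
    "src=203.0.113.9 dst=10.0.0.5 dport=80 proto=tcp sig=web-rce-attempt",
    "src=203.0.113.9 dst=10.0.0.5 dport=22 proto=tcp sig=ssh-bruteforce",
    "src=203.0.113.9 dst=10.0.0.77 dport=445 proto=tcp sig=smb-probe",
]

def load_nessus(xml_text):
    """Index scan findings by (host, protocol, port) -> list of (severity, plugin name)."""
    index = {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            key = (host.get("name"), item.get("protocol"), int(item.get("port")))
            index.setdefault(key, []).append(
                (int(item.get("severity")), item.get("pluginName")))
    return index

def parse_event(line):
    """Split a 'k=v k=v' line into a dict (assumed event format)."""
    return dict(field.split("=", 1) for field in line.split())

def correlate(events, index, min_severity=2):
    """Return (event, priority, reason) per event; priority 1 is the most urgent."""
    scanned_hosts = {host for host, _, _ in index}
    results = []
    for line in events:
        ev = parse_event(line)
        key = (ev["dst"], ev["proto"], int(ev["dport"]))
        findings = [f for f in index.get(key, []) if f[0] >= min_severity]
        if findings:  # attack aimed at a service the scanner already flagged
            results.append((ev, 1, "target has known vulnerability: " + findings[0][1]))
        elif ev["dst"] in scanned_hosts:  # scanned, nothing serious on that port
            results.append((ev, 3, "target scanned, no matching finding on this port"))
        else:  # never scanned, so exposure is unknown and needs a look
            results.append((ev, 2, "target never scanned, exposure unknown"))
    return results

if __name__ == "__main__":
    for ev, prio, reason in correlate(EVENTS, load_nessus(NESSUS_XML)):
        print(f"P{prio} {ev['sig']} -> {ev['dst']}:{ev['dport']} ({reason})")
```

The same index feeds the risk/threat matrix: counting priority-1 hits per host shows which assets are being attacked where they are actually vulnerable.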

The reporting function covers the standard gamut of professional reports that anyone running or undergoing an audit will need. It meets the legal criteria that make an auditor happy, all by pushing a button and running a report. You can then restrict who may run reports using the product's own access control system or, in version 3.3, via Active Directory (AD) groupings.

Overall, the High Tower SEM is one of the few security tools that not only does what it is supposed to do, but does it in such a way that junior analysts can figure out what the system is telling them with little ramp-up time. Our analyst was writing functioning rules after about 10 minutes of training and is able to run the system at this point. With this kind of technology, it's all about making things simple for Tier 1, and this product makes it simple. It's well worth checking out.

Full Disclosure: I am not being compensated for talking about High Tower, but I did talk to the vendor about this entry, and to other people and decision makers within the local decision process, about this blog entry.


Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
