At some point in life, you've probably heard the notion
that one cannot have too much of a good thing. In the
case of security logs, however, this statement simply
is not true. Most security systems generate mountains
of disparate information. Without a consolidated and
comprehensive view, this can overwhelm an IT staff and
lead to poor interpretation of data. For example, in
a typical enterprise, an average firewall can produce
more than 500,000 messages per day. Multivendor and
multidevice security architectures, as well as escalating
threats, have made the problem of information overload
even worse. Just when you think you have protected all
the devices on your system, a deeper inspection of raw
log data reveals evidence of vulnerabilities to complex
threats, attacks, viruses, or worms.
Companies also face a particular challenge
in converting security data into management reports
to meet the burgeoning burden of regulatory compliance.
Amid regulations such as the Sarbanes-Oxley Act, the
Gramm-Leach-Bliley Act, and the Health Insurance Portability
and Accountability Act (HIPAA), the lack of centralized
security logs and security event data severely limits
a company's ability to generate comprehensive reports
on the health and security of its network. These reports
are one important factor in demonstrating that corporate
and customer information is secure. Without them, companies
run the risk of hundreds of thousands of dollars in
fines, not to mention weeks and months of manpower to
get a network in compliance with the law.

However, help is here in the form
of Security Event Management (SEM). SEM systems are
designed to empower administrators to make sense of
their most critical security information. They also
help network gurus identify and analyze nagging security
threats and take decisive actions to prevent them. These
tools pull together the masses of data generated by
standalone security products and present the information
to network administrators in a coherent and useful format.
Without SEM, security logs are like a million voices
speaking at once, a real cacophony. With SEM, these
logs present a clear and understandable message, a
call to arms that network defenders can act upon.
SEM that Works
The best way to get immediate, out-of-the-box value
from an SEM solution is by finding a system that delivers
a core set of capabilities and that is able to accommodate
your company's particular network and security environment.
The right tool is easy to understand and scales as your
company grows. And it does not hurt if it is cost effective,
too.

Above all, an SEM solution should
feature the following five functionalities:
1. Log collection from heterogeneous devices: the
capability to read, parse, normalize, and gather
information from a variety of security devices from
a host of vendors

2. Centralized event detection: the capacity to detect
events automatically and distinguish between events
that matter and those that do not, freeing up staff
members to focus on preventing the most important
threats

3. Threat prevention and remediation: the power
to generate alerts and automated responses based
upon certain security events, then record and track
event data for post-threat investigation

4. Report generation: the capability to provide
reports that support post-threat investigation,
regulatory compliance, and management's desire to
gain an overall view of your company's security
position

5. Scalable, distributed architecture: the bandwidth
to manage millions of logs per day, spread the processing
load, and segregate functions like correlation,
updates, and display to facilitate flexibility for
individual components of the architecture
In addition to all these features,
good SEM tools are quickly deployable and start providing
full functionality right out-of-the-box as soon as network
administrators plug them in. This is where many options
fall short. Too frequently, SEM tools require months
of customization. What's more, many SEM tools are complicated
to learn and administer, and they require extensive
tuning in order to work properly. With this in mind,
the smartest way to roll out an SEM solution is to limit
the initial scope of deployment, making sure the tool
fulfills your organization's most critical requirements
before customizing it any further.
SEM Best Practices
Beyond this out-of-the-box deployment strategy, it is
important to remember that the very best SEM tools aggregate
information from numerous security devices and vendors
so that they can analyze and compare data from multiple
points on the network. From here, the tools correlate
entries and search log data for patterns that trigger
preexisting event policies. Suspicious patterns might
reveal unauthorized scans targeting vulnerable hosts,
viruses, worms, denial of service attacks, network anomalies,
or other host-based activity. Log data that exceeds
the parameters for these types of patterns triggers predetermined,
real-time responses.
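To make the normalize-then-correlate pipeline described above concrete (collecting logs from heterogeneous devices, reducing them to a common record, and firing a preexisting event policy when a pattern crosses its threshold), here is an added Python example; it is not Eventia Analyzer's code or any Check Point API, and the two vendor log formats, device names, addresses and the scan-policy thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in two made-up vendor formats (not real product output):
# a firewall that logs dropped packets and an IDS that logs signature hits.
RAW_LOGS = [
    "2024-05-01T10:00:01 fw-a drop src=10.0.0.5 dst=192.168.1.10 dport=22",
    "2024-05-01T10:00:02 fw-a drop src=10.0.0.5 dst=192.168.1.11 dport=22",
    "2024-05-01T10:00:03 ids-b ALERT|10.0.0.5|192.168.1.12|portscan",
    "2024-05-01T10:00:04 fw-a drop src=10.0.0.5 dst=192.168.1.13 dport=22",
    "2024-05-01T10:00:05 ids-b ALERT|10.0.0.5|192.168.1.14|portscan",
    "2024-05-01T10:30:00 fw-a drop src=10.0.0.9 dst=192.168.1.10 dport=443",
]

FW_RE = re.compile(r"^(\S+) (\S+) drop src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) (\S+) ALERT\|([^|]+)\|([^|]+)\|(\w+)$")

def normalize(line):
    """Parse one raw line from either vendor into a common event record, or None."""
    m = FW_RE.match(line)
    if m:
        ts, dev, src, dst, _dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "device": dev,
                "src": src, "dst": dst, "kind": "fw_drop"}
    m = IDS_RE.match(line)
    if m:
        ts, dev, src, dst, sig = m.groups()
        return {"ts": datetime.fromisoformat(ts), "device": dev,
                "src": src, "dst": dst, "kind": "ids_" + sig}
    return None  # unknown format: skip it rather than stop the whole pipeline

def correlate(lines, threshold=4, window=timedelta(minutes=5), min_devices=2):
    """Event policy (hypothetical): one source reaching >= threshold distinct
    destinations within the window, as seen by >= min_devices devices, is a scan."""
    events = [e for e in map(normalize, lines) if e]
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            dsts = {e["dst"] for e in in_win}
            devs = {e["device"] for e in in_win}
            if len(dsts) >= threshold and len(devs) >= min_devices:
                alerts.append({"src": src, "targets": len(dsts),
                               "devices": sorted(devs), "first": first["ts"]})
                break  # one alert per source; do not re-fire on the same burst
    return alerts
```

The cross-device requirement is what a single firewall's own log cannot provide: the IDS and firewall records only become one "scan" event once they share a normalized schema.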
Check Point solves the problem of
security information overload with Eventia Analyzer,
an SEM solution for correlating log data. The tool comes
loaded with preexisting event policies for quick deployment
and enables security administrators to develop new policies.
It also enables administrators to generate alerts and
automated responses based upon security events and record
event data for post-threat investigation. In the area
of compliance, Eventia Analyzer directly addresses key
Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA control
requirements such as information and communication security,
as well as management reporting. Most important, the
tool helps cut through the cacophony of security log
data to make your network more secure.