Train the mind, mind the train.

Matthew X profrv at nex.net.au
Sun May 2 19:46:42 PDT 1999


Federal agencies are deploying an increasing number of commercial tools 
from companies such as ArcSight, CyberWolf Technologies Inc., e-Security 
Inc., GuardedNet and Micromuse Inc., to name a few. The FAA deploys an 
integrated set of security tools that include event management and 
intrusion detection. Officials would not name the vendor for security 
reasons. (A Cpunk challenge.)
However, for more advanced correlation and data reduction capabilities, the 
FAA turned to the academic community, funding researchers at the 
Massachusetts Institute of Technology to develop an event correlation system.
The FAA chose MIT because the agency didn't want a proprietary system and 
instead opted for one that was open and supported international standards, 
Brown said. Also, the FAA wanted to develop a system that could be shared 
with other federal agencies.
The FAA is integrating the system into its data warehousing framework, 
which uses neural technology to extract data. The system also passively 
scans the network for unusual activity and can detect if new network 
equipment, such as routers or servers, comes online.
Officials have already seen results from their tests of the system. 
Previously, IT operators reviewed event logs that were six to 10 hours old. 
The new system has reduced that lag time from hours to minutes, said Tom 
O'Keefe, deputy director of information systems security at the FAA.
Labor Department officials also have seen a reduction in the time it takes 
IT operators to access and analyze data by adopting event management 
systems, according to Laura Callahan, deputy chief information officer at 
Labor.
Callahan declined to identify the products the department uses for security 
reasons, but she said IT operators at the agency are familiar with products 
from SilentRunner Inc., a Raytheon company, and Network Intelligence Corp. 
"We are challenged in trying to sift through volumes of information to do 
trend analysis," she said.
Callahan also praised the tools' forensic capabilities, which enable IT 
operators to play back events for investigative purposes.
Besides deploying event management tools to battle the problem of data 
overload, the department is moving to a common security architecture. This 
means that each division within a line of business will adhere to the same 
standards and security technology, eliminating the need for multiple 
management consoles to monitor disparate products in each business unit.
Not a Panacea
There is a definite need for security event management tools in federal 
agencies, but "tools are not a panacea," said Thomas Gluzinski, president 
and chief executive officer of Paladin Technologies Inc., a provider of 
security services to the federal government.
Many of these tools are in their first generation, and some are complex and 
hard to use by someone lacking in-depth security knowledge. Others are easy 
to use but still require experts to analyze the data and take appropriate 
action, he said.
"And security event management products are computers, too," FedCIRC's Hale 
pointed out, so they are open to attacks or exploitation by hackers.
According to John Pescatore, a research director at Gartner Inc., a 
security event management system needs four key features:
- The tool must monitor events in real time and pull that information into 
a central location.
- It must filter data and present it in meaningful reports.
- It should have a discovery engine that can identify all the devices on a 
network. Most current products lack this feature.
- It must be able to control the security devices. For instance, the 
product must have the capability to change settings on a firewall in the 
event of an attack or work in conjunction with an intrusion-detection 
system to automatically block an attack.
The better products in the future will have some type of neural network 
capability that will enable them to identify and fix problems, Gluzinski 
said. Some intrusion-detection systems, such as Internet Security Systems 
Inc.'s RealSecure, can interact with firewalls from Checkpoint Systems Inc. 
to fix a rule set and solve a problem in the event of an attack.
However, if the intrusion-detection system is not configured properly and 
is not privy to internal business operations, it could introduce a new 
problem by making a fix. The same is true for security event management 
systems, Gluzinski said, which only emphasizes the need for skilled network 
engineers.
But as more network-based intrusion-detection systems move from merely 
issuing alarms to employing more highly advanced techniques — blocking 
attacks in the way that antivirus software stops the spread of computer 
viruses — there might not be a need for security event management systems, 
Gartner's Pescatore said.
There are two reasons for an organization to deploy security event 
management tools, according to Pescatore. Large organizations with several 
hundred firewalls spread across a global network would need to manage the 
output from those firewalls, and organizations deploying hundreds of 
network-based intrusion-detection sensors should deploy an event management 
system to reduce the false alarms generated by the sensors.
Unless an organization has made a huge investment in intrusion detection, 
Gartner researchers recommend holding off on purchasing such systems 
because more advanced tools will be released in about two years.
Others disagree. Intrusion detection "is where the pain is," but security 
event managers are also collecting data from firewalls and antivirus 
software, said Juanita Koilpillai, chairman and co-founder of CyberWolf 
Technologies, formerly Mountain Wave. The Federal Emergency Management 
Agency now uses the company's product, which automates analysis of data in 
real time. Symantec Corp. acquired the Falls Church, Va.-based company last 
month.
"It's more than an intrusion-detection issue," Callahan agreed. It's also 
an issue of tracking who's accessing intellectual capital and the 
applications and data associated with those assets. Intrusion-detection 
systems can "tell you that a person is coming through the door, but not all 
the rooms he's accessed." Security event management tools have the 
potential to help administrators sort through this information without 
manually analyzing each individual log file, she said.
Meanwhile, other efforts are under way to advance the field of event 
correlation. For instance, the CERT Coordination Center, located at 
Carnegie Mellon University, is conducting advanced research on developing a 
common output language for various security systems, said FedCIRC's Hale.
And at the SANS Institute, a Bethesda, Md.-based training and education 
organization for IT security professionals, officials are working with 
several vendors to determine the market leaders. They will then decide what 
type of training is needed for security professionals to properly use the 
products, said Stephen Northcutt, director of training at the institute.
"I'm optimistic about the maturity of security event management solutions," 
Callahan said. As experts refine their efforts to aggregate clusters of 
data and as vendors develop algorithms for detecting attacks, there should 
be "a more integrated common view across firewalls, systems, phones and 
wireless" technology.
***
What is event correlation?
Event correlation is the process of comparing data from multiple sources to 
identify attacks, intrusions or misuse.
Before data can be correlated, it must be removed from individual security 
devices and sent to a consolidation point where it is pulled from disparate 
log files, compressed and prepared for placement into a database.
After data is clustered, the security event management system can begin 
data correlation. Because an attack usually touches many points in a 
network, leaving a trail, a security analyst can possibly prevent or detect 
an attack if he or she follows that train.
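As an added illustration of the correlation step described in that sidebar (example code written for this archive copy, not part of the article or of any product it names): two constructed log sources in different formats are consolidated into one record shape, then each IDS alert is escalated only if the same source left a trail across at least two hosts in the preceding five minutes, which is the kind of corroboration that lets an event manager discard a sensor's uncorroborated alarms. The log formats, device names, sample addresses and thresholds are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical, not from the article): a firewall
# and an IDS sensor, each writing its own format.
FIREWALL_LOG = """\
2002-05-02 10:00:01 fw1 DENY src=10.9.8.7 dst=192.0.2.10 dport=22
2002-05-02 10:00:03 fw1 DENY src=10.9.8.7 dst=192.0.2.11 dport=22
2002-05-02 10:00:05 fw1 ALLOW src=10.9.8.7 dst=192.0.2.12 dport=22
2002-05-02 10:20:00 fw1 ALLOW src=10.1.1.1 dst=192.0.2.12 dport=80
"""
IDS_LOG = """\
[2002-05-02T10:00:06] sensor2 alert "SSH brute force" 10.9.8.7 -> 192.0.2.12
[2002-05-02T10:20:02] sensor2 alert "SSH brute force" 10.1.1.1 -> 192.0.2.12
"""

FW_RE = re.compile(r"(\S+ \S+) (\S+) (\w+) src=(\S+) dst=(\S+)")
IDS_RE = re.compile(r'\[(\S+)\] (\S+) alert "([^"]+)" (\S+) -> (\S+)')

def normalize(fw_text, ids_text):
    """Consolidation step: pull both formats into one common record shape."""
    events = []
    for m in FW_RE.finditer(fw_text):
        ts, dev, action, src, dst = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "device": dev, "src": src, "dst": dst, "kind": "fw-" + action})
    for m in IDS_RE.finditer(ids_text):
        ts, dev, sig, src, dst = m.groups()
        events.append({"ts": datetime.fromisoformat(ts),
                       "device": dev, "src": src, "dst": dst, "kind": "ids-alert"})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5), min_hosts=2):
    """For each IDS alert, follow the source's trail across every device in
    the preceding window; escalate only when it touched >= min_hosts hosts.
    An alert whose source touched a single host stays unconfirmed."""
    escalated = []
    for alert in (e for e in events if e["kind"] == "ids-alert"):
        lo = alert["ts"] - window
        trail = [e for e in events
                 if e["src"] == alert["src"] and lo <= e["ts"] <= alert["ts"]]
        hosts = {e["dst"] for e in trail}
        devices = {e["device"] for e in trail}
        if len(hosts) >= min_hosts:
            escalated.append({"src": alert["src"], "hosts": hosts, "devices": devices})
    return escalated

def run_demo():
    return correlate(normalize(FIREWALL_LOG, IDS_LOG))
```

With the sample data, only the 10.9.8.7 alert is escalated (three hosts seen by two devices); the 10.1.1.1 alert touched one host and is left unconfirmed.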