“Must Haves” for Successful Security Management
Show no weakness
Enterprise IT infrastructures today are exposed to a wide range of attacks. As a consequence, implementing comprehensive, centralized security management for all critical components has become a top-priority task. This article examines the most important security issues and their technical implementation and provides some orientation for implementing an effective security strategy.
In the last ten years, the risks for enterprise security have grown steadily and new types of attacks have appeared. These are often combinations of viruses, Trojans or other malware from a wide range of anonymous sources. At the same time, enterprise networks are growing ever more complex. A large number of servers are dedicated to a variety of tasks, while virtualization combines multiple systems into one – and compliance with legal requirements must simultaneously be assured. All these demands have made it increasingly difficult to protect IT environments.
An integrated IT security management solution offers significant advantages here by providing broad-based coverage of both technical and organizational requirements while at the same time meeting the needs of enterprise management.
Centralized security management makes sense from a purely technical perspective, because it realizes a reliable security infrastructure while improving both system auditing and the response to security incidents. Centralization also enhances the interoperability of security components, thus enabling analysis and a uniform view of the entire security infrastructure.
From the management perspective, this approach realizes a single point of control. It improves control over the systems, reduces the workload and simplifies the analysis of the incidents that occur. The areas of responsibility can be clearly defined and assigned. This prevents overlaps and uncoordinated instructions from multiple departments, which increases employee efficiency.
Security management “must haves”
The NetIQ Security Manager provides an integrated solution for heterogeneous and cross-platform environments. It unifies security information management, correlation, incident response and log management, enabling detailed trend analyses and reporting in a single solution. Furthermore, NetIQ Security Manager centralizes the registration, tracking, analysis and reporting of security information.
The “must haves” that are essential for system security are examined in the following.
1. What constitutes a reliable security architecture?
A stable, reliable IT security infrastructure is characterized by careful planning and implementation and accurate monitoring. It is supported by enterprise guidelines, enables centralized management and provides a comprehensive solution for system threats, weak points and poor configurations.
One important component here is risk management. This process enables the responsible security managers to define which threats and which data must be covered by the security solution in order to ensure adequate protection without excessive costs. Auditing and monitoring enable analysis of the entire system, so that problem areas can be identified and addressed on an enterprise-wide basis. The phased implementation and maintenance of a security strategy helps to prevent potential chaos due to overlaps, updates, diverging management requirements or compatibility issues.
2. Centralized security alerts
The response to incidents such as an attempted break-in is a further important factor. This includes notification, logging and the initiation of countermeasures against the incident. The time taken to identify and respond to a security incident defines the total exposure time, the timeframe in which systems are exposed to a security threat. This exposure window must be kept as small as possible. Integrated security management using a security information and event management (SIEM) infrastructure makes it possible to reduce the flood of information by ensuring that only real threats are responded to. At the same time, it offers mechanisms for reducing the number of security incidents and accelerating responses.
3. Information for incident response and restoration
Log files are fundamental audit trails for security systems that make it possible to identify trends. They are generated by operating systems, databases, routers and security solutions and contain such large quantities of relevant data that automatic analysis is essential. They additionally present an overall view of the security environment. Log files must be filtered and reduced to a reasonable, manageable size, so that the administrator can recognize and respond to the problems that need to be solved. The data, which originate from multiple sources, must also be converted into a uniform format and a common syntax. This is the essential prerequisite for automatic analysis of the information, and that analysis is in turn essential for obtaining an adequate picture of security incidents over time and identifying the patterns of weak points and unprotected areas.
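As an added illustration of the normalization and flood reduction described in points 2 and 3 (example code written for this article, not part of NetIQ Security Manager or any product): three constructed log formats are mapped onto one common schema, and a single correlation rule then replaces a burst of raw events from different sources with one alert. The field names, regular expressions, event IDs and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical sources (not real logs):
# an sshd syslog line, a Windows-style logon event and a firewall line.
RAW_EVENTS = [
    "2024-05-01T10:00:01 host1 sshd[101]: Failed password for root from 203.0.113.5 port 4444",
    "2024-05-01T10:00:03 host1 sshd[101]: Failed password for root from 203.0.113.5 port 4445",
    "2024-05-01 10:00:07 EventID=4625 Source=203.0.113.5 User=Administrator Status=Failure",
    "2024-05-01 10:00:09 EventID=4624 Source=203.0.113.5 User=Administrator Status=Success",
    "May  1 10:00:20 fw01 DENY TCP 198.51.100.9:51000 -> 10.0.0.4:445",
]

# One pattern per source format; every parser maps onto the same field names.
SSHD = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WIN = re.compile(r"^(\S+ \S+) EventID=(\d+) Source=(\S+) User=(\S+)")
FW = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (DENY|ALLOW) \w+ (\S+):\d+ -> (\S+):\d+")
WIN_ACTIONS = {"4625": "auth_fail", "4624": "auth_ok"}  # assumed event-ID mapping

def normalize(line):
    """Map a raw line onto the common schema: ts, host, src, user, action."""
    if m := SSHD.match(line):
        action = "auth_fail" if m[3] == "Failed" else "auth_ok"
        return {"ts": datetime.fromisoformat(m[1]), "host": m[2], "src": m[5], "user": m[4], "action": action}
    if m := WIN.match(line):
        return {"ts": datetime.fromisoformat(m[1]), "host": "win", "src": m[3], "user": m[4],
                "action": WIN_ACTIONS.get(m[2], "other")}
    if m := FW.match(line):
        ts = datetime.strptime(m[1], "%b %d %H:%M:%S").replace(year=2024)  # syslog omits the year
        return {"ts": ts, "host": m[2], "src": m[4], "user": None, "action": "net_" + m[3].lower()}
    return None  # unknown format: keep the raw line for audit, but it cannot be correlated

def correlate(events, min_failures=2, window=timedelta(seconds=60)):
    """Raise one alert per source that logs in successfully after repeated failures in the window."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "auth_fail":
            failures[e["src"]].append(e["ts"])
        elif e["action"] == "auth_ok":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"src": e["src"], "user": e["user"], "failures": len(recent), "ts": e["ts"]})
            failures[e["src"]].clear()
    return alerts

def run(lines=RAW_EVENTS):
    """Normalize all lines, drop unparseable ones, and return (events, alerts)."""
    events = [n for n in map(normalize, lines) if n]
    return events, correlate(events)
```

Because the sshd failures and the Windows failure share one normalized `src` field, the rule counts them together, which is exactly what a per-source view of raw logs cannot do.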
Restoring systems is also of critical importance in maintaining an effective security system. This aspect demands an accurate assessment of the threat and the development of a response to it. Security must be reviewed on a regular basis to determine whether new factors have arisen. SIEM solutions provide the unified view of the infrastructure necessary for obtaining this information for incident response.
4. Continuous testing and review of the security infrastructure
Regular testing and review of the security infrastructure are important tasks for assuring efficient operation even after changes in the environment. The security management system should be able to supply comprehensible information to support these tasks. Integration features must be tested to verify that they collect the right data and that every possible data combination generates a correct result. Another reason for testing is compliance monitoring, i.e. ensuring that an adequate audit trail exists and that legal requirements are complied with.
The centralized monitoring of the security infrastructure must be based on policies that, above all, regulate the activities of employees. Centralized systems support the framing of policies because they supply the analysis of the security needs and weak points which the policy guidelines are to address. But policies and procedures are only of use when the employees actually follow them. Training seminars are thus essential to develop security-consciousness and to ensure that all employees understand the specific guidelines. Fully functional SIEM systems also monitor observance of policies and can reduce the need for training because they provide a unified system for accessing security information across the entire enterprise.
5. Automatic updates
A further essential aspect is the definition of guidelines and procedures for updating systems and components. This process should be automated and conducted on a regular basis. The key factor here is to track the status of the components and their updates. The deployed solution should thus enable asset monitoring, patch level reporting, auditing of changes and mechanisms for automation.
An integrated security solution also requires an organizational structure with clearly defined roles and responsibilities. The know-how of the employees should be matched to the tasks and specialized knowledge of the entire IT environment as well as specific security requirements. In many enterprises, the responsibility for security management is distributed throughout the organization. To improve efficiency and understanding, roles and responsibilities should be reviewed, reconsidered and redefined where appropriate.
Today’s market for security management includes a variety of product types. One of the “entry level” offerings in this market is security event management (SEM). This offers basic monitoring and enables a response to the current state of the security infrastructure and to immediate threats. Security information management (SIM), on the other hand, collects, normalizes and stores information from log files, provides monitoring of changes and enables detailed analyses of event histories.
Finally, security information and event management (SIEM) unites these two types and provides a unified solution for handling immediate threats as well as for detailed analysis and security planning. A solution of this type requires the interaction of various products, centralized log files and the integration of all security information in a single framework.
The NetIQ Security Manager provides a comprehensive, centralized SIEM system for heterogeneous, cross-platform environments. The software offers real-time functions for detecting changes and monitoring activities. The NetIQ Security Manager combines SIM with correlation, incident analysis with response management, and log management with archiving and highly developed forensic functionalities. The Security Manager centralizes collection, display, analysis, archiving and reporting of security information to minimize the total exposure time. It also protects intellectual property through proactive detection of unauthorized activities. The solution unites the logical functions of real-time monitoring of incidents with long-term storage of log files to ensure reliable security management.