Security Management: Cole Taylor's Master Key Scours Its Network

Erik Hart calls it his "Google" for the IT infrastructure at Cole Taylor Bank in Chicago. Each morning when the information security officer logs into his network, a security information and event management (SIEM) application compiles a graphical run-down of what's happening around the bank's 12 servers.

From this, Hart can see where system administrators are currently trolling around. He can count the failed user log-ins and possible hack attempts that have occurred. He can detail what devices are being used, and if malware alerts are streaming in, he can find who has been or could be infected by the virus, and which poor sap's e-mail unleashed it. "I don't have to be a SQL and technical guru," says Hart, whose 11-branch, $3.5 billion-asset bank deploys an EnVision security event management appliance from Network Intelligence of Westwood, MA. Entering a subject header, name or other identifiable piece of information, Hart can look through his Exchange logs in a matter of seconds, "and it will show me every single person who's received that email."

Originally developed in the '90s merely to record network log events for system analysis, security event and security information systems are evolving to handle a host of new defensive and operational applications. Their primary security use is helping banks decipher potential threats that siloed protections cannot discern, such as when a failed log-in on a UNIX server is never linked to a Windows log-in failure in another department. SIEM systems are now fast becoming a de facto compliance need and efficiency tool for banks stepping up network policy enforcement, locking down application production rules and even improving business intelligence.
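The cross-platform correlation described above, as an added Python example that is not from the article or from any vendor's product: failed log-ins from a UNIX sshd syslog line and from a Windows-style security event are normalized to one schema and grouped by user, so a failure on each platform is seen together rather than in two silos. The log lines, their field layout and the host and user names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): UNIX sshd failures and
# Windows-style logon-failure records, as a SIEM would receive them centrally.
SAMPLE_LOGS = [
    "Jun  3 08:01:12 unix01 sshd[2231]: Failed password for jsmith from 10.1.4.22 port 51034 ssh2",
    "Jun  3 08:01:40 unix01 sshd[2231]: Failed password for jsmith from 10.1.4.22 port 51035 ssh2",
    "2006-06-03 08:02:05 win-dc01 Security EventID=529 LogonFailure User=JSMITH Workstation=10.1.4.22",
    "2006-06-03 08:03:11 win-fs02 Security EventID=529 LogonFailure User=bjones Workstation=10.1.9.8",
    "Jun  3 08:05:00 unix02 sshd[2290]: Accepted password for bjones from 10.1.9.8 port 40001 ssh2",
]

# Parsers for the two constructed formats; each yields host, user and source address.
SSHD_FAIL = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WIN_FAIL = re.compile(r"^\S+\s+\S+\s+(?P<host>\S+)\s+Security EventID=(?:529|4625)\b.*?"
                      r"User=(?P<user>\S+)\s+Workstation=(?P<src>\S+)")

def normalize(line):
    """Map a raw line from either platform onto one schema, or None if it is not a failure."""
    m = SSHD_FAIL.match(line)
    if m:
        return {"platform": "unix", "host": m["host"], "user": m["user"].lower(), "src": m["src"]}
    m = WIN_FAIL.match(line)
    if m:
        return {"platform": "windows", "host": m["host"], "user": m["user"].lower(), "src": m["src"]}
    return None

def correlate_failed_logins(lines, min_platforms=2):
    """Group failures by user and report those failing on at least min_platforms platforms."""
    by_user = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev:
            by_user[ev["user"]].append(ev)
    report = {}
    for user, events in by_user.items():
        platforms = {e["platform"] for e in events}
        if len(platforms) >= min_platforms:
            report[user] = {"failures": len(events),
                            "platforms": sorted(platforms),
                            "hosts": sorted({e["host"] for e in events}),
                            "sources": sorted({e["src"] for e in events})}
    return report

if __name__ == "__main__":
    for user, info in correlate_failed_logins(SAMPLE_LOGS).items():
        print(user, info)
```

Neither host's own log shows more than two failures for jsmith, but the merged view shows the same source address failing against both platforms, which is the discrepancy the article says department-level tools miss.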

Network Intelligence, for instance, has an unidentified financial services customer that is gathering source-event data from 17 regional centers to support a new enterprise security operations hub. Collating such disparate data of Windows, Unix/Linux and mainframe origin through a relational database would otherwise be a Herculean task, according to Jim Melvin, svp of marketing and product development for Network Intelligence.

"We see a lot of customers using that for business process optimization in terms of understanding workflow and capacity utilization across devices," says Melvin. "We see that as a common use of the technology." A recent survey announced by the company at a user conference showed that 53 percent of NI clients have expanded their use of the product for business intelligence, such as analyzing the capabilities of in-house applications.

Analysts and security vendors say the evolution is a natural progression of the SIEM market from device management (servers, routers, network devices and laptops) to application and operations management, and one that is gaining traction in the sector. In a recent report, Gartner pegged the security event/security information spending market for financial services and other industries at $288 million in 2005, a 32.2 percent rise from the year before.

Compliance remains the key driver for bank adoption, as auditors are demanding more automated monitoring, says Gartner analyst Mark Nicolett. "It's replaced the threat-management use case as the most common reason that budget dollars are available," says Nicolett.

SIEM is a way for institutions to meet their Sarbanes-Oxley and Gramm-Leach-Bliley security requirements, which call for the collection and reporting of log events. SIEM solutions don't replace security systems already on board, but they can sniff out discrepancies not apparent at the departmental level. Toby Weiss, svp of product management and marketing for eTrust solutions at CA, recounts a customer who complained that their new SIEM solution wasn't working: their usual five or six alerts a day had suddenly mushroomed to more than 35 after deployment. "When we drilled into it, it turned out there really were 35 and the rest had been going unnoticed."

Going unnoticed is easy, says Cole Taylor's Hart, given that manually examining 70-meg ASCII files documenting seven to 10 million daily events is all but physically impossible, and provides no actionable analysis.

While Cole Taylor's solution from Network Intelligence is a direct-buy appliance, the SIEM market has a variety of offerings. In a Gartner survey of the sector, the research firm delineated seven variations of standalone event/information management services as well as solutions integrated with identity and access management products, which Gartner says is a core strategy of CA, IBM and Novell.

Some companies also develop market niches, such as TriGeo Network Security's specialty in mid-sized clients, including the Chicago Stock Exchange. The field is also a crowded one, with Gartner tracking 19 firms that compete across industries, mounting speculation that recent consolidation efforts, such as Novell's acquisition of e-Security, will continue.

(c) 2006 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
