
Could techniques like those developed for business intelligence (BI) applications, analysing huge quantities of commercial data to uncover hidden trends and relationships, also be applied to security and systems management data flows?

Certainly, says Ulrich Weigel, the director of security products at NetIQ, now part of the Attachmate empire but still developing software to help people manage their IT systems.

The problem, he argues, is that most of the time there is plenty of data available, but it is scattered across different systems, so it falls to fallible and overworked humans to pull it together and spot the relationships.

The answer, he says, is to converge your security and systems management. "For example, the Sasser virus pushed up CPU usage, it took networks down, it was a problem for VoIP and so on," he adds. "Correlating all that information would have shown what was going on."

Part of that is security event (or information) management. SEM (or SIM, depending on who you talk to) is designed to pull together the data coming from an organisation's security devices - firewalls, IDS, IPS, VPNs and so on - and convert it all into a common format for analysis and reporting.

Security is just a start, though, Weigel says: "We try to take all of an enterprise's systems, put them together and report on that, so that includes change and configuration management and SEM.

"The key factor is building the intelligence to filter it all. For example, if you want to detect a hacker copying data, it is very difficult with an IDS or IPS. The only route is to correlate the server log files across systems and look for anomalies."

The filtering and analysis is where those techniques developed on the business side come in, he adds.

"We also use the OLAP cube concept and do predictive management - it is applying BI tools to security and systems data. All the information you need is hidden in your log files, but that's terabytes these days. Log files are a ridiculous amount of data, so you have to have an automated solution to go through them."
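As an added illustration of the converged correlation Weigel describes (the Sasser symptoms showing up in several feeds at once, and the common-format normalisation that SEM tools perform), the following Python is not NetIQ's code or anything from the interview: it normalises constructed sample lines from three hypothetical feeds (systems monitoring, IDS, firewall) into one common record and flags any host that produces events in more than one feed within a short window. The log formats, host names, signature name and IP-to-host mapping are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines, one (hypothetical) format per feed: systems
# monitoring, IDS and firewall. Dates/IPs/hosts are made up for illustration.
SAMPLE_LOGS = [
    ("sysmon", "2004-05-01T10:00:05 host=ws17 cpu=97"),
    ("ids",    "2004-05-01T10:00:40 ALERT sig=LSASS-overflow src=10.0.0.17"),
    ("fw",     "2004-05-01 10:01:02 DROP 10.0.0.17 -> 10.0.0.88:445"),
    ("fw",     "2004-05-01 10:01:03 DROP 10.0.0.17 -> 10.0.0.89:445"),
    ("sysmon", "2004-05-01T10:30:00 host=ws22 cpu=91"),  # one feed only
]
# Constructed asset mapping, the kind of data a converged tool keeps in its CMDB.
HOST_BY_IP = {"10.0.0.17": "ws17", "10.0.0.22": "ws22"}

PARSERS = {  # one regex per feed, each yielding named groups for normalise()
    "sysmon": re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) cpu=(?P<cpu>\d+)"),
    "ids":    re.compile(r"(?P<ts>\S+) ALERT sig=(?P<sig>\S+) src=(?P<ip>\S+)"),
    "fw":     re.compile(r"(?P<date>\S+) (?P<time>\S+) DROP (?P<ip>\S+) -> \S+"),
}

def normalise(source, line):
    """Turn one raw line into the common record {ts, host, source, detail},
    or None when the line does not parse or is below the alerting threshold."""
    m = PARSERS[source].match(line)
    if not m:
        return None
    g = m.groupdict()
    if source == "sysmon" and int(g["cpu"]) < 90:
        return None  # normal CPU load is not an event
    ts = datetime.fromisoformat(g.get("ts") or f"{g['date']}T{g['time']}")
    host = g.get("host") or HOST_BY_IP.get(g["ip"], g["ip"])  # resolve IP
    return {"ts": ts, "host": host, "source": source, "detail": g.get("sig") or line}

def correlate(logs, window=timedelta(minutes=5), min_sources=2):
    """Return {host: feeds} for hosts seen in >= min_sources feeds inside one window."""
    events = [normalise(src, line) for src, line in logs]
    by_host = defaultdict(list)
    for e in sorted((e for e in events if e), key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    flagged = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):  # slide a window over this host's events
            group = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in group}
            if len(sources) >= min_sources:
                flagged[host] = sorted(sources)
                break
    return flagged
```

On the sample data `correlate(SAMPLE_LOGS)` flags only `ws17`, which shows up in all three feeds within a minute, while `ws22` (a CPU spike with nothing to corroborate it) is left alone; raising `min_sources` or shrinking `window` tightens the rule.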

Weigel says that NetIQ - which is far from being the only company working in this area - came into it from the configuration, audit and alerting point of view. Its technology evolved and regulatory compliance came along, and all of a sudden security management jumped towards the top of business priority lists.

He adds that while IT managers take compliance and security seriously, a survey by NetIQ earlier this year suggested that most of them think that their board-level superiors are merely paying lip-service to it - and he says that BI-type tools could help here.

"IT tends to talk about the technical aspects of security, but the business manager needs to understand the risk they're running," he says. "That gets you into predictive management, and while most companies do that for systems management, very few do it from the security point of view."

He suggests that IT managers need to learn how to explain the security risks in financial and business terms, so they can explain that "the cost [of security] is ridiculously small compared to the cost of a breach."

They also have to bring the way their departments work into line with other parts of the business, he says, for example by acquiring management and reporting tools that "connect people to processes" by turning IT activities into workflows. Not surprisingly, NetIQ sells exactly that, in the shape of its Vigilant Policy Centre.

"Systems management traditionally has well-defined workflows," he says. "The challenge is making sure those are followed and are auditable."