Security Information Management Systems: Solution, or Part of the Problem?

Bruce Schneier
IEEE Security & Privacy
September/October 2004

We in the computer security industry are guilty of over-hyping and under-delivering. Again and again, we tell customers that they need to buy this or that product in order to be secure. Again and again, customers buy the products and are still not secure.

Firewalls didn't keep out network attackers, and ignored the fact that the notion of "perimeter" is severely flawed. Intrusion detection systems didn't keep networks safe, and worms and viruses do considerable damage despite the prevalence of anti-virus products. Intrusion prevention systems are being hyped as the new solution, but we all know that they won't prevent intrusions.

The problem isn't with the products. In theory, most of them work just fine. The problem is that they're rarely installed and maintained properly, and that the overall risks are much larger than the small subsets the products solve.

It's in this context that I want to evaluate Security Information Management Systems, or SIMS. SIMS promise to solve a very serious network security problem: the problem of log analysis.

Computer logs are a goldmine of security information. Not just IDS alerts, but log messages from firewalls, servers, applications, and other network devices. Every day your network produces megabytes of these logs, and hidden amongst them are footprints of attack. The trick is finding them, and reacting to them fast enough.

If you've brought in a forensics team to clean up after an attack, you know how this works, because what that team does is analyze the log messages and figure out what the attacker did: how he broke in, what he accessed, what back doors he added, etc. The idea behind log analysis is that if you can read the log messages in real time, you can figure out what the attacker is doing. And if you can respond fast enough, you can kick him out before he does damage. It's security detection and response. It's really smart. Log analysis works, whether you use a SIMS or not.

Even better, it works against a wide variety of risks. Unlike point solutions, security monitoring is general. Log analysis can detect attackers regardless of their tactics.

But SIMS don't live up to the promise, because they're missing the same essential ingredient that so many other computer security products lack: human intelligence. Firewalls often fail because they're configured and maintained improperly. IDSs are often useless because there's no one to respond to their alerts, and no one to separate the real attacks from the false alarms. SIMS have the same problem: unless there's a human expert sitting in front of them, they're not defending anybody. The tools are only as good as the people using them.

SIMS require vigilance: attacks can happen at any time of the day and any day of the year. Staffing for security expertise 24 hours a day and 365 days a year requires five full-time employees; more, if you include supervisors and backup personnel with more specialized skills. Even if an organization could find the budget for all of these people, it would be very difficult to hire them in today's job market. And attacks against a single organization don't happen often enough to keep a team of this caliber engaged and interested.

Back in 1999, I started a company called Counterpane Information Security, Inc. We sell a service that came to be called Managed Security Monitoring. The idea is that we would have trained security analysts monitoring IDS alerts and log messages. Because of both the information they received from the network--in real time--and their training and expertise, they would be able to detect attacks in progress and provide customers with a level of security they were incapable of achieving otherwise.

When building the Counterpane monitoring service, we looked at log monitoring appliances from companies like Intellitactics and e-Security. Back then, they weren't anywhere near good enough for us to use, so we developed our own proprietary system. And today, because of the caliber of the human analysts who use the Counterpane system, it's much better than any commercial SIMS. We were able to design it with our expert detection-and-response analysts in mind, and not the general sysadmin market.

That sums up both the benefit and the challenges for SIMS. The key to network security is people, not products. Piling more security products onto your network won't help. And you can't afford the people. This is why I believe that eventually network security will be outsourced--all of it. There's no other cost-effective way to reliably get security.
