Call for increased automation of security

28 Apr 2006

There is a growing need for businesses to use automated tools that can make sense of the volumes of information that security systems provide about an organisation’s network, a network specialist has warned.

Andrew O’Kelly, technical director of Lan Communications, a division of Eircom, said that the problem has been that until now it takes skilled staff to interpret the reams of data that devices on the network typically produce.

“Most customers have devices but are struggling with the huge amount of log activity that is generated,” said O’Kelly, warning about the danger of ‘alarm apathy’. “There could be lots of pertinent information but it could be somewhere among thousands or millions of logs per day. You need to look at unusual traffic which could be pointing to a probe on your network by an external third party.”

However, skilled staff are hard to find and retain and it is arguably not the best use of resources to have them poring over log files, O’Kelly said. “The best people you have are clearly going to be more interested in projects that use bleeding-edge technology rather than day-to-day operational management issues. It’s like trench warfare: you could be sitting there for weeks on end and nothing happens, then you have a hectic 10 minutes at the end of which you might be dead. Operational management issues such as security can be a bit like that.”

The advantage of automating the task of monitoring the logs more actively is that a company can become more aware of what its normal baseline network traffic should be. “What you want the automation to do is to put the knowledge in the hands of people who are maybe less skilled,” said O’Kelly. “It could potentially be a managed service, where the service provider has the skills and resources and reporting tools.”

According to O’Kelly there are several tools on the market that could fit the bill, such as Stealthwatch from Lancope, Cisco’s Mars product and Netflow, from the Irish firm Crannog Software.

One customer which is an early adopter of a monitoring tool was able to identify network activity which was not sinister but nonetheless showed that some people were acting in breach of company security policy, said Kelly. “It’s yielded significant benefits.”

The market for tools like this is set to grow, he added, as it is linked to the ever-expanding compliance culture. “With regulatory compliance, not only should you be on top of the security issues you have but you’ve got to be seen to be on top of the issues,’ he said.

With pressure coming on many companies to be audited some businesses will have to show that they acted on any network alerts they received. “Or you use tools or a managed service to minimise the pain,” added O’Kelly.

By Gordon Smith