Enterprises look for help managing security logs

Managed security services have been growing in popularity over the past several years, and the latest task enterprises are looking to offload to an outside provider is security information management.

SIM equipment can centralize event and log management information from security devices and computers, but the drawbacks to its use include up-front costs, complex installations and hiring the expertise to manage it. Increasingly, another way to get the benefits of SIM is through a managed service, a trend that Gartner says is really starting to roll.

SIM as a managed service only started to gain momentum within the past two years, largely due to compliance mandates such as the Payment Card Industry (PCI) data security requirements, says Gartner analyst Kelly Kavanagh. (SIM is sometimes referred to as security information and event management, or SIEM.)

Managed SIM options range from as simple as centralizing log collection and reporting, to as complex as event correlation and round-the-clock security-event monitoring. Though Gartner is only now starting to build an estimate of market size -- it's probably less that $US100 million today -- players that offer SIM as a managed service are said to include SecureWorks, Tata, IBM, AT&T, BT, Verizon Business, Symantec and Trustwave, among others.

With SIM as a managed service, "they're really talking about managing the log infrastructure for the company, taking the logs for a compliance regimen," Kavanagh says. Occasionally SIM as a managed service will entail "complex correlation, perhaps related to network alerts from firewalls and switches, information that may seem to be related," he notes, and a service might provide an analyst to monitor events round the clock.

Businesses that bet on managed SIM services say they are finding it can be a cost-effective way to quickly get the benefits of SIM without the up-front cost of equipment.

"We looked at doing it in-house, but for us, it didn't make sense," says Cameron Pumphrey, director of IT at restaurant chain Fuddruckers. The company directly manages IT for more than 100 of its corporate restaurants, plus keeps track of PCI-related compliance matters for about 160 franchises which operate more independently.

Not only did the up-front costs of doing it in-house seem high -- SIM equipment can easily reach into the half-million dollar range -- but also Fuddruckers realized it would have to hire SIM experts to make it all work.

Largely based on information gleaned from conversations with peers, just over a year ago Pumphrey decided to try SIM as a managed service, selecting Trustwave to monitor about 500 log files at least once daily on behalf of Fuddruckers, triggering an alarm if suspicious events arise.

"Trustwave has a box we put in here," Pumphrey says, and logs are centralized and sent to Trustwave's data center via secure connections. Fuddruckers had to ensure its restaurants have sufficient bandwidth to support SIM as a service. But so far, it's worked well for PCI compliance purposes -- with Fuddruckers assuming a monthly cost based on numbers of software agents deployed as collectors.

Page Break

"We see ourselves as a managed alternative to what customers might want to do themselves with ArcSight or Q1 Labs," says Dan Schleifer, senior product manager for managed security services at Trustwave, referring to two well-known SIM product vendors.

But Trustwave has essentially written its own SIM code, offering three basic tiers of service: a hosted SIM with automated alerting and processing; a daily analysis of what happened that day, with written reports; and real-time analysis of events, with "eyes on the screen."

Schleifer says for two years, SIM-as-a-service was merely a small "pocket area" for Trustwave, but is now "its fastest-growing managed service." One main driver is certainly rule No.10 in the PCI Data Security Standard, which requires not only log collection but also "a minimum once a day, you review those logs," he points out.

Some SIM managed service providers build their offerings based on SIM products from equipment vendors. That's the approach that service provider FishNet is taking, according to CEO Gary Fish.

"The service is built around the RSA EnVision and Q1 Labs," says Fish. The customer typically pays about $US220,000 per year, largely based on the numbers of events recorded per second, though there may be other fees, too.

SIM-as-a-service is still a very small part of what FishNet does, but half a dozen customers, including St. Louis-based Arch Coal, the second largest U.S. coal producer, have signed up for SIM as a managed service. Tom Turner, vice president of marketing and sales at Q1 Labs, says it's comfortable partnering with a managed service provider such as FishNet, viewing the relationship "as potentially offering us a broader market."

SecureWorks is regarded by Gartner as a "pure play" SIM managed service provider, as opposed to a global service provider that offers SIM among a wider menu of services. The security firm is a veteran in the business, having started about a decade ago.

Rick Talford, vice president of product management at the Atlanta-based security services provider, says its charges are based on per-device per-month fees, which vary from $US25 per server to a few hundred dollars for a large firewall. SecureWorks supplies a "listener" appliance for the customer premise to aggregate information and transmit it to the SecureWorks security operations center.

The customer can use a Web-based portal for reporting and periodic reviews, and some customers want real-time visibility into threats and events and full-blown monitoring. About 2,600 separate businesses use these SIM services. Roughly 60% are from the financial industry, with the remainder from healthcare, retail and government industries, according to SecureWorks.