Vericept

Jan 5 2008   7:40PM GMT

Digging into the DCAB 6 functional areas: Security and Protection

Posted by: Ryan Shopp
DataCenter, Reconnex, NetForensics, LogLogic, ArcSight, EMC, Ecora, Skybox Security, Tripwire, nCircle, Vericept, Configuresoft, HP Software, IBM Tivoli, Symantec

The massive number of security management vendors make simply covering this portion of the DCAB a very intimidating task. So many technology approaches and different data center technology focuses (e.g., networks vs. system vs. applications etc). I’ve attempted a first pass at sub-dividing this functional area. I know that do to it’s vastness, I’m going to miss tons of vendors I already know about and also stretch the categories a little in my attempt to limit the number of sub-divisions.

Proactive Identification (proactive searching for a potential exposure point that could become a situation) which includes:

• IP Scanning - query remotely that simply requires IP address to gather information and determine if their is a potential condition of concern. Vendors include: eEye, nCircle, Nessus, Qualys, McAfee, Rapid7
• Configuration/Settings Auditing - query remotely (using credentials) or having an agent on the system to take a more details look at the configuration files, etc. Vendors include: ConfigureSoft, Ecora, nCircle, Tripwire, Solidcore, Skybox Security
• Penetration Testing - remote query attempts to actually expose or harm a data center resource. Vendor include: Core Security, HP (former Spi Dynamics), IBM (former Watchfire), Imperva, Mu Security, BreakingPoint Systems

Reactive Identification (reactive, collecting of events or watching data flows to identify a condition or re-occuring trend)

• Security Event Consolidation (aka. SEM) - unified view of events from a variety of sources with the hope that you can quickly identify a problem and resolve it sooner after it occurred, or seeing something that tells you that problem may be about to happen. Vendors include: ArcSight, NetForensics, EMC/RSA
• Information Archival & Reporting (aka. SIM) - archiving and then the analysis and mining of all that event data to identify a re-occurring situation that could be resolved. This archive is also a great resource for reporting certain compliance situation to auditors. Vendors include: ArcSight, NetForensics, LogLogic
• Data Leakage - monitoring activities or traffic flows to identify if sensitive information is being . Vendors include: EMC/RSA (Tablus), Reconnex, Symantec (Vontu), Vericept

Alright, that will have to do for now. Identity & Access Management is a whole other area but this will have to do for now. Wow, I’m really starting to realize that this DCAB was biting off more then I could honestly chew Hopefully, it will prove helpful to someone out there. When I do start to make updates the best way to manage that may be moving this to a wiki.

Quick status check, I’ve now taken a first pass on 4 of the 6 functional areas (and most of them require/deserve a return visit sometime soon). Each functional area alone probably could/would be topic enough for an individual blogger (any volunteers). I’ve also had some great recent conversations with people on virtualization, process orchestration and resource reconciliation that i’m eager to talk about. So as I’ve stated before, comments are open for anyone and everyone to add thoughts and commentary. Which vendors did I miss, what capabilities/functions did I miss as we monitor the security in our data center.