Page 555 - Handbook of Modern Telecommunications

4-86                    CRC Handbook of Modern Telecommunications, Second Edition

•   Security platform deployment and ensuring secure communications between partners
•   Streamlining services for partners
•   Streamlining management and administration for partners
•   Unifying and simplifying metrics for all IT-related functions
•   Supervising service-level management, including SLAs
•   Professional partnership relationship management
•   Professional contract management
•   Professional collaboration management
•   Ensuring the high quality of services to all partners
•   Leading business process automation
•   Arbitration of disputes
•   Defining a collaborative data retention strategy
            4.5.2.3  Security Frameworks of Governance
Service providers rely on a variety of security products including firewalls, intrusion detection systems, vulnerability assessment tools, antivirus applications, Web applications, operating systems, and networking devices, to monitor, investigate, and report on the many types of security issues that are experienced each day. Typically, these devices come from many vendors, as organizations seek best-of-breed products. But because each device type and vendor has its own message, log, and console format, as the security infrastructure is built out, it becomes increasingly difficult to understand, interpret, and correlate the output of individual or even groups of devices and get a complete picture about threat profiles.
To obtain maximum value from these heterogeneous devices, they must be assembled into a framework that provides the necessary intelligence and tools to deal with a very large number of messages, events, alarms, and alerts per day. Security management frameworks provide a consolidated component set that collects security data from the network, puts it in a common format, stores it in a database, and executes a range of analysis, display, response, and reporting tasks.
A security management framework consists of software agents, server-based managers, and consoles. Agents can be deployed on the security devices, network devices, and applications that report security events at aggregation points or as listening posts for SNMP broadcast. The agents forward the data to server-based managers that consolidate, filter, and cross-correlate the events, using a rules engine and a central database. These managers report relevant information to consoles, where security experts monitor events, receive notifications, and perform incident investigation and response management. Consoles are available as applications for dedicated workstations or via a browser-based interface for remote access.
Real-time correlation is the key element in an effective security management framework, because it automatically examines and analyzes millions of events per day. It works by reading the original event, alarm, or alert, parsing it into its individual fields, and putting those fields into a common format, or schema. These messages, forwarded by the collection component, are then assigned a proper priority level; real-time correlation assigns it by combining the threats that the firewall or intrusion detection system identifies with information about the targets, or assets. The correlation system contains a rule set that scores the threats according to the answers to the following questions:
              •   What else has occurred?
              •   Is the asset vulnerable?
              •   How valuable is the asset?
Because the point of all this is to take the right action at the right time, service providers can set up policies to govern both automated responses and responses acted on by subject matter experts. These rules may, for example, group events, alarms, and alerts related to lawful intercepts together and assign the highest priority to them. In other words, assets with lawful intercept functions will get the highest value.
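The pipeline described in this section, from vendor-specific messages to a common schema and then through a correlation rule set that scores each event on the three questions above and applies the lawful-intercept priority policy, is shown below as an added example. It is not code from the handbook or from any vendor's framework: the two message formats, the asset inventory, the scoring weights, and the priority thresholds are all constructed assumptions chosen to illustrate the idea.

```python
"""Toy security management pipeline (added example, not from the handbook).

Stage 1: normalize heterogeneous device messages into one common schema.
Stage 2: correlate events per (source, target) pair and score each against
an asset inventory using the three questions from the text, then apply a
policy that lawful-intercept (LI) assets always get the highest priority.
All formats, assets, weights and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample messages in two invented vendor formats
# (a firewall deny log and an IDS alert line).
RAW_EVENTS = [
    'fw1|2024-01-01T10:00:00|DENY|src=203.0.113.5|dst=10.0.0.10|dport=22',
    'fw1|2024-01-01T10:00:05|DENY|src=203.0.113.5|dst=10.0.0.10|dport=23',
    'IDS 2024-01-01T10:00:07 ALERT sig="SSH brute force" 203.0.113.5 -> 10.0.0.10',
    'IDS 2024-01-01T10:00:09 ALERT sig="SSH brute force" 203.0.113.5 -> 10.0.0.40',
]

# Constructed asset inventory: known-vulnerable flag, business value (1-10),
# and whether the asset carries lawful intercept functions.
ASSETS = {
    '10.0.0.10': {'name': 'li-mediation', 'vulnerable': True,  'value': 8, 'lawful_intercept': True},
    '10.0.0.40': {'name': 'web-portal',   'vulnerable': False, 'value': 5, 'lawful_intercept': False},
}
UNKNOWN_ASSET = {'vulnerable': False, 'value': 1, 'lawful_intercept': False}

FW_RE = re.compile(r'^(?P<device>\w+)\|(?P<ts>\S+)\|(?P<action>\w+)\|'
                   r'src=(?P<src>\S+)\|dst=(?P<dst>\S+)\|dport=(?P<dport>\d+)$')
IDS_RE = re.compile(r'^IDS (?P<ts>\S+) ALERT sig="(?P<sig>[^"]+)" (?P<src>\S+) -> (?P<dst>\S+)$')


def normalize(line):
    """Parse one vendor-specific line into the common schema; None if unknown."""
    m = FW_RE.match(line)
    if m:
        return {'source': 'firewall', 'time': m['ts'], 'src': m['src'], 'dst': m['dst'],
                'event': f"{m['action'].lower()} port {m['dport']}"}
    m = IDS_RE.match(line)
    if m:
        return {'source': 'ids', 'time': m['ts'], 'src': m['src'], 'dst': m['dst'],
                'event': m['sig']}
    return None  # unparseable lines are dropped rather than guessed at


def score(event, related_count, assets=ASSETS):
    """Apply the three correlation questions; return (score, priority)."""
    asset = assets.get(event['dst'], UNKNOWN_ASSET)
    s = min(related_count, 5)        # What else has occurred? (capped at 5)
    if asset['vulnerable']:
        s += 5                       # Is the asset vulnerable?
    s += asset['value']              # How valuable is the asset?
    if asset['lawful_intercept']:
        return s, 'P1'               # Policy: LI assets always get top priority
    return s, 'P1' if s >= 12 else 'P2' if s >= 6 else 'P3'


def correlate(lines):
    """Normalize, group by (src, dst) pair, and score every event."""
    events = [e for e in map(normalize, lines) if e]
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e['src'], e['dst'])].append(e)
    results = []
    for e in events:
        related = len(by_pair[(e['src'], e['dst'])]) - 1  # other events on same pair
        s, p = score(e, related)
        results.append({**e, 'score': s, 'priority': p})
    return results


if __name__ == '__main__':
    for r in correlate(RAW_EVENTS):
        print(f"{r['priority']} score={r['score']:2d} {r['source']:8s} {r['src']} -> {r['dst']}: {r['event']}")
```

With the constructed input, the three events aimed at the lawful-intercept mediation host score 15 and are forced to P1 by policy, while the single alert against the non-vulnerable web portal scores 5 and lands at P3. The point is the separation of concerns: the parsers know only about message formats, the rule set knows only about the common schema and the asset inventory, so adding a new device type touches one regex rather than the scoring logic.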