Policy Integration
One of the more interesting features that SIM vendors have been adding is the integration of policies into their products.
Most SIM vendors have been integrating technical policies into the product to provide rapid response to network attacks: the SIM detects an attack and sends a policy update request to a device or application in order to block or mitigate it, all in real time. The obvious caveat is that an automated push is only as good as the detection that triggered it; a false positive that blocks a legitimate address becomes a self-inflicted outage.
A recent integration example is between Guardednet and Solsoft.
I think there's more that we can do with the integration. "A Quantitative Study of Firewall Configuration Errors", which I found via a blog by Martin McKeay, showed that the more complex the rule set, the more configuration errors it contains.
One of the things we can do is use the log data generated by the devices to verify that the technical policies themselves don't have security issues. For example, if a firewall policy accidentally (or someone deliberately) allowed incoming telnet connections, then upon seeing such a connection in the logs a SIM product can identify the device that has the faulty rule and recommend a correction. The key is that an ACCEPT event in the log is evidence of what the policy actually permits, independent of what the rule set was supposed to say.
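The check described above, written out as an added example (this is not code from the original post or from any SIM vendor). It goes one step beyond the telnet case: every inbound ACCEPT from an external address is compared against a declared per-device list of permitted services, so any unexpected service is reported, not just telnet. The key=value log format, the device names, the policy table and the log lines are all constructed for the example.

```python
"""Audit firewall ACCEPT events against a declared inbound-services policy.

Added example: a hypothetical key=value firewall log format is assumed, and the
policy, device names and log lines below are constructed, not taken from any product.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed technical policy: inbound services each firewall is supposed to
# allow from the Internet. Any other inbound ACCEPT is a policy error.
POLICY = {
    "fw-edge-1": {"tcp/80", "tcp/443"},
    "fw-edge-2": {"tcp/22"},
}

# Address ranges treated as internal; traffic originating here is out of scope.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Friendly names for services worth calling out by name in a recommendation.
SERVICE_NAMES = {"tcp/23": "telnet", "tcp/21": "ftp", "udp/161": "snmp"}

# Constructed sample log lines (hypothetical format), including one garbage line.
SAMPLE_LOGS = """\
2009-03-02T10:15:01Z device=fw-edge-1 action=ACCEPT proto=tcp src=203.0.113.7 dst=10.0.0.5 dport=443
2009-03-02T10:15:03Z device=fw-edge-1 action=ACCEPT proto=tcp src=198.51.100.9 dst=10.0.0.5 dport=23
2009-03-02T10:15:04Z device=fw-edge-1 action=DROP proto=tcp src=198.51.100.9 dst=10.0.0.6 dport=23
2009-03-02T10:15:09Z device=fw-edge-2 action=ACCEPT proto=tcp src=10.0.1.4 dst=10.0.0.7 dport=23
2009-03-02T10:15:12Z device=fw-edge-2 action=ACCEPT proto=udp src=198.51.100.20 dst=10.0.0.8 dport=161
this line is garbage and should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    return fields


def is_external(ip):
    """True when the address is outside every internal range (raises on bad input)."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit(log_text, policy=POLICY):
    """Return {device: [finding, ...]} for inbound ACCEPTs the policy does not permit."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("action") != "ACCEPT":
            continue  # only accepted traffic can reveal an over-permissive rule
        try:
            if not is_external(ev["src"]):
                continue  # internal-origin traffic is outside this policy
        except (KeyError, ValueError):
            continue  # missing or malformed address: skip rather than guess
        service = f"{ev['proto']}/{ev['dport']}"
        allowed = policy.get(ev["device"], set())  # unknown device: nothing is permitted
        if service not in allowed:
            name = SERVICE_NAMES.get(service, service)
            findings[ev["device"]].append({
                "ts": ev["ts"],
                "service": service,
                "name": name,
                "src": ev["src"],
                "dst": ev["dst"],
                "recommendation": (
                    f"Remove or tighten the rule on {ev['device']} that accepts inbound "
                    f"{name} ({service}); policy permits only {sorted(allowed)}"
                ),
            })
    return dict(findings)


if __name__ == "__main__":
    for device, items in audit(SAMPLE_LOGS).items():
        for f in items:
            print(f"{f['ts']} {device}: inbound {f['name']} from {f['src']} to {f['dst']}")
            print(f"  -> {f['recommendation']}")
```

Run against the sample, the audit flags fw-edge-1 for the accepted inbound telnet and fw-edge-2 for accepted SNMP from an external address; the DROP of telnet and the internal-origin telnet session are correctly ignored. A real deployment would read the policy from the device configuration rather than a hand-written table, and would want a follow-up check that the flagged rule actually exists (a NAT or VPN hop can make an internal source look external).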
Taking an extra step, a SIM product could also integrate with a business policy product to verify that the technical policies conform to the business policies, not just that they are internally consistent.
In order to provide additional operational intelligence, log analysis products need to expand their capabilities. Policy integration is just one step towards that goal.
