Security event and information management appliances that were originally designed to help IT managers identify and deal with network threats are now finding new uses as regulatory compliance reporting tools within a growing number of companies.

The trend is being driven by the ability of such products to capture and correlate the torrents of log data generated by security devices, networking equipment, and database and application servers, IT managers and analysts said this week.

"A large percentage of the customers we're speaking with originally purchased these tools for aggregating and correlating security data," said Amrit Williams, an analyst at Gartner Inc. "Now they're telling us that they're using (the devices) for regulatory compliance."

For example, Calpine Corp., a San Jose-based power producer, purchased a security event management appliance from Network Intelligence Corp. in Westwood, Mass., to manage the log data generated by its firewalls. Calpine later connected its other security devices and its routers and switches to the appliance, said Sean Curry, the company's infrastructure engineering manager.

Then the company realised that the appliance could gather and normalize log information from its Windows and Unix application servers without requiring agents to be installed on those systems, Curry said. That has made it ideal for compliance reporting, he noted.
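To make "gather and normalize" concrete, the following is an added illustration written for this page; it is not Network Intelligence's code or anything Calpine ran. It assumes the agentless path is plain syslog forwarding from each host (BSD-format lines, which carry no year, so the year is supplied as an assumption) and parses three constructed source types, a firewall, a Unix sshd log and a Windows Security log forwarded as syslog, into one common record so that a single auditor-style report can be run across all of them. Lines the parsers do not recognize are kept with a source_type of "unknown" rather than dropped, so gaps in collection stay visible.

```python
"""Toy agentless log normalizer (illustrative example, not a vendor product).

Five constructed syslog lines stand in for the kinds of sources the article
describes. Each line is parsed into the same schema so one report can be
run across firewall, Unix and Windows events alike.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample input, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    "<134>May  3 09:14:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445",
    "<38>May  3 09:14:05 unix01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52110 ssh2",
    "<38>May  3 09:14:09 unix01 sshd[2214]: Accepted publickey for alice from 198.51.100.4 port 52120 ssh2",
    "<110>May  3 09:14:12 win01 Security: EventID=4625 User=bob Status=Failure Workstation=WS-17",
    "<110>May  3 09:14:20 win01 Security: EventID=4624 User=carol Status=Success Workstation=WS-03",
]

# BSD syslog envelope: <PRI>TIMESTAMP HOST TAG: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# Per-source message grammars (assumed formats for the constructed samples).
SSH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WIN_RE = re.compile(r"EventID=(?P<eid>\d+) User=(?P<user>\S+) Status=(?P<status>\w+)")
FW_RE = re.compile(r"^(?P<action>ACCEPT|DROP) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")


def normalize(line, year=2005):
    """Return one common-schema record for a raw syslog line, or None if it is not syslog.

    `year` is an assumption: BSD syslog timestamps carry no year, so the collector
    must supply one (normally the year of receipt).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    rec = {
        "ts": ts.isoformat(),
        "host": m.group("host"),
        "facility": pri // 8,   # syslog PRI = facility * 8 + severity
        "severity": pri % 8,
        "source_type": None, "event": None, "outcome": None,
        "user": None, "src_ip": None,
    }
    tag, msg = m.group("tag"), m.group("msg")
    if tag == "kernel" and (fm := FW_RE.match(msg)):
        rec.update(source_type="firewall", event="connection",
                   outcome="allowed" if fm["action"] == "ACCEPT" else "blocked",
                   src_ip=fm["src"])
    elif tag.startswith("sshd") and (sm := SSH_RE.match(msg)):
        rec.update(source_type="unix_auth", event="logon",
                   outcome="success" if sm["result"] == "Accepted" else "failure",
                   user=sm["user"], src_ip=sm["ip"])
    elif tag == "Security" and (wm := WIN_RE.search(msg)):
        rec.update(source_type="windows_security", event="logon",
                   outcome="success" if wm["status"] == "Success" else "failure",
                   user=wm["user"])
    else:
        # Keep unrecognized lines so coverage gaps show up in reports.
        rec.update(source_type="unknown", event="raw")
    return rec


def failed_logons_by_user(records):
    """Auditor-style report: failed logons per user, regardless of source type."""
    return Counter(r["user"] for r in records
                   if r["event"] == "logon" and r["outcome"] == "failure")


def run(lines=SAMPLE_LINES):
    """Normalize every line and drop only those that are not syslog at all."""
    return [r for r in (normalize(l) for l in lines) if r is not None]


if __name__ == "__main__":
    recs = run()
    for r in recs:
        print(r["ts"], r["host"], r["source_type"], r["event"], r["outcome"], r["user"])
    print("failed logons:", dict(failed_logons_by_user(recs)))
```

The point of the common record is that the report function never needs to know whether a failed logon came from sshd or from a Windows 4625 event; the per-source regexes are the only part that changes when a new device type is connected.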

Calpine began using the appliance to collect information from the servers in January as part of an effort to streamline its Sarbanes-Oxley Act compliance efforts. Curry said the appliance now handles an average of 2,200 log items per second altogether.

Adding to its appeal are functions that let Calpine's internal auditors directly generate the reports they need without involving systems administrators. "We've been able to delegate the logs out of the systems administrator's control," Curry said.

Catholic Healthcare Partners, a large health care system based in Cincinnati, is deploying a similar device made by Intellitactics Inc. in Reston, Va., to manage log data from more than 2,000 servers spread across its 10 operating regions and two data centers.

"If I spent five minutes per day looking at the logs from each system, it would take me 20 man-days per day to look at everything. It was just too unreasonable," said Tim Harrison, information security officer at Catholic Healthcare.

But the Health Insurance Portability and Accountability Act mandates that companies demonstrate that they have the necessary controls in place for protecting sensitive data. Harrison said the Intellitactics appliance will eventually help Catholic Healthcare deal with roughly 100 million log items every day, including data gathered from all of the company's myriad security devices.

The appliance is expected to allow security teams and systems administrators to get detailed views of log information pertaining to their specific domains, he said. In addition, the company's auditors should be able to specify the kind of data they need to see for compliance purposes.

Two-pronged approach
Michael Gabriel, corporate IT security manager at Hoffman Estates, Ill.-based Career Education Corp., a US$1.73 billion provider of post-secondary education, said there are two aspects to auditing internal controls on end user access to systems and data.

"There's the part that deals with the collection of the data, and there's the part that deals with the mining of the data for useful information," Gabriel said. "If you aren't doing the first one right, the second doesn't matter."

Career Education is using a product from Edison, N.J.-based NetForensics Inc. to collect about 6 million log items per day from its systems. The technology has "put us in a position where we can demonstrate we have all the needed controls," Gabriel said.

"The ability of these tools to centralize reporting capabilities is one of their chief values from an auditing and compliance standpoint," said Scott Crawford, an analyst at Enterprise Management Associates Inc. in Boulder, Colorado.

Gartner's Williams noted that the technology's support for collecting information from virtually any source has made it ideal for monitoring activity on sensitive systems such as accounting and human resources.

User demand sparks vendor changes
The increasing use of security event and information management appliances for regulatory compliance reporting is prompting some vendors to tweak their product development and marketing strategies.

This week, for instance, San Jose-based NetIQ Corp. announced compliance-oriented versions of its security event management products. Its Security Compliance Suite comes in two flavours and features a new log-management component and templates designed to help companies assess and report on their compliance with laws such as the Sarbanes-Oxley Act, HIPAA and the Gramm-Leach-Bliley Act.

In March, Network Intelligence upgraded its enVision security event management suite with a new compliance-reporting dashboard and functions for gathering log information from a wider set of sources, including IBM's older OS/390 mainframes and AS/400 systems and Web servers that run Microsoft Corp.'s Internet Information Services software.

Market forces are driving the changes, said Jim Melvin, vice president of marketing at Network Intelligence. The tools were once used purely for collecting information from firewalls and intrusion-detection systems to support IT security efforts, Melvin said. But over the past two quarters, demand from security users has been matched by interest from companies looking to use the products for compliance reporting, he said.

Pam Casale, vice president of product management at Intellitactics, said the company added features for automating log monitoring and reporting in April after it also started seeing increasing demand for such capabilities.

"It's changing the way we develop products," said Tom Foladare, senior director of business development at NetForensics. "Now we worry about asset groups and business processes and being able to take every server that is dealing with a SOX issue and put them into different groups."