How One Company Deals with Information Overload

A major midwest company used to have so much information coming off its firewalls and intrusion detection systems that IT couldn't possibly make sense of it. Here's how they fixed the problem...
With 68 firewalls and seven gigs a day of security reports to wade through, the senior network administrator of a $1.8 billion holding company was in over his head when it came to knowing what was happening on his network.

His firewall logs alone were stacked so deep that it easily took him eight hours to consolidate the information he needed after a single security incident.

''I'd have to dig through old logs and write my own queries and then examine the results,'' says Timothy Guy, senior network administrator for the midwest-based enterprise, which owns multiple manufacturing companies (and declined to be named in this story). ''It was extremely time-consuming. To look at one cross-section of 20 minutes of log files would take six hours to get a forensics statement. It's too late by then. You're always playing catch-up. What's happened in the next hours has already taken place so you're telling your bosses what happened and not what's happening. It's embarrassing.''

To better analyze the reams of information coming at him and to help stop network intrusions, Guy implemented security event management software from eIQnetworks, Inc., an Acton, Mass.-based security company. Enterprise Security Analyzer V2.1 scans the information coming in from Guy's firewalls and intrusion detection systems, looking for unusual patterns that might indicate a malware or hacker attack, or even a corporate user who is breaking the rules from the inside.

''If you don't know what's happening across your gateways, it's very dangerous,'' said Guy in an interview with Datamation. ''People can be coming in and doing things and you don't even know it. A firewall or intrusion detection device is only useful if you can get the information to a central location.

''You have technology that defends against attacks but unless you have the knowledge of when it's occurring, what's occurring and where it's coming from, it doesn't do you any good,'' he adds. ''We went from taking six hours to look for a security event down to under a couple minutes. It means we're able to be aware of what's happening. If you don't have the information, you can't do anything.''

And this major holding company isn't the only one turning to event management software.

Nick Selby, an enterprise security analyst with The 451 Group, Inc., an industry research firm based in New York City, says the market is 'exploding'. And he only sees it continuing to grow.

''There are a lot of products on the network gathering information and you need something to shove all of that information into a box so you can look at it meaningfully,'' says Selby, adding that eIQnetworks' solution is getting quite a bit of attention for being far cheaper than many of its competitors. ''Without a product like this, it's impossible if you're looking at a mid-size and up company... This specific technology is critical now.''

But consolidating an unwieldy amount of information isn't the only benefit -- not in a time of increased regulation.

''With regulations like Sarbanes-Oxley and HIPAA in place, there's the idea that you're going to have to show that you have technical controls,'' Selby notes. ''You can't just be in compliance. You've got to be able to prove it. But above that, it would be nice to actually be secure and not just compliant.''

And that combination of compliance needs and information consolidation has pushed 30 percent to 35 percent of large companies to buy into event management software, according to Jon Oltsik, a senior analyst with Enterprise Strategy Group, an analyst firm based in Milford, Mass.

''This is a relatively new technology space and people tend to deal with security in a tactical fashion,'' says Oltsik. ''People are transitioning to take a bigger look at security. There's pretty convincing evidence that shows that a tactical approach to security doesn't work. There are more threats. There are more attack vectors. The attacks are getting nastier.''

Both Oltsik and Selby note that eIQnetworks has a lot of competition in the event management space. ArcSight, Inc., based in Cupertino, Calif., is considered to be the market leader, according to Selby. And netForensics, Inc., based in Edison, N.J., along with NetIQ Corp. in San Jose, Calif., also are big players in this area.

Selby says what has been setting eIQnetworks apart is its competitive pricing model. And that's very attractive for mid-size to large companies trying to get a handle on a flood of security information, while also trying to get that overall view of what is trying to poke holes in their network protections.

A Forensic Tool

Part of that bigger-picture view at the holding company was being able to see what was happening on the inside of the perimeter.

Guy says he needed the ability to quickly find out what happened in a certain part of the network between 10 a.m. and 10:15 a.m. But getting at that information -- without a pitchfork and a lot of time on his hands -- was never easy.

''When Enterprise Security Analyzer came out with their forensic tool, it allowed us to go back and ask a very specific question,'' says Guy, who adds that they do a forensic search once or twice a week. ''You would not believe what some of our users pull... We catch them going to Websites that have not yet been blocked by the filters. We usually catch them going to porn sites.

''By the nature of the source address, you can see what sites they went to, what time and how long they were on it. From there, we turn it over to human resources because we have that forensic report [to back us up],'' he adds. ''The person who finds that stuff had better be able to defend it in court.''

And while a majority of the attacks come from the inside, Guy says the event management tool also helps him spot malware attacks -- even before the anti-virus vendors send out new signatures.

''eIQnetworks doesn't save us from worm attacks but it does allow us to see where the attacks are coming from,'' he says, noting that the Enterprise Security Analyzer helped him stop a worm attack in its tracks this past fall. ''We were able to see that we had an increased amount of traffic on a certain port. We adjusted our intrusion detection system to pick up the signature and then based on the reports, we were able to shut the port down [in time]. Having that information allowed us to make a great decision hours ahead of everyone else.''

If the worm had gotten through and infected Guy's global system, he might have been looking at sending out IT workers to clean up the company's 5,800 computers scattered around the world. ''There's no way to put a dollar amount on it,'' he says.

Staying Compliant and Proving It

Another type of protection is historical protection, according to the Enterprise Strategy Group's Oltsik.

By automating firewall and IDS logs, it's easier to stay compliant with new stringent regulations, like Sarbanes-Oxley. ''Automating it is more efficient,'' he adds. ''You also have to store that data for long periods of time in case you need it.''

And Guy says they definitely need the report data that the Enterprise Security Analyzer supplies every week.

''If you say that you log a firewall and all the activity on it, the next question out of the auditor's mouth is 'Can you produce reports and can you produce stats on when you check the logs?','' Guy points out. ''Every Sunday, it sends out a Sarbanes-Oxley report to key managers informing them who the largest abusers of the internal network are -- the biggest Web surfer, who's getting denied going to Websites they shouldn't be visiting. With 68 firewalls, the report runs from 6 in the morning until about 6 or 7 at night. Two- or three-page reports go to each manager and there's their Sarbanes-Oxley report.

''It keeps us out of legal trouble because every week I can inform the managers about what's happening.''
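The three things Guy describes using the tool for, a forensic query over a short time window for one source address, spotting a port that suddenly carries far more traffic than usual, and a weekly report of who gets denied most often, are all simple to express once the logs from every firewall sit in one place. The following is an added example, not code from eIQnetworks or the company in this story; the log line format, the firewall names and the addresses are constructed for illustration, and the spike rule (a time bucket with at least `min_hits` connections and at least `factor` times the mean of that port's other buckets) is an assumption chosen to be easy to read, not the product's logic.

```python
"""Consolidate per-connection logs from several firewalls and answer the
questions described in the article: what one host did in a time window,
which destination port is spiking, and who is denied most often.
Added example; the log format below is hypothetical, not a vendor format."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
import re

# Hypothetical export format, one line per connection:
# <firewall> <ISO timestamp> <ACCEPT|DENY> src=.. dst=.. dport=.. bytes=..
LINE_RE = re.compile(
    r"^(?P<fw>\S+) (?P<ts>\S+) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample lines from three firewalls (not real traffic). The last
# line is deliberately malformed to show that one bad line does not abort a run.
SAMPLE_LOGS = """\
fw01 2006-11-05T10:02:11 ACCEPT src=10.4.2.17 dst=203.0.113.9 dport=80 bytes=5120
fw01 2006-11-05T10:04:40 DENY src=10.4.2.17 dst=198.51.100.44 dport=80 bytes=0
fw02 2006-11-05T10:07:03 ACCEPT src=10.4.2.17 dst=203.0.113.9 dport=443 bytes=90112
fw02 2006-11-05T10:09:55 DENY src=10.4.2.17 dst=198.51.100.44 dport=80 bytes=0
fw03 2006-11-05T10:12:30 ACCEPT src=10.4.9.8 dst=203.0.113.20 dport=25 bytes=2048
fw03 2006-11-05T10:20:01 ACCEPT src=10.4.2.17 dst=203.0.113.9 dport=80 bytes=400
fw01 2006-11-05T11:00:00 ACCEPT src=10.4.9.8 dst=203.0.113.20 dport=25 bytes=1024
fw02 2006-11-05T11:00:02 ACCEPT src=10.4.3.3 dst=192.0.2.5 dport=445 bytes=512
fw02 2006-11-05T11:00:03 ACCEPT src=10.4.3.4 dst=192.0.2.6 dport=445 bytes=512
fw03 2006-11-05T11:00:04 ACCEPT src=10.4.3.5 dst=192.0.2.7 dport=445 bytes=512
fw01 2006-11-05T11:00:05 ACCEPT src=10.4.3.6 dst=192.0.2.8 dport=445 bytes=512
fw03 2006-11-05T11:00:06 ACCEPT src=10.4.3.7 dst=192.0.2.9 dport=445 bytes=512
fw01 2006-11-05T11:00:07 DENY src=10.4.5.5 dst=198.51.100.44 dport=80 bytes=0
fw02 this line is garbage and must be skipped
"""


@dataclass(frozen=True)
class Event:
    firewall: str
    ts: datetime
    action: str
    src: str
    dst: str
    dport: int
    nbytes: int


def _as_dt(t):
    """Accept either a datetime or an ISO-8601 string."""
    return t if isinstance(t, datetime) else datetime.fromisoformat(t)


def parse_logs(text):
    """Merge lines from any number of firewalls into one time-sorted list.
    Returns (events, number_of_malformed_lines); malformed lines are skipped."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            bad += 1
            continue
        events.append(Event(m["fw"], datetime.fromisoformat(m["ts"]), m["action"],
                            m["src"], m["dst"], int(m["dport"]), int(m["bytes"])))
    events.sort(key=lambda e: e.ts)
    return events, bad


def events_between(events, start, end, src=None):
    """The forensic question: everything between start (inclusive) and end
    (exclusive), optionally restricted to one source address."""
    start, end = _as_dt(start), _as_dt(end)
    return [e for e in events if start <= e.ts < end and (src is None or e.src == src)]


def port_spikes(events, bucket_minutes=60, min_hits=5, factor=4.0):
    """Flag destination ports whose busiest bucket holds at least min_hits
    connections and at least factor times the mean of that port's other
    buckets (zero-filled over all buckets seen). bucket_minutes must divide 60.
    Returns sorted (dport, bucket_start, count) tuples."""
    per_port, buckets = defaultdict(Counter), set()
    for e in events:
        b = e.ts - timedelta(minutes=e.ts.minute % bucket_minutes,
                             seconds=e.ts.second, microseconds=e.ts.microsecond)
        buckets.add(b)
        per_port[e.dport][b] += 1
    spikes = []
    for dport, counts in per_port.items():
        peak_bucket, peak = max(counts.items(), key=lambda kv: kv[1])
        others = [counts.get(b, 0) for b in buckets if b != peak_bucket]
        baseline = mean(others) if others else 0.0
        if peak >= min_hits and peak >= factor * baseline:
            spikes.append((dport, peak_bucket, peak))
    return sorted(spikes)


def top_denied(events, n=3):
    """Sources with the most DENY entries, for the weekly management report."""
    return Counter(e.src for e in events if e.action == "DENY").most_common(n)


if __name__ == "__main__":
    evs, bad = parse_logs(SAMPLE_LOGS)
    print(f"{len(evs)} events consolidated, {bad} malformed line(s) skipped")
    for e in events_between(evs, "2006-11-05T10:00:00", "2006-11-05T10:15:00", src="10.4.2.17"):
        print("window:", e.ts.time(), e.firewall, e.action, e.dst, e.dport, e.nbytes)
    for dport, when, count in port_spikes(evs):
        print(f"spike: dport {dport} had {count} connections in the bucket starting {when}")
    print("weekly denied report:", top_denied(evs))
```

On the sample data the window query returns the four connections 10.4.2.17 made between 10:00 and 10:15 across two firewalls, the spike check singles out port 445 in the 11:00 bucket (five connections from five hosts against no earlier traffic on that port), and the denied report puts 10.4.2.17 first. The spike rule is deliberately crude; in practice the baseline would come from days or weeks of history rather than the other buckets of the same file, and a port with no history at all should be reported separately from one whose rate merely rose.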
