Monday, September 27, 2021

How One Company Deals with Information Overload

With 68 firewalls and seven gigs a day of security reports to wade through, the senior network administrator of a $1.8 billion holding company was in over his head when it came to knowing what was happening on his network.

His firewall logs alone were stacked so deep that it easily took him eight hours to consolidate the information he needed after a single security incident.

“I’d have to dig through old logs and write my own queries and then examine the results,” says Timothy Guy, senior network administrator for the Midwest-based enterprise, which owns multiple manufacturing companies (and declined to be named in this story). “It was extremely time-consuming. To look at one cross-section of 20 minutes of log files would take six hours to get a forensics statement. It’s too late by then. You’re always playing catch-up. What’s happened in the next hours has already taken place, so you’re telling your bosses what happened and not what’s happening. It’s embarrassing.”

To better analyze the reams of information coming at him and to help stop network intrusions, Guy implemented security event management software from eIQnetworks, Inc., an Acton, Mass.-based security company.

Enterprise Security Analyzer V2.1 scans the information coming in from Guy’s firewalls and intrusion detection systems, looking for unusual patterns that might indicate a malware or hacker attack, or even a corporate user who is breaking the rules from the inside.

“If you don’t know what’s happening across your gateways, it’s very dangerous,” said Guy in an interview with Datamation.

“People can be coming in and doing things and you don’t even know it. A firewall or intrusion detection device is only useful if you can get the information to a central location.

“You have technology that defends against attacks, but unless you have the knowledge of when it’s occurring, what’s occurring and where it’s coming from, it doesn’t do you any good,” he adds. “We went from taking six hours to look for a security event down to under a couple minutes. It means we’re able to be aware of what’s happening. If you don’t have the information, you can’t do anything.”

And this major holding company isn’t the only one turning to event management software.

Nick Selby, an enterprise security analyst with The 451 Group, Inc., an industry research firm based in New York City, says the market is ‘exploding’. And he only sees it continuing to grow.

“There are a lot of products on the network gathering information and you need something to shove all of that information into a box so you can look at it meaningfully,” says Selby, adding that eIQnetworks’ solution is getting quite a bit of attention for being far cheaper than many of its competitors. “Without a product like this, it’s impossible if you’re looking at a mid-size and up company… This specific technology is critical now.”

But consolidating an unwieldy amount of information isn’t the only benefit — not in a time of increased regulation.

“With regulations like Sarbanes-Oxley and HIPAA in place, there’s the idea that you’re going to have to show that you have technical controls,” Selby notes. “You can’t just be in compliance. You’ve got to be able to prove it. But above that, it would be nice to actually be secure and not just compliant.”

And that combination of compliance needs and information consolidation has pushed 30 percent to 35 percent of large companies to buy into event management software, according to Jon Oltsik, a senior analyst with Enterprise Strategy Group, an analyst firm based in Milford, Mass.

“This is a relatively new technology space and people tend to deal with security in a tactical fashion,” says Oltsik. “People are transitioning to take a bigger look at security. There’s pretty convincing evidence that shows that a tactical approach to security doesn’t work. There are more threats. There are more attack vectors. The attacks are getting nastier.”

Both Oltsik and Selby note that eIQnetworks has a lot of competition in the event management space. ArcSight, Inc., based in Cupertino, Calif., is considered to be the market leader, according to Selby. And netForensics, Inc., based in Edison, N.J., along with NetIQ Corp. in San Jose, Calif., also are big players in this area.

Selby says what has been setting eIQnetworks apart is its competitive pricing model. And that’s very attractive for mid-size to large companies trying to get a handle on a flood of security information, while also trying to get that overall view of what is trying to poke holes in their network protections.

A Forensic Tool

Part of that bigger-picture view at the holding company was being able to see what was happening on the inside of the perimeter.

Guy says he needed the ability to quickly find out what happened in a certain part of the network between 10 a.m. and 10:15 a.m. But getting at that information — without a pitchfork and a lot of time on his hands — was never easy.

“When Enterprise Security Analyzer came out with their forensic tool, it allowed us to go back and ask a very specific question,” says Guy, who adds that they do a forensic search once or twice a week. “You would not believe what some of our users pull… We catch them going to Websites that have not yet been blocked by the filters. We usually catch them going to porn sites.

“By the nature of the source address, you can see what sites they went to, what time and how long they were on it. From there, we turn it over to human resources because we have that forensic report [to back us up],” he adds. “The person who finds that stuff had better be able to defend it in court.”

And while a majority of the attacks come from the inside, Guy says the event management tool also helps him spot malware attacks — even before the anti-virus vendors send out new signatures.

“eIQnetworks doesn’t save us from worm attacks, but it does allow us to see where the attacks are coming from,” he says, noting that the Enterprise Security Analyzer helped him stop a worm attack in its tracks this past fall. “We were able to see that we had an increased amount of traffic on a certain port. We adjusted our intrusion detection system to pick up the signature and then, based on the reports, we were able to shut the port down [in time]. Having that information allowed us to make a great decision hours ahead of everyone else.”
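The two uses Guy describes above, the time-window forensic question about one network segment and spotting a sudden increase in traffic on a single port across all gateways, as an added Python example over constructed firewall log lines. This is not eIQnetworks’ or the holding company’s code; the log format, addresses, port numbers and thresholds are assumptions made for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): three firewalls already forwarded to one
# collector. Fields: firewall timestamp src dst port action
SAMPLE_LOGS = """\
fw01 2005-10-03T10:02:11 10.1.4.22 198.51.100.7 80 allow
fw01 2005-10-03T10:05:40 10.1.4.22 198.51.100.7 80 allow
fw02 2005-10-03T10:07:02 10.2.9.15 203.0.113.5 445 allow
fw03 2005-10-03T10:07:03 10.3.1.8 203.0.113.9 445 allow
fw02 2005-10-03T10:07:05 10.2.9.16 203.0.113.5 445 allow
fw01 2005-10-03T10:07:06 10.1.4.30 203.0.113.5 445 allow
fw03 2005-10-03T10:12:59 10.1.4.22 198.51.100.8 443 deny
fw02 2005-10-03T10:20:00 10.2.9.15 198.51.100.7 80 allow
"""

def parse(text):
    """Turn each log line into a dict with a real datetime so queries can compare times."""
    events = []
    for line in text.splitlines():
        fw, ts, src, dst, port, action = line.split()
        events.append({"fw": fw, "ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "action": action})
    return events

def forensic_window(events, start, end, src_prefix=""):
    """The 10:00-to-10:15 question: what did one network segment do in that window?"""
    return [e for e in events if start <= e["ts"] < end and e["src"].startswith(src_prefix)]

def dwell_by_pair(events):
    """Per (source, destination): first seen, and seconds between first and last hit."""
    seen = {}
    for e in events:
        key = (e["src"], e["dst"])
        first, last = seen.get(key, (e["ts"], e["ts"]))
        seen[key] = (min(first, e["ts"]), max(last, e["ts"]))
    return {k: (f, (l - f).total_seconds()) for k, (f, l) in seen.items()}

def bucket_of(ts, minutes):
    ts = ts.replace(second=0, microsecond=0)
    return ts - timedelta(minutes=ts.minute % minutes)

def port_spikes(events, minutes=5, factor=3.0, min_count=3):
    """Flag (bucket, port, hits) where one bucket's hits on a port exceed factor x that port's
    mean hits per bucket over the whole span; min_count keeps one stray connection quiet."""
    hits = defaultdict(Counter)
    for e in events:
        hits[e["port"]][bucket_of(e["ts"], minutes)] += 1
    span = bucket_of(max(e["ts"] for e in events), minutes) - bucket_of(min(e["ts"] for e in events), minutes)
    n_buckets = int(span.total_seconds() // (minutes * 60)) + 1
    flagged = []
    for port, per_bucket in hits.items():
        mean = sum(per_bucket.values()) / n_buckets
        flagged += [(b, port, n) for b, n in per_bucket.items() if n >= min_count and n > factor * mean]
    return sorted(flagged)
```

With the sample above, `port_spikes(parse(SAMPLE_LOGS))` reports the four hits on port 445 in the 10:05 bucket and nothing else; `forensic_window` on the `10.1.4.` segment between 10:00 and 10:15 returns the four events that segment produced, and `dwell_by_pair` shows how long each source stayed with each destination.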

If the worm had gotten through and infected Guy’s global system, he might have been looking at sending out IT workers to clean up the company’s 5,800 computers scattered around the world. “There’s no way to put a dollar amount on it,” he says.

Staying Compliant and Proving It

Another type of protection is historical protection, according to the Enterprise Strategy Group’s Oltsik.

By automating firewall and IDS logs, it’s easier to stay compliant with new stringent regulations, like Sarbanes-Oxley. “Automating it is more efficient,” he adds. “You also have to store that data for long periods of time in case you need it.”

And Guy says they definitely need the report data that the Enterprise Security Analyzer supplies every week.

“If you say that you log a firewall and all the activity on it, the next question out of the auditor’s mouth is ‘Can you produce reports and can you produce stats on when you check the logs?’,” Guy points out. “Every Sunday, it sends out a Sarbanes-Oxley report to key managers informing them who the largest abusers of the internal network are — the biggest Web surfer, who’s getting denied going to Websites they shouldn’t be visiting. With 68 firewalls, the report runs from 6 in the morning until about 6 or 7 at night. Two- or three-page reports go to each manager and there’s their Sarbanes-Oxley report.

“It keeps us out of legal trouble because every week I can inform the managers about what’s happening.”
