How One Company Deals with Information Overload

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

With 68 firewalls and seven gigs a day of security reports to wade

through, the senior network administrator of a $1.8 billion holding

company was in over his head when it came to knowing what was happening

on his network.

His firewall logs alone were stacked so deep that it easily took him

eight hours to consolidate the information he needed after a single

security incident.

”I’d have to dig through old logs and write my own queries and then

examine the results,” says Timothy Guy, senior network administrator for

the midwest-based enterprise, which owns multiple manufacturing

companies (and declined to be named in this story). ”It was extremely

time-consuming. To look at one cross-section of 20 minutes of log files

would take six hours to get a forensics statement. It’s too late by then.

You’re always playing catch-up. What’s happened in the next hours has

already taken place so you’re telling your bosses what happened and not

what’s happening. It’s embarrassing.”

To better analyze the reams of information coming at him and to help stop

network intrusions, Guy implemented security event management software

from eIQnetworks, Inc., an Acton, Mass.-based security company.

Enterprise Security Analyzer V2.1 scans the information coming in from

Guy’s firewalls and intrusion detection systems, looking for unusual

patterns that might indicate a malware or hacker attack, or even a

corporate user who is breaking the rules from the inside.

”If you don’t know what’s happening across your gateways, it’s very

dangerous,” said Guy in an interview with Datamation.

”People can be coming in and doing things and you don’t even know it. A

firewall or intrusion detection device is only useful if you can get the

information to a central location.

”You have technology that defends against attacks but unless you have

the knowledge of when it’s occurring, what’s occurring and where it’s

coming from, it doesn’t do you any good,” he adds. ”We went from taking

six hours to look for a security event down to under a couple minutes. It

means we’re able to be aware of what’s happening. If you don’t have the

information, you can’t do anything.”

And this major holding company isn’t the only one turning to event

management software.

Nick Selby, an enterprise security analyst with The 451 Group, Inc., an

industry research firm based in New York City, says the market is

‘exploding’. And he only sees it continuing to grow.

”There are a lot of products on the network gathering information and

you need something to shove all of that information into a box so you can

look at it meaningfully,” says Selby, adding that eIQnetworks’ solution

is getting quite a bit of attention for being far cheaper than many of

its competitors. ”Without a product like this, it’s impossible if you’re

looking at a mid-size and up company… This specific technology is

critical now.”

But consolidating an unwieldy amount of information isn’t the only

benefit — not in a time of increased regulation.

”With regulations like Sarbanes-Oxley and HIPAA in place, there’s the

idea that you’re going to have to show that you have technical

controls,” Selby notes. ”You can’t just be in compliance. You’ve got to

be able to prove it. But above that, it would be nice to actually be

secure and not just compliant.”

And that combination of compliance needs and information consolidation

has pushed 30 percent to 35 percent of large companies to buy into event

management software, according to Jon Oltsik, a senior analyst with

Enterprise Strategy Group, an analyst firm based in Milford, Mass.

”This is a relatively new technology space and people tend to deal with

security in a tactical fashion,” says Oltsik. ”People are transitioning

to take a bigger look at security. There’s pretty convincing evidence

that shows that a tactical approach to security doesn’t work. There are

more threats. There are more attack vectors. The attacks are getting

nastier.”

Both Oltsik and Selby note that eIQnetworks has a lot of competition in the event management space. ArcSight, Inc. based in Cupertino, Calif., is considered to be the market leader, according to Selby. And netForensics, Inc., based in Edison, N.J., along with NetIQ Corp. in San Jose, Calif., also are big players in this area.

Selby says what has been setting eIQnetworks apart is its competitive pricing model. And that’s very attractive for mid-size to large companies trying to get a handle on a flood of security information, while also trying to get that overall view of what is trying to poke holes in their network protections.

A Forensic Tool

Part of that bigger picture view at the holding company was being able to

see what was happening on the insider of the perimeter.

Guy says he needed the ability to quickly find out what happened in a

certain part of the network between 10 a.m. and 10:15 a.m. But getting at

that information — without a pitchfork and a lot of time on his hands —

was never easy.

”When Enterprise Security Analyzer came out with their forensic tool, it

allowed us to go back and ask a very specific question,” says Guy, who

adds that they do a forensic search once or twice a week. ”You would not

believe what some of our users pull… We catch them going to Websites

that have not yet been blocked by the filters. We usually catch them

going to porn sites.

”By the nature of the source address, you can see what sites they went

to, what time and how long they were on it. From there, we turn it over

to human resources because we have that forensic report [to back us

up],” he adds. ”The person who finds that stuff had better be able to

defend it in court.”

And while a majority of the attacks come from the inside, Guy says the

event management tool also helps him spot malware attacks — even before

the anti-virus vendors send out new signatures.

”eIQnetworks doesn’t save us from worm attacks but it does allow us to

see where the attacks are coming from,” he says, noting that the

Enterprise Security Analyzer helped him stop a worm attack in its tracks

this past fall. ”We were able to see that we had an increased amount of

traffic on a certain port. We adjusted our intrusion detection system to

pick up the signature and then based on the reports, we were able to shut

the port down [in time]. Having that information allowed us to make a

great decision hours ahead of everyone else.”

If the worm had gotten through and infected Guy’s global system, he might

have been looking at sending out IT workers to clean up the company’s

5,800 computers scattered around the world. ”There’s no way to put a

dollar amount on it,” he says.

Staying Compliant and Proving It

Another type of protection is historical protection, according to the

Enterprise Strategy Group’s Oltsik.

By automating firewall and IDS logs, it’s easier to stay compliant with

new stringent regulations, like Sarbanes-Oxley. ”Automating it is more

efficient,” he adds. ”You also have to store that data for long periods

of time in case you need it.”

And Guy says they definitely need the report data that the Enterprise

Security Analyzer supplies ever week.

”If you say that you log a firewall and all the activity on it, the next
question out of the auditor’s mouth is ‘Can you produce reports and can
you produce stats on when you check the logs?’,” Guy points out. ”Every

Sunday, it sends out a Sarbanes-Oxley report to key managers informing
them who the largest abusers of the internal network are — the biggest

Web surfer, who’s getting denied going to Websites they shouldn’t be

visiting. With 68 firewalls, the report runs from 6 in the morning until

about 6 or 7 at night. Two- or three-page reports go to each manager and

there’s their Sarbanes-Oxley report.

”It keeps us out of legal trouble because every week I can inform the

managers about what’s happening.”