This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
Global vacation exchange network, Interval International, grew by leaps and bounds at the turn of the 21st century, more than doubling its staff to 2,000 employees and expanding its ecommerce operation. The result was a massively complex network with machines running a hodgepodge of operating systems and multiple security devices.
Sasan Hamidi's words of wisdom:
Get support for heterogeneous environments
Focus on audit benefits to win funding
Involve others in IT in project research
With such a complicated network, the company needed an automated system for security event monitoring, said Sasan Hamidi, CISO at Miami-based Interval, which specializes in time-share exchanges. With just two full-time infosecurity staffers and a handful of part-timers, manual monitoring wasn't feasible.
Also, since Interval was no longer a small, private company but part of a large public one (IAC/InterActiveCorp acquired it in September 2002), it needed to comply with regulations like Sarbanes-Oxley. That made automated log management essential for auditing purposes. Because it can be tough to sell security projects to upper management, Hamidi focused on the audit benefits of SIM technology to win funding. He calculated the money Interval spent hiring contractors to help prepare for internal auditors by sifting through logs and creating procedures and reports.
"We realized that even without any additional resources to manage a SIM environment, we would be far better off spending money for the SIM than without it," he said.
The company reviewed three vendors and chose netForensics for several reasons. The vendor's nFX Open Security Platform supported nearly every type of product in Interval's heterogeneous environment. Plus, netForensics was willing to work with Interval on developing agents for products it did not support.
While another vendor promised an agentless technology, Hamidi says he wasn't confident that was the right approach.
"My philosophy was it didn't really matter whether we used agents or not. Our biggest concern was getting a comprehensive deployment in terms of log management and security event management for all our devices," he said.
Those systems include Novell, Unix, Windows and Solaris servers, an AS/400, Cisco routers and host-based IDS, Juniper and Check Point firewalls, and Sourcefire network-based IDS.
SIM shopping list
Before buying a SIM, here are six questions you should consider:
How does the system collect and store data?
How are business rules expressed?
Does the SIM allow active response?
What are its forensic capabilities?
Can the SIM support your data retention requirements?
Does it generate useful reports?
The SIM's reporting capabilities allow Hamidi's team to easily provide audit trails for the controls they've created. For example, they can pull weekly reports of who logged on to critical Solaris servers and review them for any discrepancies.
"Previously, it was pretty painful. We had to have someone go through...and check manually all the server logs or go to our log server and do a search by host name," Hamidi said.
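The weekly Solaris logon review described above is the kind of control a SIM report replaces with a query. As an added example that is not part of the article and not code from netForensics' product, the Python script below does the same job over a handful of constructed Solaris sshd syslog lines: it parses successful logons, tallies them per host and user for the week, and flags any logon by an account that is not on an assumed approved-access list. The hostnames, usernames, addresses, the approved list and the exact log line format are all assumptions for illustration.

```python
"""Weekly logon report for critical Solaris hosts, built from syslog-style
sshd lines. Added example; sample data and log format are constructed."""
import re
from datetime import datetime

# Constructed sample lines in the style Solaris sshd writes to the auth
# facility. Hosts, users, addresses and message IDs are assumptions.
SAMPLE_LOG = """\
Sep  4 08:12:01 sol-db01 sshd[2311]: [ID 800047 auth.info] Accepted publickey for dba1 from 10.1.5.20 port 51022 ssh2
Sep  4 09:40:17 sol-db01 sshd[2398]: [ID 800047 auth.info] Accepted password for oracle from 10.1.5.33 port 40111 ssh2
Sep  5 22:05:44 sol-db01 sshd[2510]: [ID 800047 auth.info] Accepted password for root from 192.168.77.9 port 33012 ssh2
Sep  5 22:06:10 sol-app02 sshd[1207]: [ID 800047 auth.info] Failed password for root from 192.168.77.9 port 33020 ssh2
Sep  6 10:00:03 sol-app02 sshd[1311]: [ID 800047 auth.info] Accepted publickey for webadm from 10.1.5.41 port 50210 ssh2
Sep  7 03:15:29 sol-app02 sshd[1402]: [ID 800047 auth.info] Accepted password for contractor7 from 10.1.9.200 port 44010 ssh2
"""

# The control being audited: who may log on to each critical host (assumed).
APPROVED = {
    "sol-db01": {"dba1", "oracle"},
    "sol-app02": {"webadm"},
}

# Matches only successful logons; "Failed password" lines are skipped.
LOGON_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: .*?"
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_logons(log_text, year=2006):
    """Return one dict per successful logon found in log_text.
    syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append({"ts": ts, "host": m["host"], "user": m["user"],
                       "src": m["src"], "method": m["method"]})
    return events


def weekly_report(events):
    """Tally logons as {host: {user: count}}."""
    report = {}
    for e in events:
        users = report.setdefault(e["host"], {})
        users[e["user"]] = users.get(e["user"], 0) + 1
    return report


def discrepancies(events, approved=APPROVED):
    """Logons by accounts not on the approved list for that host.
    A host missing from the list has no approved users, so every
    logon to it is reported."""
    return [e for e in events
            if e["user"] not in approved.get(e["host"], set())]


def format_report(events, approved=APPROVED):
    """Human-readable weekly report, with unapproved accounts marked."""
    lines = []
    for host, users in sorted(weekly_report(events).items()):
        lines.append(f"{host}:")
        for user, n in sorted(users.items()):
            flag = "" if user in approved.get(host, set()) else "  <-- not on approved list"
            lines.append(f"  {user:12} {n:3} logon(s){flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_logons(SAMPLE_LOG)
    print(format_report(evs))
    for f in discrepancies(evs):
        print(f"REVIEW: {f['ts']:%Y-%m-%d %H:%M} {f['user']}@{f['host']} "
              f"from {f['src']} ({f['method']})")
```

Run against the sample, the report shows three accounts on sol-db01 and two on sol-app02, and the review list carries the root logon to sol-db01 and the contractor logon to sol-app02, both by password from addresses outside the usual range; the failed root attempt is not a logon and is left to a separate failed-authentication report. Missing approved-list entries are treated as "nobody approved" so a newly added host surfaces immediately rather than silently passing.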
The SIM has also allowed Interval to quickly detect a few infected PCs that contractors brought into the network.
However, managing the technology can be a challenge, including sorting out false positives, Hamidi says. Technicians from the company's enterprise operations center help out a full-time staffer who stays on top of the alerts. Still, without the SIM it would take four or five times as many resources to accomplish the needed security management, he added.
Hamidi is pleased with the project, but if he had to do it again, he would involve more of the IT group in the research phase. The security team had to rely on other IT staffers to implement the technology, and those staffers didn't fully understand how the SIM would help the business.
"I would bring these guys in and make them part of the research, have them participate more so I could do a better selling job on getting their buy-in," he said.
This was first published in September 2006