Second SIM gets it right
After preliminary Sarbanes-Oxley and SAS 70 audits toward the end of 2004, the security team at T. Rowe Price was under the gun. Internal findings showed that the investment-management firm could receive bad marks because it didn't have a system for managing security event logs.
David Maas' words of wisdom:
Weigh appliance versus software-based solution
Hire full-time engineer to maintain system
Consider storage requirements
With just 60 days to get a system in place, David Maas, senior network security engineer, and his staff quickly researched SIM products, and narrowed their list to four. There was no time to test each one, so they chose a vendor that promised an easy-to-use appliance. While it worked well enough to get over the audit hurdle, the appliance didn't live up to the hype, and was difficult to set up and manage.
Fed up after struggling for a year with the device, T. Rowe Price decided to start fresh with ArcSight. The company initially deployed the software-based solution so it collected logs from primary security devices such as Check Point firewalls and Blue Coat proxies, and gradually fed more systems into it, including Cisco routers, Windows boxes and Juniper firewalls.
"We're doing it in chunks," Maas said. "We're still learning. It is a system that's fairly demanding."
Baltimore-based T. Rowe Price added an engineer to its four-member network security team to work on the ArcSight system full time, running reports, tuning the agents, and resolving any issues that crop up.
Despite the learning curve, the SIM is helping on both the audit and security fronts. An administrator can run monthly, weekly or daily reports on nearly any data collected. One example: A report detailing how many user accounts were deleted in a week, something Maas said auditors want.
The reports provide auditors and high-level managers with a nice visual of what's happening in the environment, Maas said. "We never had that before."
By collecting security events from multiple devices into a central location, the SIM allows T. Rowe Price to correlate events and trigger alerts. It also helps the security team with forensics work, such as tracking down workstation infections.
"It allows us to do a lot of forensic analysis...all in one location versus having to visit the desktop, the server or the proxy logs manually," Maas said. "It definitely saves us a lot of time."
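The two things the article credits the SIM with, a report over centralized logs (how many accounts were deleted in a week) and a correlation rule that turns events from several devices into one alert, can be shown in a few dozen lines. The block below is an added illustration, not ArcSight code or anything from T. Rowe Price: the firewall, proxy and Windows log lines are constructed samples in simplified made-up formats, and the "drops followed by a proxy block" rule and its 10-minute window are assumptions chosen for the demonstration.

```python
"""Toy SIM pipeline: normalize events from several sources into one schema,
then run a compliance report and a correlation rule over them.
Added example; the log formats below are hypothetical simplifications."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real device output).
FIREWALL_LOGS = [
    "2006-08-14T09:12:01 fw1 drop src=10.1.4.22 dst=203.0.113.9 dport=6667",
    "2006-08-14T09:12:04 fw1 drop src=10.1.4.22 dst=203.0.113.9 dport=6667",
    "2006-08-14T09:12:09 fw1 accept src=10.1.4.23 dst=10.1.1.5 dport=443",
]
PROXY_LOGS = [
    "2006-08-14T09:12:30 proxy1 10.1.4.22 DENIED http://malware.example/dl.exe",
    "2006-08-14T11:40:00 proxy1 10.1.4.23 ALLOWED http://www.example.com/",
]
# 4726 is the Windows "A user account was deleted" event; 4720 is "created".
WINDOWS_LOGS = [
    "2006-08-14T10:00:00 dc1 EventID=4726 TargetUser=jdoe Subject=admin",
    "2006-08-15T10:05:00 dc1 EventID=4726 TargetUser=asmith Subject=admin",
    "2006-08-22T08:00:00 dc1 EventID=4726 TargetUser=old_svc Subject=admin",
    "2006-08-14T10:06:00 dc1 EventID=4720 TargetUser=newhire Subject=admin",
]
WEEK_START = datetime(2006, 8, 14)  # reporting week used in the demo

FW_RE = re.compile(r"^(\S+) (\S+) (accept|drop) src=(\S+) dst=(\S+) dport=(\d+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (ALLOWED|DENIED) (\S+)$")
WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) TargetUser=(\S+) Subject=(\S+)$")


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts, host, action, src, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "device": host, "type": "firewall",
            "action": action, "src_ip": src, "dst_ip": dst, "dport": int(dport)}


def parse_proxy(line):
    m = PROXY_RE.match(line)
    if not m:
        return None
    ts, host, client, action, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "device": host, "type": "proxy",
            "action": action, "src_ip": client, "url": url}


def parse_windows(line):
    m = WIN_RE.match(line)
    if not m:
        return None
    ts, host, event_id, target, subject = m.groups()
    return {"ts": datetime.fromisoformat(ts), "device": host, "type": "windows",
            "event_id": int(event_id), "user": target, "actor": subject}


def load_events():
    """Collect every source into one time-ordered list of normalized events."""
    parsed = ([parse_firewall(l) for l in FIREWALL_LOGS]
              + [parse_proxy(l) for l in PROXY_LOGS]
              + [parse_windows(l) for l in WINDOWS_LOGS])
    events = [e for e in parsed if e is not None]
    events.sort(key=lambda e: e["ts"])
    return events


def deleted_accounts_report(events, week_start):
    """The auditor's report: which accounts were deleted in the 7 days from week_start."""
    end = week_start + timedelta(days=7)
    return sorted(e["user"] for e in events
                  if e["type"] == "windows" and e["event_id"] == 4726
                  and week_start <= e["ts"] < end)


def correlate(events, window=timedelta(minutes=10), min_drops=2):
    """Assumed rule: a host dropped by the firewall min_drops times and then blocked
    by the proxy within `window` gets one alert (a likely infected workstation)."""
    drops = defaultdict(list)
    alerts = []
    for e in events:  # events are time-ordered, so drops precede the proxy hit
        if e["type"] == "firewall" and e["action"] == "drop":
            drops[e["src_ip"]].append(e["ts"])
        elif e["type"] == "proxy" and e["action"] == "DENIED":
            recent = [t for t in drops[e["src_ip"]] if e["ts"] - t <= window]
            if len(recent) >= min_drops:
                alerts.append({"src_ip": e["src_ip"], "first_seen": min(recent),
                               "proxy_ts": e["ts"], "url": e["url"]})
    return alerts


if __name__ == "__main__":
    evs = load_events()
    print("deleted this week:", deleted_accounts_report(evs, WEEK_START))
    for a in correlate(evs):
        print("ALERT", a["src_ip"], "drops since", a["first_seen"], "then blocked", a["url"])
```

The point of the normalization step is that both the report and the rule read one schema; adding Cisco or Juniper sources later means writing another parser, not another rule. Tuning the rule (the window and threshold) is exactly the agent-and-rule tuning work the article says needed a full-time engineer.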
The system also makes firewall maintenance easier. Engineers can see what firewall rules are being used; if one hasn't been used in a long time, they can remove it. That improves firewall performance and also allows the company to prove it has audited its internal security devices, Maas said.
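The stale-rule review the article describes is a small report over per-rule hit counts: find every rule that has not matched traffic in some period, and hand that list to the firewall engineers. The block below is an added example, not the firm's or ArcSight's code; the rule base, the daily hit-count lines and the 90-day idle threshold are constructed assumptions.

```python
"""Flag firewall rules with no hits in the last N days (stale-rule review).
Added example with constructed data, not a real Check Point rule export."""
from datetime import date, datetime, timedelta

# Hypothetical rule base keyed by rule number.
RULES = {
    1: "allow dmz-web -> internet tcp/443",
    2: "allow lan -> dmz-web tcp/80",
    3: "allow vendor-vpn -> finance-db tcp/1521",
    4: "allow any -> dns-servers udp/53",
    5: "drop any -> any (cleanup)",
    6: "allow legacy-host -> mainframe tcp/23",
}
# Constructed daily hit counts as the SIM might summarize them: "<day> rule=<id> hits=<n>".
HIT_LOGS = [
    "2006-05-02 rule=3 hits=2",
    "2006-08-01 rule=1 hits=5120",
    "2006-08-01 rule=4 hits=83000",
    "2006-08-01 rule=5 hits=410",
    "2006-08-30 rule=1 hits=4900",
    "2006-08-30 rule=2 hits=12",
    "2006-08-30 rule=4 hits=79000",
    "2006-08-30 rule=5 hits=380",
]
AS_OF = date(2006, 9, 1)  # date the review is run


def parse_hit_line(line):
    day, rule, hits = line.split()
    return (datetime.strptime(day, "%Y-%m-%d").date(),
            int(rule.split("=", 1)[1]), int(hits.split("=", 1)[1]))


def last_hit_by_rule(lines):
    """Map rule id -> most recent day on which it matched at least one packet."""
    last = {}
    for day, rule_id, hits in map(parse_hit_line, lines):
        if hits > 0 and (rule_id not in last or day > last[rule_id]):
            last[rule_id] = day
    return last


def stale_rules(rules, lines, as_of, max_idle_days=90):
    """Rules never hit, or not hit since as_of - max_idle_days, in rule order.
    Each entry is (rule_id, description, last_seen or None)."""
    last = last_hit_by_rule(lines)
    cutoff = as_of - timedelta(days=max_idle_days)
    return [(rule_id, desc, last.get(rule_id))
            for rule_id, desc in sorted(rules.items())
            if last.get(rule_id) is None or last[rule_id] < cutoff]


if __name__ == "__main__":
    for rule_id, desc, seen in stale_rules(RULES, HIT_LOGS, AS_OF):
        print(f"rule {rule_id}: {desc} (last hit: {seen or 'never'})")
```

The output is a candidate list, not a deletion list: a rule that is idle because its business process runs quarterly (the vendor-VPN rule above, if that were the case) needs a longer threshold, which is why `max_idle_days` is a parameter. Keeping the dated report is also what lets the company show an auditor that the rule base was reviewed.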
T. Rowe Price's ArcSight deployment consists of four boxes: one running ArcSight Manager, one running an Oracle database with a locally attached storage array, and two Windows-based servers where agents are deployed to pull event data from systems. There also are some agents that run directly on individual systems. For the Blue Coat devices, logs are collected via FTP.
Having a security engineer from ArcSight helped to make the deployment successful and saved time, but Maas quickly realized that a terabyte of storage wasn't enough. That required some project redesign.
Over time, T. Rowe Price plans to expand the SIM so it collects data from more devices, such as its IBM Tivoli Access Manager.
That expansion may mean adding more staff, Maas noted. However, he expects that once the company implements more correlation rules into the SIM to trigger alerts, staff will do even less log monitoring.
This was first published in September 2006