This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
Alert and Analyze
In charge of monitoring U.S. Navy computer networks, operators at the Navy Cyber Defense Operations Command (NCDOC) had their hands full, especially as more sensors were added to detect possible attacks. Additional networks and sensors produced a crush of data.
Jim Granger's words of wisdom:
- Rely on an interactive development process
- Use a data warehouse for long-term analysis
- Deploy a flexible architecture
"That was far outstripping the ability of people to handle it manually," says Jim Granger, NCDOC technical director.
The organization decided it needed a system to manage all that security event data, and settled on a software solution from e-Security combined with a SAS data warehouse on the back end. (Novell acquired e-Security in April 2006.)
"e-Security provides our near real-time front end and can take a variety of disparate data sources and provide immediately actionable alerts to our watch commanders. ...Then we roll that data off of e-Security into our SAS data warehouse back end for long-term trend analysis," Granger says.
The deployment initially started as a pilot project, dubbed Mobius, and has grown into a full-fledged system now called Prometheus. The e-Security piece collects event data primarily from IPSes along with some firewalls and routers, but NCDOC plans to feed into it more devices, such as a vulnerability assessment scanner and host-based security systems.
With a 150-terabyte SAN, Prometheus allows NCDOC to analyze an immense volume of data to warn about possible cyberattacks, including "low and slow" probing, Granger says.
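The two-tier design Granger describes, a near-real-time front end for immediately actionable alerts and a warehouse for long-term trend analysis, exists because the two tiers catch different things. The following added example (not NCDOC's, e-Security's or SAS's code, and not from the article) runs two rules over a constructed set of firewall deny records in a made-up log format: a burst rule of the kind a front end fires on, and a long-window rule that flags a source which never exceeds a per-day threshold but, over a month, probes many distinct ports on one host. The IP addresses, thresholds and log layout are all invented for illustration.

```python
"""Two-tier analysis over constructed firewall deny logs: a near-real-time
burst detector (what a front end alerts on) and a long-window detector for
"low and slow" probing (what a warehouse-scale trend query can find)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format, not any real product's: ISO timestamp, action, src, dst, dport.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def build_sample_log():
    """Return constructed log lines covering three behaviours (hypothetical data)."""
    base = datetime(2006, 9, 1)
    lines = []
    # 1. Noisy scan: 50 ports against one host inside two minutes.
    for i in range(50):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} DENY src=198.51.100.7 dst=192.0.2.10 dport={1000 + i}")
    # 2. Low and slow: one new port per day against one host for 30 days.
    for d in range(30):
        ts = base + timedelta(days=d, hours=3)
        lines.append(f"{ts.isoformat()} DENY src=203.0.113.5 dst=192.0.2.20 dport={20 + d}")
    # 3. Benign repeat: the same port once a day from an internal host.
    for d in range(30):
        ts = base + timedelta(days=d, hours=9)
        lines.append(f"{ts.isoformat()} DENY src=192.0.2.50 dst=192.0.2.20 dport=443")
    return lines


def parse_events(lines):
    """Parse log lines into (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect_bursts(events, window=timedelta(minutes=5), min_ports=20):
    """Near-real-time rule: flag a source hitting many distinct ports within one time bucket."""
    ports_in_bucket = defaultdict(set)
    for ts, src, _dst, dport in events:
        bucket = int(ts.timestamp() // window.total_seconds())
        ports_in_bucket[(src, bucket)].add(dport)
    return {src for (src, _b), ports in ports_in_bucket.items() if len(ports) >= min_ports}


def detect_low_and_slow(events, min_active_days=10, max_per_day=3, min_ports=10):
    """Long-window rule: flag a source that stays under the per-day threshold
    but, across many days, touches many distinct ports on the same destination."""
    per_day = defaultdict(lambda: defaultdict(int))   # (src, dst) -> day -> event count
    ports = defaultdict(set)                          # (src, dst) -> distinct dports seen
    for ts, src, dst, dport in events:
        per_day[(src, dst)][ts.date()] += 1
        ports[(src, dst)].add(dport)
    flagged = set()
    for key, days in per_day.items():
        if (len(days) >= min_active_days
                and max(days.values()) <= max_per_day
                and len(ports[key]) >= min_ports):
            flagged.add(key[0])
    return flagged


if __name__ == "__main__":
    evts = parse_events(build_sample_log())
    print("burst sources:", sorted(detect_bursts(evts)))
    print("low-and-slow sources:", sorted(detect_low_and_slow(evts)))
```

The burst rule only ever sees events inside a single five-minute bucket, so the one-port-a-day prober never trips it; the long-window rule needs every day's events for the whole period to be retained and queryable, which is the job the article assigns to the warehouse rather than the alerting front end. In practice the per-day and distinct-port thresholds would be tuned against the baseline of the monitored networks.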
While the tool has proven powerful, he credits the sailors and civilians using it for making it a success. NCDOC operators worked closely with engineers from e-Security and SAS to develop an effective system.
Integrating e-Security more closely with its incident tracking system was essential, Granger says: "A lot of early SIM technology was about, 'We'll plug 70 sensors into one screen.' You need to be able to track the status of a long-term incident, the feedback...and store and catalog this data so it's accessible months or years later."
This was first published in September 2006