This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
A reliable utility
With some 12 million residents of Ontario, Canada relying on it for power, the Independent Electricity System Operator (IESO) has a critical need for network security.
David Lewis' words of wisdom:
- Avoid "agent bloat"
- Consider the ease of an appliance
- Buy more storage
The importance of keeping on top of security threats was one reason the organization wanted an automated system that would collect, analyze and report the events produced by its network security devices. Another driver was the proposed security auditing requirements of the North American Electric Reliability Council (NERC).
"Auditors have this simple phrase: 'If it's not written down, it didn't happen,'" said David Lewis, who goes by the unofficial title of "security curmudgeon" at the nonprofit IESO.
So Lewis--who has a background in archeology and a habit of "researching things to death"--began digging into whatever he could find about SIMs.
From a list of 13 vendors, he and his security team quickly ruled out a couple as too expensive. Then they reviewed product features and ultimately chose Network Intelligence's enVision appliance.
"It came down to price, usability, and ease of installation," Lewis said.
The agentless nature of the product was an important factor, he noted. "One of the things that systems suffer from these days--brutally so--is agent bloat. You'll have agents for rolling out patches, for intrusion detection, firewall agents. I finally said, 'Enough!'"
Less critical, but still important, was using an appliance. Another vendor offered a solution at a similar price but it was software-based, so IESO would also need to buy hardware, adding to the cost.
"It just didn't seem practical," Lewis said. "I like the ability to just drop in an appliance and be done."
In fact, he was surprised at how quickly his team was able to deploy the device. And with a Web-based front end, IESO staff can easily manage the appliance from virtually anywhere.
Several other SIM products required a lot of "care and feeding," Lewis said: "You'd have to dedicate a couple of resources full time just to take care of the beast...maintaining the agents, the system...configuration."
With the SIM in place, IESO now has a way to meet NERC auditing requirements for its security infrastructure. "We're able to demonstrate that we're collecting logs and they're being reviewed." Staff can also show remediation action taken.
The technology, which collects and correlates IDS, firewall, server, and other data, also provides security alerts in as near real-time as possible, Lewis says. The enVision dashboard allows the network operations staff to see at a glance if something is going wrong and respond.
Previously, the organization used a syslog server to collect event logs, a process that Lewis says is best described as "agonizing," especially with what he calls a noisy network that generates a lot of security events.
Basically, the SIM "is making life a lot easier for all of us," Lewis said.
Network Intelligence's pre-built reports allow IESO to generate a variety of reports. For example, a report on firewall alerts allowed the organization to spot a firewall rule change that should not have been made.
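The collect-correlate-report workflow the article describes, as an added example that is not IESO's deployment and not Network Intelligence enVision code: it parses constructed syslog lines from a firewall, an IDS and two servers, correlates activity that more than one source has seen from the same address, flags a firewall rule change that is not on a (constructed) approved-change list, and produces the "collected and reviewed" summary an auditor would ask for. The host names, IP addresses, classifier patterns and approved-change list are all assumptions made for the example.

```python
"""Minimal syslog collection, correlation and review-report logic.

Added illustration only: not IESO's deployment and not enVision code.
Every log line, host, IP and the approved-change list below is constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample feed: firewall drops, a firewall rule change, an IDS
# alert, SSH events, an unclassified web hit and one malformed line.
SAMPLE_LOGS = """\
<134>Sep 12 10:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=445
<134>Sep 12 10:01:03 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=445
<134>Sep 12 10:01:04 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=445
<133>Sep 12 10:05:30 fw01 fwadmin: config changed by user jsmith: rule 42 modified (allow any -> 198.51.100.20:445)
<132>Sep 12 10:06:10 ids01 snort[811]: [1:2000:1] SMB probe from 203.0.113.7 to 198.51.100.20
<134>Sep 12 10:07:00 srv02 sshd[4021]: Accepted publickey for ops from 192.0.2.10 port 51022
<134>Sep 12 10:08:00 srv02 sshd[4022]: Failed password for root from 203.0.113.7 port 51023
<134>Sep 12 10:09:00 web01 httpd[77]: GET /index.html 200
not a syslog line
"""

# Constructed change-control record: (user, rule number) pairs that were approved.
APPROVED_RULE_CHANGES = {("jsmith", 17)}

# RFC 3164-style header: <PRI>Mon DD HH:MM:SS host prog[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"(?:SRC=|from )(\d{1,3}(?:\.\d{1,3}){3})")

# Assumed classifiers: (pattern on "prog: msg", source type, event category).
CLASSIFIERS = [
    (re.compile(r"^kernel: DROP "), "firewall", "fw_drop"),
    (re.compile(r"^fwadmin: config changed"), "firewall", "fw_config_change"),
    (re.compile(r"^snort: "), "ids", "ids_alert"),
    (re.compile(r"^sshd: Failed password"), "server", "auth_failure"),
    (re.compile(r"^sshd: Accepted "), "server", "auth_success"),
]


def parse_syslog(line):
    """Normalize one line into a dict; return None for lines that do not fit."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    ev = {"facility": pri // 8, "severity": pri % 8, "ts": m.group("ts"),
          "host": m.group("host"), "prog": m.group("prog"), "msg": m.group("msg"),
          "source_type": "unknown", "category": "other", "src_ip": None}
    text = f"{ev['prog']}: {ev['msg']}"
    for pat, stype, cat in CLASSIFIERS:
        if pat.match(text):
            ev["source_type"], ev["category"] = stype, cat
            break
    ip = IP_RE.search(ev["msg"])
    if ip:
        ev["src_ip"] = ip.group(1)
    return ev


def collect(raw):
    """Parse a raw feed, silently dropping lines that are not syslog."""
    return [e for e in (parse_syslog(l) for l in raw.splitlines()) if e]


def correlate(events, approved_rule_changes):
    """Two correlations: one address hitting several sources, and rule changes
    not on the approved list (the kind of change the article says a report caught)."""
    alerts = []
    by_ip = defaultdict(set)
    for e in events:
        if e["src_ip"] and e["category"] in ("fw_drop", "ids_alert", "auth_failure"):
            by_ip[e["src_ip"]].add(e["source_type"])
    for ip, sources in sorted(by_ip.items()):
        if len(sources) >= 2:
            alerts.append({"type": "multi_source_activity", "src_ip": ip,
                           "sources": sorted(sources)})
    for e in events:
        if e["category"] == "fw_config_change":
            m = re.search(r"by user (\w+): rule (\d+)", e["msg"])
            user, rule = (m.group(1), int(m.group(2))) if m else (None, None)
            if (user, rule) not in approved_rule_changes:
                alerts.append({"type": "unapproved_fw_rule_change", "host": e["host"],
                               "user": user, "rule": rule, "ts": e["ts"]})
    return alerts


def review_report(events, alerts):
    """Summary a reviewer can sign off on: what was collected, from where, what was flagged."""
    return {"events_collected": len(events),
            "hosts": sorted({e["host"] for e in events}),
            "by_source_type": dict(Counter(e["source_type"] for e in events)),
            "by_category": dict(Counter(e["category"] for e in events)),
            "alerts": alerts}


if __name__ == "__main__":
    evs = collect(SAMPLE_LOGS)
    for key, value in review_report(evs, correlate(evs, APPROVED_RULE_CHANGES)).items():
        print(f"{key}: {value}")
```

The per-source and per-category counts are the "we are collecting logs and they are being reviewed" evidence; the alerts list is what the operations dashboard would surface. On a noisy network the drop counter is where volume lands, which is why the correlation keys on distinct source types rather than on raw event counts.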
The lone regret Lewis has about IESO's SIM implementation is not buying more storage from the start, primarily for compliance purposes. He has enough to last until 2012, but still plans to invest in additional capacity.
This was first published in September 2006