Log management tool saves big on network fixes, integrates with IPS

Log management saves $100,000 in help desk costs for one campus environment, plus offers "forensics on the fly," while IPS integration boosts efficiency and effectiveness.

This Content Component encountered an error

Talented managers can spot potential in the ranks and groom employees to do more than the job title implies. That's what Brad Blake, IT director at Boston Medical Center (BMC), does with security tools -- specifically, he has grown a log management tool, purchased to manage misbehaving ports, into the eyes and ears of his network.

He achieved this feat by pairing the log management tool -- which cost about $150,000 but saves the company $100,000 per year -- with the hospital's intrusion prevention system (IPS). Both vendors, ArcSight Inc. and McAfee Inc., helped.

"My security engineers can see an event in the McAfee IPS, right-click on it and execute an ArcSight command to shut the port off at that infected device," he said.

It was four years ago that Blake sought a solution to network problems spanning the 29-building Boston Medical Center. Over the years, networks and clients were upgraded from 10 MB to 100 MB, but if a client machine and the network were not set correctly for 100 MB, the system "autonegotiated" to the lower end of the setting, requiring a senior engineer to locate and reset the switch. An expensive fix.

"We were constantly struggling with managing ports that connect to networks, specifically the speed they were set up for," Blake said. "We started to look in the marketplace for something that was simple and easy to use for our help desk folks, so that when a call came in they could at least take a look at the two big issues we were dealing with at this time -- the speed and the duplex settings on the network cards."

BMC found a log management tool from security information and event management vendor ArcSight. The ArcSight Logger could be configured to let senior and midlevel help desk staff members function as first responders for port speed issues.

"From a pure cost savings it was obviously a big win for us. Over the course of a year, I probably burnt an entire full-time network engineer," or more than $100,000, Blake said.

Log management + IPS = intelligent security

As future versions of the ArcSight Logger software were launched, Blake's team configured Logger "to walk" its entire network and map -- in Microsoft Visio diagrams -- the locations of all its equipment. Then the team configured Logger to gather the log files from the far-flung systems that IT owned and pull them into a central location.

"That gave us the ability to do searches and run reports on the information we were looking for," Blake said.

The solution, which cost approximately $150,000, gave what Blake (and ArcSight) like to call "forensics on the fly." Instead of waiting for the distress call, the logger helps anticipate problems on the network. For example, last year the ArcSight Logger resolved a spanning tree loop problem in a matter of minutes. Usually such glitches require a three-day fix.

Charles Kolodgy, research director, secure products at Framingham, Mass.-based IDC, said that in these days of diminishing IT budgets and rising security threats, taking an entrepreneurial approach to one's security architecture is becoming a necessity.

"Security ranges between 5% and 10% of your total IT budget," he said. A small company might have only a $5 million IT budget. "They'll be lucky if they spend $500,000 [on security], and the security covers a lot of product areas -- desktop security, your IPS, firewalls and antispam. There are 40 or 50 technologies you can get."

As for log management, consolidating logs in a central location for management purposes is one thing, but you also need the context of those transactions, Kolodgy said.

"The logs can be massively large. You need to be able to find correlations between them and be able to use that information in ways that can either vastly improve your security, such as helping you tune your intrusion prevention system, or possibly even tying it into your identity system," Kolodgy said.

Enterprising IT executive marries ArcSight and McAfee

That is essentially what Blake did. The Logger appliance didn't provide an easy-to-look-at view of what was going on. BMC is a McAfee shop. An admirer of the color-coded screen of his IPS system, Blake approached McAfee and ArcSight and spearheaded an integration of the two products.

"What I am trying to do is get us into a more proactive mode around our security, because it has become such a hot topic," Blake said.

Let us know what you think about the story; email Linda Tucci, Senior News Writer.

Dig deeper on IT and business management for Small Business

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCompliance

SearchHealthIT

SearchCloudComputing

SearchMobileComputing

SearchDataCenter

Close