Log management tool, SIM boxes combine to form security architecture

By Linda Tucci, Senior News Writer
25 Feb 2009 | SearchCIO.com


No one disputes that log files -- the so-called black boxes of your computing systems -- can be used for all sorts of gain: troubleshooting, monitoring compliance, analyzing traffic to your website. Log files dutifully record what happens inside servers, network devices and some applications. The challenge is how to efficiently unpack this trove of (sometimes gnarly) information. For Larry Whiteside, it came down to finding the right log management tool.

Whiteside is the chief information security officer for the Visiting Nurse Service of New York (VNSNY). Effectively analyzing his organization's log files not only gives him insight into his computing environment but it's also building the metrics he needs to communicate effectively with his business peers on issues that matter most.

At a glance
Organization: Visiting Nurse Service of New York
Employees: 4,000 home health personnel
IT staff: 179
IT security staff: Three
IT executive: Larry Whiteside, CISO
Challenge: Lacked unified view of system and network activity for security and compliance purposes.
Solution: Built architecture featuring log management tool and two SIM boxes.

Some 130,000 patient medical records and pieces of credit card data fall under VNSNY's watch. The organization must comply with the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard and the Sarbanes-Oxley Act.

"When it comes down to it, they want to be able to see what the security metrics I am trying to build mean. Whether you're a board member who doesn't know how to use email or a super techie, the one thing they understand is HIPAA," Whiteside said.

When Whiteside arrived at VNSNY in December 2007 as the organization's first CISO, his overriding mission was data governance. But to practice data governance, VNSNY first had to know what data was being generated, where it was going, and who was doing what with the mountain of information.

The nation's largest not-for-profit home health care provider, VNSNY collects data from 4,000 mobile nurses with tablet PCs. It has 8,000 technology accounts, 325 servers and an additional 3,500 endpoints. Whiteside wanted a deep look into systems data, a real-time record of activity on the network and a way to correlate the two streams for an intelligent picture of events, from the firewall to the desktop.

A former security expert with the U.S. military and a fan of log management since his days working at security information management vendor netForensics Inc., Whiteside said he believed he could get what he wanted out of the VNSNY logs, provided he had the right tools.

The organization had a log management tool from RSA Security, but it was sitting there like a lump, not configured and unmonitored. When he was unsuccessful in getting the vendor's attention for help, he ended up designing his own architecture using a log management appliance from LogLogic Inc. and two Symantec Security Information Manager (SIM) appliances. SIMs collect and correlate log files from different sources to provide near real-time reporting on activity across an IT environment.

"The most challenging logs are the system-level logs, because they can come in so many forms, so many fields that need to be queried," Whiteside said. He needed a log management tool that could find "that needle in the haystack."

"I wanted to be able to do that level of querying in my most chatty areas, which are the application and system logs," he said. "LogLogic has the best querying engine to get down to system-level events."

In Whiteside's architecture, the LogLogic tool collects and normalizes the systems and application log files. One of the Symantec SIM boxes collects and normalizes all the network-based log file data -- from firewalls, intrusion prevention devices, routers and so on. The second SIM box takes all the normalized data from each machine and correlates it with rules determined by Whiteside's team.

Because the SIM dedicated to correlating events is not bogged down by the collection of events, "the amount of rules I can normalize against is just astronomical," he said. The Symantec SIM also comes with a threat awareness tool that telegraphs current threats to people authorized to receive them.

And, he adds, his hybrid solution is designed to be self-managing -- unlike SIM boxes that sit on servers that need to be managed, like those from industry leader ArcSight Inc. ("the most intuitive GUI in the industry, but their back-end technology is lacking").

That's an important consideration. Of the 179-person IT team at VNSNY, Whiteside's share is three. Indeed, his goal is to have every application and every server inside his environment reporting through this architecture, with automated correlation rules, he said. Based on the criticality rules his team sets up, the system will send alerts to everyone who needs to know when something happens.
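The tiered collect/normalize/correlate flow described above, as an added example in Python that is not part of the article or of either vendor's product: two normalizers map a system auth log and a firewall log (both constructed samples with assumed line formats) onto one shared schema, and a correlation rule with a criticality threshold turns repeated failures for one account into an alert, rated higher when the network tier saw the same source denied.

```python
import re
from collections import defaultdict

SYSTEM_LOGS = [  # constructed system/auth-tier lines (format is an assumption)
    "Feb 25 09:01:02 app01 sshd[311]: Failed password for jdoe from 10.1.4.20 port 5022",
    "Feb 25 09:01:09 app01 sshd[311]: Failed password for jdoe from 10.1.4.20 port 5023",
    "Feb 25 09:01:15 app01 sshd[311]: Failed password for jdoe from 10.1.4.20 port 5024",
    "Feb 25 09:02:00 app01 sshd[320]: Accepted password for mlee from 10.1.4.21 port 5100",
]
NETWORK_LOGS = [  # constructed network-tier (firewall) lines
    "2009-02-25T09:01:01 fw01 DENY src=10.1.4.20 dst=10.1.9.5 dport=22",
    "2009-02-25T09:01:30 fw01 ALLOW src=10.1.4.21 dst=10.1.9.5 dport=22",
]
SYS_RE = re.compile(r"^\S+ \d+ (\S+) (\S+) \S+: (Failed|Accepted) password for (\S+) from (\S+)")
NET_RE = re.compile(r"^\S+T(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)")
def normalize_system(line):
    """Map one auth log line onto the shared schema; None if it does not parse."""
    m = SYS_RE.match(line)
    if not m:
        return None
    time, host, verdict, user, src = m.groups()
    return {"time": time, "source": "system", "host": host, "src_ip": src,
            "user": user, "outcome": "fail" if verdict == "Failed" else "success"}
def normalize_network(line):
    """Map one firewall line onto the same schema (network events carry no user)."""
    m = NET_RE.match(line)
    if not m:
        return None
    time, host, action, src, dst, dport = m.groups()
    return {"time": time, "source": "network", "host": host, "src_ip": src,
            "dst_ip": dst, "dport": int(dport), "user": None,
            "outcome": "fail" if action == "DENY" else "success"}
def correlate(events, threshold=3):
    """Rule: >= threshold auth failures per account; 'high' if that source IP was also denied by a firewall."""
    denied = {e["src_ip"] for e in events if e["source"] == "network" and e["outcome"] == "fail"}
    fails = defaultdict(list)
    for e in events:
        if e["source"] == "system" and e["outcome"] == "fail":
            fails[e["user"]].append(e)
    alerts = []
    for user, evs in fails.items():
        if len(evs) >= threshold:
            srcs = {e["src_ip"] for e in evs}
            alerts.append({"user": user, "count": len(evs),
                           "severity": "high" if srcs & denied else "medium"})
    return alerts
def run():  # each tier normalizes on its own; only the merged stream is correlated
    events = [e for e in map(normalize_system, SYSTEM_LOGS) if e]
    return correlate(events + [e for e in map(normalize_network, NETWORK_LOGS) if e])
```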

"We haven't gotten this completely tuned to where I want it, but I am 100% sure it will work because I have done it before," Whiteside said.

Yet even partially deployed, his log management solution is already paying dividends on the IT and business sides of the house. For example, the system identified an account with a long-expired password, solving the mystery of why it was not working. As a member of VNSNY's compliance team -- a group that includes the head of audit, a privacy officer and in-house counsel -- Whiteside uses his log reports to show the team where the organization needs to be to pass its many compliance audits. "The reports allow me to build a baseline of security metrics," he said.

Whiteside, who acknowledges getting a discount from his vendors for agreeing to talk to reporters, declined to say how much the system cost, except that the price point even without the discount was low enough that he didn't have to lobby to spend the money for it. He figures it would take a full-time person to do the work his log management tool does in four hours per week.

Dominique Levin, executive vice president of marketing and strategy at San Jose, Calif.-based LogLogic, said the business case for an automated log management solution almost makes itself as the volume of data generated by company computing systems expands to surreal dimensions. (VNSNY uses LogLogic's MX appliance, which is tailored to the midmarket and costs $45,000.)

"Something like 80% of the companies are doing log management before LogLogic arrives on the scene," she said. "They use Unix boxes and scripts, and then they get stuck."

The regulatory climate underscores the need to stay on top of it all, she said. Many security and compliance mandates refer to machine language that must be translated "into something we can keep up with."
