
Log management tool, SIM boxes combine to form security architecture

A new CISO builds an information security architecture to analyze log files and create metrics for business discussions on compliance and security.

No one disputes that log files -- the so-called black boxes of your computing systems -- can be used for all sorts of gain: troubleshooting, monitoring compliance, analyzing traffic to your website. Log files dutifully record what happens inside servers, network devices and some applications. The challenge is how to efficiently unpack this trove of (sometimes gnarly) information. For Larry Whiteside, it came down to finding the right log management tool.

Whiteside is the chief information security officer for the Visiting Nurse Service of New York (VNSNY). Effectively analyzing his organization's log files not only gives him insight into his computing environment but it's also building the metrics he needs to communicate effectively with his business peers on issues that matter most.

Some 130,000 patient medical records and pieces of credit card data fall under VNSNY's watch. The organization must comply with the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard and the Sarbanes-Oxley Act.

"When it comes down to it, they want to be able to see what the security metrics I am trying to build mean. Whether you're a board member who doesn't know how to use email or a super techie, the one thing they understand is HIPAA," Whiteside said.

When Whiteside arrived at VNSNY in December 2007 as the organization's first CISO, his overriding mission was data governance. But to practice data governance, VNSNY first had to know what data was being generated, where it was going, and who was doing what with the mountain of information.

The nation's largest not-for-profit home health care provider, VNSNY collects data from 4,000 mobile nurses with tablet PCs. It has 8,000 technology accounts, 325 servers and an additional 3,500 endpoints. Whiteside wanted a deep look into systems data, a real-time record of activity on the network and a way to correlate the two streams for an intelligent picture of events, from the firewall to the desktop.

A former security expert with the U.S. military and a fan of log management since his days working at security information management vendor netForensics Inc., Whiteside said he believed he could get what he wanted out of the VNSNY logs, provided he had the right tools.

The organization had a log management tool from RSA Security, but it was sitting there like a lump, not configured and unmonitored. When he was unsuccessful in getting the vendor's attention for help, he ended up designing his own architecture using a log management appliance from LogLogic Inc. and two Symantec Security Information Manager (SIM) appliances. SIMs collect and correlate log files from different sources to provide near real-time reporting on activity across an IT environment.

"The most challenging logs are the system-level logs, because they can come in so many forms, so many fields that need to be queried," Whiteside said. He needed a log management tool that could find "that needle in the haystack."

"I wanted to be able to do that level of querying in my most chatty areas, which are the application and system logs," he said. "LogLogic has the best querying engine to get down to system-level events."

In Whiteside's architecture, the LogLogic tool collects and normalizes the systems and application log files. One of the Symantec SIM boxes collects and normalizes all the network-based log file data -- from firewalls, intrusion prevention devices, routers and so on. The second SIM box takes all the normalized data from each machine and correlates it with rules determined by Whiteside's team.

Because the SIM dedicated to correlating events is not bogged down by the collection of events, "the amount of rules I can normalize against is just astronomical," he said. The Symantec SIM also comes with a threat awareness tool that telegraphs current threats to people authorized to receive them.

And, he adds, his hybrid solution is designed to be self-managing -- unlike SIM boxes that sit on servers that need to be managed, like those from industry leader ArcSight Inc. ("the most intuitive GUI in the industry, but their back-end technology is lacking").

That's an important consideration. Of the 179-person IT team at VNSNY, Whiteside's share is three. Indeed, his goal is to have every application and every server inside his environment reporting through this architecture, with automated correlation rules, he said. Based on the criticality rules his team sets up, the system will send alerts to everyone who needs to know when something happens.
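As an added illustration (not VNSNY's configuration or any vendor's code), here is a toy version of the normalize-then-correlate split described above: two collectors map constructed system and firewall log lines into one event schema, and a separate correlator applies rules over the merged stream and tags each alert with a criticality level. The repeated-failure rule is the kind that would surface an account whose password has long expired; the hostnames, users and thresholds are invented.

```python
import re
from collections import Counter

# Constructed sample lines standing in for the two collectors' inputs.
SYSTEM_LOGS = [
    "Mar 3 08:01:02 app01 sshd[411]: Failed password for jdoe from 10.1.2.3 port 5100",
    "Mar 3 08:01:09 app01 sshd[411]: Failed password for jdoe from 10.1.2.3 port 5101",
    "Mar 3 08:01:15 app01 sshd[412]: Failed password for jdoe from 10.1.2.3 port 5102",
    "Mar 3 08:02:00 app01 sshd[413]: Accepted password for nurse42 from 10.1.2.9 port 5200",
]
NETWORK_LOGS = [
    "fw01 deny tcp 10.1.2.3 -> 10.1.5.5:445",
    "fw01 allow tcp 10.1.2.9 -> 10.1.5.5:443",
]
SYS_RE = re.compile(r"^\S+ \d+ [\d:]+ (?P<host>\S+) \w+\[\d+\]: "
                    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
NET_RE = re.compile(r"^(?P<dev>\S+) (?P<action>allow|deny) \w+ (?P<src>\S+) -> (?P<dst>\S+):\d+$")

def normalize_system(lines):
    """Collector for system/application logs (LogLogic's role in the article): common schema."""
    return [{"source": "system", "host": m["host"], "user": m["user"], "src_ip": m["src"],
             "outcome": "fail" if m["result"] == "Failed" else "ok"}
            for m in map(SYS_RE.match, lines) if m]

def normalize_network(lines):
    """Collector for network logs (first SIM's role): same schema, user unknown."""
    return [{"source": "network", "host": m["dev"], "user": None, "src_ip": m["src"],
             "outcome": "fail" if m["action"] == "deny" else "ok"}
            for m in map(NET_RE.match, lines) if m]

def correlate(events, fail_threshold=3):
    """Correlator (second SIM's role): rules over the merged stream; alerts carry a criticality."""
    alerts = []
    fails = Counter(e["user"] for e in events if e["source"] == "system" and e["outcome"] == "fail")
    for user, n in sorted(fails.items()):
        if n >= fail_threshold:  # an expired or locked credential shows up as exactly this pattern
            alerts.append({"criticality": "high", "rule": "repeated-auth-failure",
                           "detail": f"{user}: {n} failed logins; check password expiry/lockout"})
    denied = {e["src_ip"] for e in events if e["source"] == "network" and e["outcome"] == "fail"}
    pairs = {(e["src_ip"], e["host"]) for e in events
             if e["source"] == "system" and e["outcome"] == "fail" and e["src_ip"] in denied}
    for ip, host in sorted(pairs):  # cross-source rule: denied at the firewall and failing logins
        alerts.append({"criticality": "medium", "rule": "denied-host-auth-failure",
                       "detail": f"{ip} blocked by firewall and failing logins on {host}"})
    return alerts

def run_pipeline(system_lines, network_lines):
    """Collect from both sources, then hand the merged, normalized stream to the correlator."""
    return correlate(normalize_system(system_lines) + normalize_network(network_lines))
```

Calling `run_pipeline(SYSTEM_LOGS, NETWORK_LOGS)` on the constructed samples yields one high alert for jdoe and one medium alert for 10.1.2.3 on app01.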

"We haven't gotten this completely tuned to where I want it, but I am 100% sure it will work because I have done it before," Whiteside said.


Yet even partially deployed, his log management solution is already paying dividends on the IT and business sides of the house. For example, the system identified an account with a long-expired password, solving the mystery of why it was not working. As a member of VNSNY's compliance team -- a group that includes the head of audit, a privacy officer and in-house counsel -- Whiteside uses his log reports to show the team where the organization needs to be to pass its many compliance audits. "The reports allow me to build a baseline of security metrics," he said.

Whiteside, who acknowledges getting a discount from his vendors for agreeing to talk to reporters, declined to say how much the system cost, except that the price point even without the discount was low enough that he didn't have to lobby to spend the money for it. He figures it would take a full-time person to do the work his log management tool does in four hours per week.

Dominique Levin, executive vice president of marketing and strategy at San Jose, Calif.-based LogLogic, said the business case for an automated log management solution almost makes itself as the volume of data generated by company computing systems expands to surreal dimensions. (VNSNY uses LogLogic's MX appliance, which is tailored to the midmarket and costs $45,000.)

"Something like 80% of the companies are doing log management before LogLogic arrives on the scene," she said. "They use Unix boxes and scripts, and then they get stuck."

The regulatory climate underscores the need to stay on top of it all, she said. Many security and compliance mandates refer to machine language that must be translated "into something we can keep up with."

Let us know what you think about the story; email: Linda Tucci, Senior News Writer
