By Baselinemag  |  Posted 2006-05-15

Security managers need cutting-edge technologies to get a 30,000-foot view of their operations—and to wage the ongoing battle against network attacks.


1. Security Information Management

The 2006 Winter Olympic Games in Turin, Italy, needed an Olympic-size system to monitor all the security information that was generated by the networks supporting the media and Games officials.

Yan Noblot, information-security manager for the Olympics, says that during the February events in Turin, he and his team received 3.1 million security events per day—things as simple as someone restarting a PC in the downhill venue, or someone attempting to log in using an invalid password. "If you put all that on a screen, it's not manageable by a human," Noblot says.

Plus, he notes, each individual data point doesn't have a lot of value: "You want to aggregate them because a lot of the information is telling you the same thing, and then you want to correlate them to see if there's a bigger pattern."

Noblot oversaw a staff of 12—operating in teams of four in three around-the-clock shifts—who monitored network security. The entire crew works for Atos Origin, a Paris-based information-technology services company to which the International Olympic Committee outsourced the design, deployment and operation of the on-site network infrastructure.

Atos Origin also provided services for the Salt Lake City Games in 2002. It was during those events that Noblot and others in the company recognized the need for an overarching security information management system.

"The people who were managing security were managing in silos," Noblot says of the 2002 Games. "We had Windows security, Unix security, application security, network security and so on. We had all the standard security infrastructure, but we were lacking an overall view of the elements."

In Turin, the Atos Origin team used CA's eTrust Security Command Center to winnow down the 3.1 million daily alerts. An initial correlation reduced that to 49,000 discrete events. Then, the software used about 200 rules, programmed by Noblot's team, to prioritize those events based on the risk-management profile established by Atos Origin for each system. For example, any events occurring in a section of the network that runs official scoring would get priority over those in the public-access areas.

Out of those, there were actually about 10 critical alarms per day, according to Noblot. Usually, it was someone unplugging one of Atos Origin's systems to plug in his own unauthorized laptop, or people trying to log in to administrative accounts.

To Noblot, one of the benefits of having a centralized security information management system was that at the end of the Games, he and his team were able to analyze security event patterns and glean lessons about how to design the network for the next Olympics.

"It's not just about having numbers," he says. "It's about knowing the nature of the events so we can refine the way we put in controls."

Setting Priorities

RONA, Canada's largest distributor and retailer of hardware, home renovation and gardening products, was also looking for a way to get a handle on the information-security events in its 600 stores as well as its corporate offices and other facilities.

For one thing, Steve Rainville, national information-technology security administrator for RONA, realized that he needed a more formal way of responding to security incidents.

Previously, Rainville's team of six full- and part-time security analysts was trying to resolve security problems "on a best-effort basis."

In the first quarter of 2005, RONA rolled out Intellitactics' Security Manager. The software collects information from various systems—including operating systems, firewalls and network devices such as routers—from about a dozen vendors. The Intellitactics software, based on rules developed by Rainville and his group, then determines which events are outside the norm, filtering out 99% of normal events.

Now, Rainville can provide the company's internal business heads with a set of service-level agreements for how the security team will respond to events. Financial and point-of-sale systems receive the highest-priority alerts. The key: System logs are imported and analyzed in real time, instead of using batch jobs that are a day old.

RONA also expects to use the analysis of security information to demonstrate which pieces of the infrastructure have to be shored up. "We need to make sure we spend in the right places for information security," Rainville says. "It's not just a matter of throwing people or tools at a problem."
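The three-stage pipeline that both the Turin and RONA teams describe (aggregate duplicate events, correlate the stream against a set of rules, then rank what survives by the asset's risk profile) can be shown end to end in a small program. The following Python is an added example, not code from the article, from CA's eTrust Security Command Center or from Intellitactics' Security Manager; the sample events, the zone weights standing in for a risk-management profile, and the two correlation rules are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: the kinds of raw events the article mentions
# (PC reboots, invalid passwords, attempts on an admin account, a device swap on a port).
RAW_EVENTS = [
    ("2006-02-12T09:00:01", "pc-downhill-07", "venue", "reboot", ""),
    ("2006-02-12T09:00:05", "pc-downhill-07", "venue", "reboot", ""),
    ("2006-02-12T09:01:10", "scoring-db-01", "scoring", "invalid_password", "admin"),
    ("2006-02-12T09:01:12", "scoring-db-01", "scoring", "invalid_password", "admin"),
    ("2006-02-12T09:01:15", "scoring-db-01", "scoring", "invalid_password", "admin"),
    ("2006-02-12T09:01:17", "scoring-db-01", "scoring", "invalid_password", "admin"),
    ("2006-02-12T09:01:20", "scoring-db-01", "scoring", "invalid_password", "admin"),
    ("2006-02-12T09:30:00", "kiosk-press-03", "public", "invalid_password", "guest"),
    ("2006-02-12T09:30:03", "kiosk-press-03", "public", "invalid_password", "guest"),
    ("2006-02-12T10:00:00", "sw-venue-02:port7", "venue", "link_down", ""),
    ("2006-02-12T10:00:04", "sw-venue-02:port7", "venue", "link_up_unknown_mac", ""),
]

# Assumed risk-management profile: a higher weight marks a more important network zone
# (the article gives scoring systems priority over public-access areas).
ZONE_WEIGHT = {"scoring": 3, "venue": 2, "public": 1}


def parse(raw):
    """Turn the constructed tuples into event dicts with real timestamps."""
    return [{"ts": datetime.fromisoformat(t), "host": h, "zone": z, "type": k, "user": u}
            for t, h, z, k, u in raw]


def aggregate(events):
    """Collapse identical (host, type, user) events into one record with a count and time span."""
    groups = {}
    for e in events:
        key = (e["host"], e["type"], e["user"])
        g = groups.setdefault(key, {"host": e["host"], "zone": e["zone"], "type": e["type"],
                                    "user": e["user"], "count": 0, "first": e["ts"], "last": e["ts"]})
        g["count"] += 1
        g["first"] = min(g["first"], e["ts"])
        g["last"] = max(g["last"], e["ts"])
    return list(groups.values())


def correlate(events, window=timedelta(minutes=1)):
    """Apply two illustrative rules; each hit yields (severity, host, zone, description)."""
    alarms = []
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        # Rule 1: five or more failed logins against one host inside the window.
        fails = [e for e in evs if e["type"] == "invalid_password"]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(burst) >= 5:
                sev = 3 if burst[0]["user"] == "admin" else 2  # admin-account targeting rates higher
                alarms.append((sev, host, burst[0]["zone"],
                               f"{len(burst)} failed logins for {burst[0]['user']}"))
                break
        # Rule 2: a port went down and came back with an unknown MAC (possible unauthorized device).
        types = [e["type"] for e in evs]
        for a, b in zip(types, types[1:]):
            if a == "link_down" and b == "link_up_unknown_mac":
                alarms.append((2, host, evs[0]["zone"], "unknown device replaced known device on port"))
    return alarms


def prioritize(alarms, profile=ZONE_WEIGHT):
    """Rank alarms by severity times zone weight so scoring-network incidents surface first."""
    scored = [(sev * profile.get(zone, 1), sev, host, zone, desc) for sev, host, zone, desc in alarms]
    return sorted(scored, reverse=True)


def triage(raw=RAW_EVENTS):
    """Run the full pipeline and report how far the stream was reduced at each stage."""
    events = parse(raw)
    aggregated = aggregate(events)
    ranked = prioritize(correlate(events))
    return {"raw": len(events), "aggregated": len(aggregated), "alarms": ranked}


if __name__ == "__main__":
    result = triage()
    print(f"{result['raw']} raw events -> {result['aggregated']} aggregated -> {len(result['alarms'])} alarms")
    for score, sev, host, zone, desc in result["alarms"]:
        print(f"  score={score:2d} sev={sev} zone={zone:8s} {host}: {desc}")
```

Run as a script, the eleven raw events collapse to five aggregated records and two alarms, and the burst against the admin account on the scoring database ranks above the device swap in a venue because its zone weight is higher. The separation matters in practice: aggregation is what keeps the volume human-readable, the rules are where a team encodes what "outside the norm" means for its environment, and the profile is what turns a list of hits into an order of work.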

Note: e-Security was acquired by Novell in April.


