Security Smarts

Schools employ security information and event management systems to make sense of security alerts.


September 2010 E-newsletter

Security Lockdown

Security Smarts

SSL VPN Virtuoso

WatchGuard XTM 530

Data Loss Prevention

As cyberthreats proliferate and become more dangerous, IT professionals need all the help they can get to protect their organizations. Enter security information and event management (SIEM), an essential tool for analyzing and prioritizing the plethora of event information and security logs that networks generate.

Available from makers such as Check Point, Cisco Systems, Juniper Networks, Novell, RSA and Symantec, SIEM systems help IT react to security incidents quickly, says Jerry Shenk, senior analyst with the SANS Institute. By analyzing and correlating events that occur on a network – from a user logging on to a database being queried to a router being unplugged – then prioritizing these events according to preset definitions, SIEM sifts through millions of log records to efficiently report on the critical incidents that require immediate attention. Reporting capabilities also aid investigations and further regulatory compliance by providing a record of events.

Montgomery County Public Schools in Maryland uses RSA EnVision to correlate alerts and alarms from the school system's network, which is one of the largest networks in the county.

“In the security industry, people are always saying, ‘review your logs.' But for every application, there's an event log or a system log, and there just is not enough time in the day or staff to truly understand what those logs mean,” says Larry Wong, information assurance and risk management supervisor and cybersafety program manager for the school system. “EnVision correlates events and runs reports so you can keep yourself up to date and figure out what's out of whack.”

The district also uses EnVision to collect information for its routine required audits. “We have to respond to questions and go through the logs to determine configuration settings, etc., and it's a very tedious job,” says Wong. “One of the auditors recommended a tool like RSA EnVision to make it easier.”

78%
Percentage of respondents at midsize organizations who said detecting and preventing unauthorized access and insider abuse was the top reason to use log management, which is a subset of SIEM.

Source: SANS Institute, June 2010

Conquering Complexity

The need for SIEM is evident, says Shenk. “Even very small organizations can generate millions of events a day, and you simply can't read all of those logs,” he says. “People need something to help them process all of that information.”

Fairfax County Public Schools in Virginia is the 12th-largest school system in the country, with more than 200,000 user accounts on its network, including staff, students and parents. About two years ago, the school system began using the Novell Sentinel SIEM tool, which came with the software maker's Identity Manager product. The IT department deployed Sentinel for its auditing capability, says Ted Davis, director of enterprise information services and assessment.

“We use Sentinel to audit transactions on ID Manager. We've set it up to look for specific things like doing new hires and terminations, certain circumstances that might indicate inappropriate activity,” Davis says.  “Sentinel records the transactions and has the ability to flag specific circumstances and tell us if we need to pursue them further.”

The school department is still using version 6 of Sentinel but looks forward to upgrading to the current version to take advantage of its reporting features. “The current release is much more streamlined, and that's something we need,” says Davis.

SIEM Strategies

Here are some tips for getting the most from security information and event management technology:

  • Conduct pre-deployment planning to understand the type and number of sources from which the product will pull information, as well as the anticipated event rate. This will help align expectations.
  • Let your organization's needs – not the capabilities of the product – drive deployment.
  • Once installed, allow for time to train the SIEM tool so that it can learn what events and information you deem critical versus routine. A 12- to 18-month ramp-up period is typical.
  • Teach the product to prioritize events in a way that echoes IT's priorities.
  • Conduct occasional fine-tuning to keep up with ever-changing IT environments.
  • Update the SIEM system whenever new hardware or software is added to the network.