FRAMINGHAM (03/17/2004) - This is the third in a special Fusion series spotlighting enterprise network managers' innovative use of management products to automate processes, prevent outages and save money. Stay tuned for more.
Bob Wrobel had two objectives: He wanted to secure Ace Hardware Corp.'s corporate network, and he wanted to do it using the minimum of man-hours.
The data security manager at the Oak Brook, Ill., headquarters says Ace started an initiative to better secure its network and prevent back-door intruders from wreaking havoc on its internal systems. Ace is a cooperative of about 4,900 retail stores, but Wrobel isn't involved in the security or management tools each franchise deploys across its infrastructure. Instead, he is challenged with keeping the corporate site accessible to valid users and off-limits to those looking to corrupt his net.
"We are involved in securing off the network because there is a back-door relationship with Ace's net," Wrobel says. "Our main objective is to lock down the system, and then to be able to quickly correlate the system logs from multi-vendor products to spot patterns."
Wrobel's staff is responsible for Internet access as well. While dealers independently own their stores, the Web is the best place for the Ace brand to flourish. Poor performance or security breaches on the corporate site could adversely affect the perception of Ace countrywide, he argues.
"We often get messages from our firewalls (Ace has three corporate and four remote firewalls) that would require us to go into them and try to determine the problem," Wrobel says. "Simply put, we were just too reactive in terms of security."
Simplifying security devices
Another issue for Wrobel was his heterogeneous security net. He had firewalls from Check Point Software Technologies Ltd., intrusion detection systems from Internet Security Systems Inc. (ISS), intrusion prevention systems and Nokia Corp. gear as well. He says the mix-and-match nature of his equipment and software made it even more difficult for the staff of four security administrators to pinpoint vulnerabilities and spot potential intruders.
"There is so much time associated with going over logs. We want the ability to get some type of single error message or single piece of information that points us to everything we need to know to prevent the problem. Something to highlight the big ticket items, without affecting the performance of the devices," he says.
Wrobel started talking to his vendors -- Nokia, Check Point and ISS -- about how to collect and correlate multiple logs. While each vendor offers tools for its platform, Wrobel soon realized he needed to look beyond security vendors for the management capabilities he desired for Ace's corporate net.
"Our first initiative is to handle security system performance and manage those system logs," Wrobel says.
Wrobel started to examine security event management (SEM) and security information management (SIM) vendors.
These types of tools usually consist of software, servers and agents or probe appliances, designed to automate the collection of event log data from security devices and help users make sense of it through a common management console.
The products use data aggregation and event correlation features similar to those of network-management software and apply them to event logs generated from security devices such as firewalls, proxy servers, intrusion-detection systems and anti-virus software. SEM or SIM products can also normalize data -- translate Cisco Systems Inc. and Check Point Software alerts, for example, into a common format so the data can be correlated.
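The normalize-then-correlate step described above, as an added illustration that is not code from the article, from OpenService or from any vendor named here. The log lines are constructed, only loosely modelled on Check Point and Cisco PIX firewall message styles, and the common event schema is an assumption of this example:

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """Vendor-neutral schema every log line is mapped onto."""
    vendor: str
    device: str
    action: str   # 'deny' or 'allow'
    src: str
    dst: str
    dport: int


# Constructed sample lines; they are not real captures.
SAMPLE_LOGS = [
    'cp-fw1 action=drop src=203.0.113.7 dst=192.0.2.10 service=445 proto=tcp',
    'cp-fw2 action=drop src=203.0.113.7 dst=192.0.2.11 service=445 proto=tcp',
    'cp-fw1 action=accept src=198.51.100.3 dst=192.0.2.20 service=443 proto=tcp',
    'pix-dmz %PIX-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:192.0.2.12/445',
]

CP_RE = re.compile(r'^(?P<device>\S+) action=(?P<action>\w+) src=(?P<src>\S+) '
                   r'dst=(?P<dst>\S+) service=(?P<dport>\d+)')
PIX_RE = re.compile(r'^(?P<device>\S+) %PIX-\d-\d+: (?P<action>Deny|Permit) \w+ '
                    r'src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')


def normalize(line):
    """Map one vendor-specific line onto the common Event schema (None if unknown)."""
    m = CP_RE.match(line)
    if m:
        action = 'deny' if m['action'] == 'drop' else 'allow'
        return Event('checkpoint', m['device'], action, m['src'], m['dst'], int(m['dport']))
    m = PIX_RE.match(line)
    if m:
        action = 'deny' if m['action'] == 'Deny' else 'allow'
        return Event('cisco', m['device'], action, m['src'], m['dst'], int(m['dport']))
    return None


def correlate(events, min_devices=2):
    """Flag sources denied on at least min_devices distinct devices, across vendors."""
    seen = defaultdict(set)
    for ev in events:
        if ev.action == 'deny':
            seen[ev.src].add(ev.device)
    return {src: sorted(devs) for src, devs in seen.items() if len(devs) >= min_devices}


if __name__ == '__main__':
    events = [e for e in map(normalize, SAMPLE_LOGS) if e]
    print(correlate(events))  # the one source denied on all three firewalls
```

Once both formats share one schema, the correlation rule needs no vendor-specific logic, which is the point of normalizing before correlating.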
Companies in this area include ArcSight Inc., e-Security Inc., GuardedNet Inc., netForensics Inc. and OpenService Inc.
Wrobel went with OpenService's Security Threat Manager (STM) to begin his staff's battle against thousands of system logs. OpenService provided an engineer to install the software, and Wrobel admits he and his staff are using the product for minimal functions right now.
"We are in a watch-and-see stage right now. There are things we want to do with it, and we will, but right now it's making managing those logs a lot easier for the staff," Wrobel says.