Rolling out a new breed of tools that capture information from IT security logs can be a daunting task for corporate users, who may need to bulk up their systems and storage devices to handle the torrents of data that can be generated.
But MasterCard International has survived the deployment process and is seeing big gains in efficiency among its security staffers, says Malcolm McWhinnie, the company's head of information security technology.
In April MasterCard installed Sentinel — a security information management tool from vendor e-Security — on its mainframe and distributed servers and on hundreds of network devices at its datacentre in the US. The goal, McWhinnie says, was to simplify security event management procedures that were previously handled by custom-built tools. Those tools required a great deal of maintenance and had limited scalability, he says.
McWhinnie hasn't done a formal calculation of return on investment but says, "my people are spending much more time drilling into the security events they see and much less time managing the tool."
Sentinel collects and evaluates "millions and millions" of security-related logs daily, helping MasterCard's security workers by eliminating things such as false-positive reports, McWhinnie says. It took only three months to implement the software, but he says a large amount of "grunt and groan" work was required to tune the tool so it would report only actionable security events and avoid passing on too much irrelevant data.
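The "grunt and groan" tuning McWhinnie describes boils down, in most SIM deployments, to two kinds of rule: suppression of known-benign sources (the false positives) and correlation that collapses a burst of related raw events into one alert. The Python below is an added illustration of that idea and is not Sentinel's rule language, MasterCard's configuration or any code from the article; the log lines, hostnames, addresses, the "known scanner" address and the thresholds are all constructed for the example.

```python
"""Added example: a small SIM-style tuning pass that turns raw log lines into
a short list of actionable alerts.  Constructed data and simplified rules;
not Sentinel's rule language or MasterCard's configuration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts, RFC 1918 / RFC 5737 addresses).
RAW_LOG = """\
2005-04-01T10:00:01 fw01 DENY src=10.9.9.9 dst=192.0.2.10 dport=22
2005-04-01T10:00:02 fw01 DENY src=10.9.9.9 dst=192.0.2.11 dport=22
2005-04-01T10:00:03 fw01 DENY src=10.9.9.9 dst=192.0.2.12 dport=22
2005-04-01T10:00:05 fw01 DENY src=10.1.1.5 dst=192.0.2.10 dport=445
2005-04-01T10:00:06 fw01 DENY src=10.1.1.5 dst=192.0.2.11 dport=445
2005-04-01T10:00:07 fw01 DENY src=10.1.1.5 dst=192.0.2.12 dport=445
2005-04-01T10:00:08 fw01 DENY src=10.1.1.5 dst=192.0.2.13 dport=445
2005-04-01T10:00:09 fw01 DENY src=10.2.2.7 dst=192.0.2.20 dport=80
2005-04-01T10:01:00 srv01 AUTH_FAIL user=alice src=10.3.3.3
2005-04-01T10:01:10 srv01 AUTH_FAIL user=alice src=10.3.3.3
2005-04-01T10:01:20 srv01 AUTH_FAIL user=alice src=10.3.3.3
2005-04-01T10:01:30 srv01 AUTH_FAIL user=alice src=10.3.3.3
2005-04-01T10:01:40 srv01 AUTH_FAIL user=alice src=10.3.3.3
2005-04-01T10:05:00 srv01 AUTH_FAIL user=bob src=10.4.4.4
"""

# Tuning knobs (assumed values chosen for the sample data).
KNOWN_SCANNERS = {"10.9.9.9"}   # authorised vulnerability scanner: a known false-positive source
WINDOW = timedelta(seconds=60)  # correlation window
AUTH_FAIL_THRESHOLD = 5         # failed logins from one source within WINDOW
SCAN_DISTINCT_DST = 3           # distinct denied destinations from one source within WINDOW

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Normalise one raw line into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    ev.update(KV_RE.findall(rest))  # key=value pairs become dict entries
    return ev


def correlate(events, key, window, predicate, fire):
    """Group events by key, slide a time window over each group and call
    fire(key, window_events) once per window where predicate holds.  Events a
    fired window consumed are not reused, so one burst yields one alert."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    alerts = []
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            window_evs = evs[i:j]
            if predicate(window_evs):
                alerts.append(fire(k, window_evs))
                i = j
            else:
                i += 1
    return alerts


def tune(raw_log):
    """Return (alerts, stats): actionable alerts plus counts showing the reduction."""
    events = [e for e in (parse(l) for l in raw_log.splitlines()) if e]
    # Rule 1: suppression of known-benign sources before any correlation runs.
    kept = [e for e in events if e.get("src") not in KNOWN_SCANNERS]
    denies = [e for e in kept if e["event"] == "DENY"]
    fails = [e for e in kept if e["event"] == "AUTH_FAIL"]
    # Rule 2: one source denied to many distinct destinations inside the window.
    alerts = correlate(
        denies, key=lambda e: e["src"], window=WINDOW,
        predicate=lambda w: len({e["dst"] for e in w}) >= SCAN_DISTINCT_DST,
        fire=lambda src, w: {"rule": "port_sweep", "src": src,
                             "targets": sorted({e["dst"] for e in w}), "count": len(w)})
    # Rule 3: repeated authentication failures from one source inside the window.
    alerts += correlate(
        fails, key=lambda e: e["src"], window=WINDOW,
        predicate=lambda w: len(w) >= AUTH_FAIL_THRESHOLD,
        fire=lambda src, w: {"rule": "auth_bruteforce", "src": src,
                             "users": sorted({e["user"] for e in w}), "count": len(w)})
    stats = {"raw": len(events), "after_suppression": len(kept), "alerts": len(alerts)}
    return alerts, stats


if __name__ == "__main__":
    found, counts = tune(RAW_LOG)
    print(counts)
    for a in found:
        print(a)
```

On the constructed data the pass takes 14 raw events down to 2 alerts: the three scanner denies never reach the sweep rule, the four denies from 10.1.1.5 collapse into one port-sweep alert, the five failures for alice become one brute-force alert, and the single failure for bob stays below threshold. In a real deployment the thresholds, window and suppression list are exactly the settings that take months to get right, and every suppression should be recorded with its justification so it can be reviewed rather than silently hiding events.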
Because of such challenges, MasterCard's early success is a rarity among large SIM (security information management) rollouts, says George Hamilton, an analyst at the Yankee Group who is familiar with the project.
Hamilton says SIM tools began attracting a lot of attention last year, partly because of reporting requirements imposed by regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. However, he says the software can be a "nightmare" to manage, "with thousands of event logs being reported per second" from servers, firewalls, intrusion-protection and intrusion-detection systems and other components.
Also, many users haven't been prepared for the increased need for storage hardware, servers and database administrators that SIM implementations can impose, Hamilton says.
Although MasterCard added an unspecified number of servers and storage devices as part of the Sentinel rollout, it didn't need to increase its database administration staff, McWhinnie says. He says MasterCard set a detailed "escalation plan" for dealing with the data generated by the tool.
MasterCard's prior experiences with its own tools helped to simplify resource planning, McWhinnie says. "Data explosion was not a problem, because we foresaw it and dealt with it upfront.
"We already knew where some of the pitfalls would be and went into this with very open eyes."
McWhinnie declined to disclose the SIM rollout's cost, describing it only as a medium-size IT project for MasterCard. He also wouldn't identify the other products his team evaluated before choosing Sentinel.
Officials at e-Security say the Sentinel server software costs US$89,000 (NZ$130,000) with support for 20 devices. There is an additional cost of US$300-$700 per network or security device.