SIM appliance helps credit unions with compliance, incident response

By Marcia Savage, Features Editor, Information Security magazine
05 Aug 2008 | SearchSecurity.com

With new federal IT requirements requiring credit unions to have a forensics trail in the event of a breach, the U.S. Postal Service Federal Credit Union (USPS FCU) faced the daunting task of manually consolidating its many system logs. The time-consuming chore wasn't practical given the credit union's small, four-member IT team.

"I had to come up with a more intelligent way to do this," said Alan McHugh, manager of information technology at USPS FCU, a midsize credit union based in Clinton, Md., with eight branches across the U.S.

He began looking at security information management (SIM) and log management products and ultimately selected the TriGeo SIM. The appliance collects, correlates and normalizes data from USPS FCU's firewalls, terminals, servers and routers. "It's a one stop shop," McHugh said.

The appliance alerts him to threats, both internal and external, via email or text message, and enforces policy. He can set it to report on certain services such as FTP or Telnet; for example, when TriGeo logs an employee using Telnet, it will alert him. "Someone on the teller line wouldn't need Telnet or FTP. I have the granular ability to say, 'Now shut it down'," McHugh said. He also has a log trail of user activity.

The device provides a central place for McHugh to track down what's happening on the roughly 150-node network, and he's been able to locate and shut down sources of attempted brute force attacks on the perimeter. "I have the source IP of where it's coming from, and can look up the IP and see who owns it, and will contact that company," he said. "If I can't reach the company, I'll call the ISP, who is usually quite responsive."
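The two detections described in the preceding paragraphs (a teller-line workstation opening a Telnet or FTP session, and repeated failed logins from one external source IP) are the kind of correlation rule a SIM runs over normalized logs. The following is an added example written for this article, not TriGeo's code or its log format: the firewall and SSH log lines are constructed, the teller subnet 10.20.5.0/24 is an assumption, and the brute-force threshold (five failures inside ten minutes) is a value a practitioner would tune to their own environment.

```python
"""Two SIM-style correlation rules run over constructed sample logs.

Rule 1: a host on the teller subnet connects to a cleartext admin service
        (Telnet/23 or FTP/21), which teller staff have no business reason to use.
Rule 2: a single source IP produces THRESHOLD or more failed logins within
        WINDOW, i.e. an attempted brute force against the perimeter.
Added illustration; log formats, subnet and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed firewall connection log (not real data).
FIREWALL_LOG = """\
2008-07-14 09:01:12 ALLOW TCP 10.20.5.31:51522 -> 10.20.1.10:445
2008-07-14 09:03:40 ALLOW TCP 10.20.5.31:51530 -> 10.20.1.12:23
2008-07-14 09:05:02 DENY TCP 10.20.5.44:49810 -> 203.0.113.77:21
2008-07-14 09:06:55 ALLOW TCP 10.20.9.8:40001 -> 10.20.1.12:23
"""

# Constructed perimeter SSH auth log (not real data), in time order.
AUTH_LOG = """\
2008-07-14 02:10:01 sshd[911]: Failed password for root from 198.51.100.23
2008-07-14 02:10:03 sshd[912]: Failed password for admin from 198.51.100.23
2008-07-14 02:10:04 sshd[913]: Failed password for invalid user oracle from 198.51.100.23
2008-07-14 02:10:06 sshd[914]: Failed password for test from 198.51.100.23
2008-07-14 02:10:07 sshd[915]: Failed password for guest from 198.51.100.23
2008-07-14 02:10:09 sshd[916]: Failed password for root from 198.51.100.23
2008-07-14 02:15:30 sshd[920]: Failed password for jsmith from 192.0.2.5
2008-07-14 02:40:11 sshd[931]: Accepted password for jsmith from 192.0.2.5
2008-07-14 02:41:00 sshd[932]: Failed password for jsmith from 192.0.2.5
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) sshd\[\d+\]: Failed password for .+ from (?P<src>[\d.]+)$"
)

CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet"}
TELLER_NET = "10.20.5.0/24"  # assumed teller-line subnet


def teller_cleartext_sessions(fw_log, teller_net=TELLER_NET,
                              services=CLEARTEXT_SERVICES):
    """Return (timestamp, action, src, dst, service) for every Telnet/FTP
    connection attempt from the teller subnet. DENY lines are reported too:
    the attempt itself is the policy violation, whether or not it succeeded."""
    net = ipaddress.ip_network(teller_net)
    hits = []
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        dport = int(m["dport"])
        if dport in services and ipaddress.ip_address(m["src"]) in net:
            hits.append((m["ts"], m["action"], m["src"], m["dst"], services[dport]))
    return hits


def brute_force_sources(auth_log, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failed logins per source IP.
    Returns {src_ip: peak failures seen inside one window} for sources that
    reached the threshold. Assumes lines arrive in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # successes and other messages do not count
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["src"]] = max(flagged.get(m["src"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for hit in teller_cleartext_sessions(FIREWALL_LOG):
        print("POLICY: teller host used %s: %s" % (hit[4], hit))
    for ip, n in brute_force_sources(AUTH_LOG).items():
        print("BRUTE FORCE: %s, %d failures in window; look up owner/ISP" % (ip, n))
```

On the sample data the first rule flags the two teller-subnet hosts (one Telnet session that was allowed, one FTP attempt that the firewall denied) and ignores the admin host on 10.20.9.8, while the second rule flags only 198.51.100.23, whose six failures land inside one window; the two scattered failures from 192.0.2.5 stay under the threshold. The source IP the second rule returns is the value McHugh describes looking up to find the owning organization or ISP.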

Other SIM products from large vendors were tailored for big enterprises and were too expensive, McHugh said: "It would have been overkill, budget-wise." He said some of those vendors have offered stripped down versions of their products to smaller organizations, but he believes those products fail to provide the functionality of TriGeo.

Cost was also a big factor for Pasadena Federal Credit Union (PFCU) in choosing a SIM. The California-based credit union has about 40 employees, including a two-member IT staff. Mike McDanell, IT supervisor and information security officer at PFCU, said he wanted a way to aggregate his logs and looked at SIM products from Cisco Systems Inc., Symantec Corp. and several others. "They didn't do nearly as much as TriGeo, especially for the cost," he said. TriGeo starts at $20,000, including the box and agents; McDanell said one SIM from a large vendor was about $95,000.

"TriGeo has active response, which allows me to assign rules to the logs that come in, so I can tell it to perform an action if something does occur in the network, down to the workstation level," McDanell said.

By pulling firewall, antivirus, server, workstation and Web mail logs into one place, the appliance is saving him time. "It's making a lot less work for me as far as reviewing logs," he said. "And I can generate a lot of reports." TriGeo provides many preformatted reports but also enables customized reports.

The SIM system is compatible with a lot of devices, he added: "Just about every device you have, from Juniper devices to Barracuda spam firewalls, it can hook into and pull reports from."

Nick Selby, director of research operations and enterprise security practice director at The 451 Group, said SIM technology has become more mainstream and enterprises are finding that products from TriGeo, Q1Labs, Cisco, eIQnetworks, ArcSight, High Tower Software, netForensics and others are easier to use and maintain, plus cheaper to own than early SIM systems.

"Some of the drawbacks have been the tradeoff between price and functionality, and complexity of getting the systems set up, but this second generation, and particularly user-friendly enterprise SIM (ESIM) from established vendors like TriGeo and the others, make setup much easier, as do startups like Inspekt Security, which offers ESIM as a service," he said.

TriGeo has succeeded in marketing to small and midsize enterprises, Selby said. "It has shown innovation in its technology as well as its partnership choices," he added. "For example, bundling Snort to provide and maintain intrusion detection for businesses which may not have the resources to set up or maintain it."

For both credit unions, a big plus is TriGeo's USB Defender, which is bundled with the vendor's Windows agent and catches unauthorized USB flash drive insertions. "It denies anything I don't let onto the system as far as USBs," PFCU's McDanell said. "It's smart enough to recognize a mouse or a keyboard, but when it comes to drives, iPods, anything that's a USB device with storage, it will pop up with it."

One night earlier this year, the tool blocked a janitor's son from plugging in his iPhone. Although the incident caused no harm, it was a huge policy violation, and the credit union ended up changing cleaning crews, McDanell said.

USPS FCU's McHugh said USB Defender provides the ability to allow exceptions. The organization's CEO, for example, can load a USB storage device on the network but only with his login.
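The behaviour the two credit unions describe for USB Defender (a keyboard or mouse is recognized and allowed, any device with storage is blocked, and a named login can be granted an exception for a specific device) amounts to a device-control policy keyed on what the device is and who is logged in. The following is an added example that models that decision logic; it is not TriGeo's code or its event format. The interface class codes are the real USB-IF values (0x03 HID, 0x06 still image, the class iPhones and cameras use for photo transfer, 0x08 mass storage, 0x09 hub), while the event fields, the device serials and the allow-list entry are constructed.

```python
"""Device-control decisions for USB insertion events.

Policy, matching what the article describes:
  * devices exposing only known-safe interfaces (keyboard, mouse, hub) are allowed;
  * any device exposing a storage-capable interface is denied, unless the
    (login, device serial) pair is on the allow-list;
  * composite devices are judged on every interface they expose, so a gadget
    that is a keyboard AND a flash drive is still a storage device;
  * anything with an unrecognized interface class is denied (default deny).
Added illustration; event format, serials and allow-list are assumptions.
"""
from dataclasses import dataclass

# USB-IF interface class codes.
HID = 0x03           # keyboards, mice
STILL_IMAGE = 0x06   # PTP: cameras, iPhones exposing photos
MASS_STORAGE = 0x08  # flash drives, iPods in disk mode, card readers
HUB = 0x09
VENDOR_SPECIFIC = 0xFF

SAFE_CLASSES = {HID, HUB}
STORAGE_CLASSES = {STILL_IMAGE, MASS_STORAGE}


@dataclass(frozen=True)
class UsbEvent:
    user: str                 # Windows login active when the device was inserted
    vid: int                  # vendor ID
    pid: int                  # product ID
    serial: str               # device serial string
    interface_classes: tuple  # class code of every interface the device exposes


# Exception bound to a login AND a specific device: the CEO's own drive,
# only when the CEO is the one logged in. Constructed entry.
ALLOWED_STORAGE = {("ceo", "0A1B2C3D")}


def decide(event, allowed=ALLOWED_STORAGE):
    """Return (verdict, reason); verdict is 'allow' or 'deny'."""
    classes = set(event.interface_classes)
    if not classes:
        return "deny", "device exposed no interfaces; refusing unknown device"
    if classes & STORAGE_CLASSES:
        if (event.user, event.serial) in allowed:
            return "allow", "storage device on allow-list for login %r" % event.user
        return "deny", "storage-capable device not permitted for login %r" % event.user
    if classes <= SAFE_CLASSES:
        return "allow", "input/hub device only, no storage interface"
    return "deny", "unrecognized interface class(es) %s" % sorted(
        hex(c) for c in classes - SAFE_CLASSES)


def evaluate(events, allowed=ALLOWED_STORAGE):
    """Apply the policy to a batch of events; returns a list of (event, verdict, reason).
    Every denial is also a policy-violation record worth keeping in the log trail."""
    return [(e,) + decide(e, allowed) for e in events]


# Constructed sample events (vendor/product IDs and serials are made up).
SAMPLE_EVENTS = [
    UsbEvent("teller1", 0x046D, 0xC31C, "KB001", (HID,)),                 # keyboard
    UsbEvent("teller1", 0x0781, 0x5567, "FD77Q", (MASS_STORAGE,)),        # flash drive
    UsbEvent("ceo", 0x0781, 0x5567, "0A1B2C3D", (MASS_STORAGE,)),         # CEO's drive
    UsbEvent("teller2", 0x0781, 0x5567, "0A1B2C3D", (MASS_STORAGE,)),     # same drive, wrong login
    UsbEvent("cleaner", 0x05AC, 0x1290, "IPH01", (STILL_IMAGE,)),         # iPhone
    UsbEvent("teller3", 0x1D50, 0x6089, "BAD01", (HID, MASS_STORAGE)),    # keyboard + storage combo
    UsbEvent("teller4", 0x1234, 0x0001, "UNK01", (VENDOR_SPECIFIC,)),     # unknown class
]

if __name__ == "__main__":
    for event, verdict, reason in evaluate(SAMPLE_EVENTS):
        print("%-5s %-8s vid=%04x pid=%04x serial=%-9s %s"
              % (verdict.upper(), event.user, event.vid, event.pid, event.serial, reason))
```

Two design points carry over to any device-control deployment. The exception is keyed on the login and the device serial together, so the CEO's drive is refused when anyone else plugs it in, and the CEO cannot mount an arbitrary drive; and the policy inspects every interface of a composite device, so a "keyboard" that also presents a storage interface is treated as storage rather than slipping through on its HID class.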

"It ticked off a lot of the staff when they found out they couldn't hook up their iPods anymore," McHugh said. "It enforces the policy you have in play."

The credit union sends all its TriGeo data into a SQL Server database running on a VMware ESX Server for long-term storage. With 250 gigabytes, the organization expects to get two years' worth of information cataloged on it, and using a virtual server keeps costs down, McHugh said.

McDanell plans to budget next year for external data storage for the TriGeo, and is considering TriGeo's InDepth appliance. The way PFCU has it set up now, reports are pulled directly from the SIM, which can take time, especially for detailed reports, he said. The InDepth appliance archives the SIM data and allows for a deeper look at network activity, he said.

There are some initial growing pains when first implementing a SIM because building rules for it can be time consuming, McDanell said. "Once it's set up, it's wonderful," he added. "You have a pretty clear picture of what your network looks like."
