The big picture

17.04.2006
It's useless trying to manage a battle when immersed in the fray. So generals have traditionally operated from a hilltop where they have an overview of the conflict below. Effective information security management requires that same type of visibility.

Lee A. Kadel, information security analyst at Wheaton Franciscan Services Inc. (WFS), oversees security at the nonprofit's data center in Glendale, Wis., as well as connections to its 17 hospitals and more than 70 clinics in Colorado, Illinois, Iowa and Wisconsin. He was running nearly 100 security devices, including firewalls, intrusion-prevention systems (IPS), virtual private network (VPN) concentrators and authentication servers, but had no way to gain overall insight into the security status of the network.

"We had to manually review the firewalls, manually review the VPN logs and monitor the security logs on the authentication servers," says Kadel. "There were some devices we couldn't manage easily because the volume of event log data was just too great."

Like many other security managers, Kadel found that by installing a security information management console, he was able to cut down the monitoring workload and isolate threats earlier, as well as reduce downtime by discovering configuration errors.

Limited Dashboards

To bring security and reporting up to the level required for compliance with the Health Insurance Portability and Accountability Act, Kadel installed Edison, N.J.-based netForensics Inc.'s nFX Open Security Platform on five servers in an isolated storage-area network environment. nFX agents receive or collect the data from WFS's security devices. The data is translated into a common database format for storage, analysis and reporting.

"I have a dedicated monitor on my desk, so I can see the state of our network security at any given point in time," Kadel says. "It has given us greater visibility and better reaction time."

Some software vendors sell products called dashboards that are in fact just central management consoles for particular security products. But that doesn't mean that such products aren't helpful.

For example, New York Community Bank uses CA Inc.'s Integrated Threat Management R8. ITM unifies CA's PestPatrol Anti-Spyware Corporate Edition and its antivirus software into a single console. The bank uses ITM to centrally manage 3,500 desktops at 170 branches in the greater New York area, as well as its servers. With ITM, help desk staffers can remotely scan the workstations rather than having to travel to a site and do it manually.

"Each branch has its own server and PCs," says Assistant Vice President Dan Koppelman. "It has saved us a lot of time and costs, not having to keep IT staff on the road going from PC to PC."

But unlike nFX, such a console can't be considered a true security dashboard.

"This dashboard can be called a vulnerability management dashboard or antivirus dashboard, but not a security dashboard," says Khalid Kark, an analyst at Forrester Research Inc. "A real security dashboard would need to look at security controls in a comprehensive fashion and generate reports on it."

Koppelman has evaluated going to a more complete dashboard but says that what he has now meets his company's needs. But at VeriSign Inc. in Mountain View, Calif., a higher degree of control is needed for protecting the authoritative name servers for the .com and .net top-level domains, as well as for providing managed security services to thousands of enterprises. VeriSign must protect thousands of production and enterprise servers and hundreds of firewalls and intrusion-detection systems (IDS).

"There were too many places to look for information," says Ken Silva, VeriSign's chief security officer. "The idea is to centralize that into a common console so you really have only one place to look."

VeriSign selected a security management suite from OpenService Inc. in Marlboro, Mass., because of its extensibility. It provided about 80 percent of the needed functionality out of the box.

"We had the whole system up in about two weeks, and most of that time was spent fine-tuning for the other 20 percent that it didn't do out of the box," Silva says. "There are some events that we uniquely have at our company that obviously couldn't be preprogrammed into the system."

The system pulls information from the server monitoring service, from in-house applications that monitor the domain name service, and from IDS, IPS, firewall and router logs. All events are sent to a central Unix box that normalizes them into a common event format and correlates related events into a single synthesized event.
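The collection step described for nFX above (agents translating device data into a common format) and the central correlation box at VeriSign come down to the same two pieces: per-source parsers that map each vendor's log layout into one event schema, and a correlator that reads only that schema and groups related events. The following is an added example, not code from the article, netForensics or OpenService. The three log formats, the field names, the year supplied for BSD-syslog timestamps, and the window/threshold policy are all constructed assumptions for illustration; the sample log lines are likewise constructed.

```python
"""Normalize heterogeneous security-device logs into one schema, then correlate.

Added example, not the article's or any vendor's code. The three line formats,
the device names and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: BSD-syslog firewall lines carry no year, so the collector supplies one.
LOG_YEAR = 2006


@dataclass(frozen=True)
class Event:
    """The common schema every source is mapped into (the 'common database format')."""
    ts: datetime
    device: str            # reporting host
    kind: str              # firewall | vpn | auth
    action: str            # normalized verb: deny | allow | auth_fail | auth_ok
    src_ip: str
    user: Optional[str] = None


# Hypothetical vendor layouts: iptables-style syslog, a Cisco-ish VPN log, key=value auth log.
FW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                   r"(?P<verdict>DROP|ACCEPT) SRC=(?P<src>\S+) DST=\S+ PROTO=\S+ DPT=\d+")
VPN_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"%AUTH-\d-(?P<res>FAIL|OK): user (?P<user>\S+) from (?P<src>\S+)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[Event]:
    """Map one raw line to an Event, or None when no parser claims it (never guess)."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        action = "deny" if m["verdict"] == "DROP" else "allow"
        return Event(ts, m["host"], "firewall", action, m["src"])
    m = VPN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        action = "auth_fail" if m["res"] == "FAIL" else "auth_ok"
        return Event(ts, m["host"], "vpn", action, m["src"], m["user"])
    kv = dict(KV_RE.findall(line))
    if kv.get("event") == "logon":
        action = "auth_fail" if kv.get("result") == "failure" else "auth_ok"
        return Event(datetime.fromisoformat(kv["ts"]), kv["host"], "auth", action,
                     kv["ip"], kv.get("user"))
    return None


def correlate(events: List[Event], window: timedelta = timedelta(minutes=5),
              threshold: int = 3) -> List[Dict]:
    """Synthesize one event per source IP with >= threshold denies/failures inside
    `window` that span at least two device kinds. Single-device bursts are left to
    that device's own console; the value of a central box is the cross-source view."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action in ("deny", "auth_fail"):
            by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            run = [e for e in evs[i:] if e.ts - first.ts <= window]
            kinds = sorted({e.kind for e in run})
            if len(run) >= threshold and len(kinds) >= 2:
                alerts.append({"src_ip": ip, "count": len(run), "sources": kinds,
                               "first": first.ts, "last": run[-1].ts,
                               "users": sorted({e.user for e in run if e.user})})
                break  # one synthesized event per IP, not one per raw line
    return alerts


def run_pipeline(lines: List[str]) -> Tuple[List[Event], List[Dict]]:
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    return events, correlate(events)


# Constructed sample input: three device types, one unparseable vendor line.
RAW_LOGS = [
    "Apr 17 08:00:01 fw1 kernel: DROP SRC=203.0.113.5 DST=10.0.0.8 PROTO=TCP DPT=22",
    "2006-04-17 08:00:04 vpn1 %AUTH-4-FAIL: user jsmith from 203.0.113.5",
    "ts=2006-04-17T08:00:09 host=auth1 event=logon result=failure user=jsmith ip=203.0.113.5",
    "ts=2006-04-17T08:00:12 host=auth1 event=logon result=failure user=admin ip=203.0.113.5",
    "Apr 17 08:01:30 fw1 kernel: ACCEPT SRC=198.51.100.7 DST=10.0.0.9 PROTO=TCP DPT=443",
    "2006-04-17 08:02:00 vpn1 %AUTH-6-OK: user mlee from 198.51.100.7",
    "ts=2006-04-17T08:03:00 host=auth1 event=logon result=failure user=mlee ip=198.51.100.7",
    "Apr 17 09:30:00 fw1 kernel: DROP SRC=192.0.2.44 DST=10.0.0.8 PROTO=TCP DPT=22",
    "Apr 17 09:30:01 fw1 kernel: DROP SRC=192.0.2.44 DST=10.0.0.8 PROTO=TCP DPT=23",
    "Apr 17 09:30:02 fw1 kernel: DROP SRC=192.0.2.44 DST=10.0.0.8 PROTO=TCP DPT=25",
    "<unrecognized vendor line that no parser claims>",
]

if __name__ == "__main__":
    evts, alrts = run_pipeline(RAW_LOGS)
    print(f"{len(evts)} events normalized from {len(RAW_LOGS)} lines")
    for a in alrts:
        print(a)
```

Two design points are worth noting. The parsers return `None` for a line no format claims rather than guessing fields, so an unknown device shows up as a parse-coverage gap to be fixed (the "other 20 percent" Silva mentions) instead of silently polluting the event store. And the correlator reads only the normalized `Event` fields, so adding a fourth device type means writing one parser, not touching the correlation logic; in the sample, the three firewall-only denies from 192.0.2.44 are deliberately not escalated, while the mixed firewall, VPN and auth-server failures from 203.0.113.5 become one synthesized event.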

Silva reports that network operations center staffers now monitor only a single console instead of a dozen, and they no longer have to dig through several logs to find what is triggering an event. They have been able to reduce mean time to detection by 30 percent to 50 percent.

"If done well," says Kark, "a comprehensive security dashboard can not only save a tremendous amount of time and effort for the organization, but also helps security managers get more visibility into their security posture."

Robb is a Computerworld contributing writer.