In-Depth

Case Study: Law Firm Isolates Potential Threats

Office uses one-stop monitoring for attacks and vulnerabilities

• By Mathew Schwartz
• 09/15/2004

That was the situation faced by Adam Hansen, manager of information security for Sonnenschein Rosenthal & Nath LLP, one of the largest law firms in the United States. Hansen largely built the firm’s information security program. His first challenge upon arrival: “There was a lot of technology. However, there wasn’t a whole lot of infrastructure to manage the technology,” he says.

Hansen couldn’t just staff up to start watching all of the products’ logs for signs of attack. “We’re about 2,000 people across 10 different organizations and my group … [of four people has] crossover with physical security. I can’t go and ask for eight people to go and manage all my IDS [intrusion detection system] boxes,” he says.

To get a handle on all of the data being generated, Hansen wanted a product to consolidate his view of logs from such must-have security technologies as firewalls, IDS, antivirus, as well as custom scripts he runs, and alert him when something looked amiss. In short, Hansen wanted to improve network monitoring, ease security product management, and keep head count steady.

The law firm narrowed the choices to two organizations, one of which was Security Threat Manager 2.0 from OpenService Inc. (Open). “They physically sent someone out here,” says Hansen. “When that person got here, they ran through everything with us. It couldn’t have been any easier process—they made the process of implementation and the proof of concept extremely easy.” By contrast, he says, the other organization—which he declined to name—wouldn’t do an on-sight proof of concept for the law firm.

About a year ago, the law firm moved the OpenService proof of concept into production, which took about five days, and it’s been maintaining and upgrading it ever since. Now, one of his staff is also largely free to tackle other requirements—such as patch management—that Hansen’s group also oversees.

Point sensors, or agents, run on every security device, whether it’s an IDS, firewall, or a PC or server running antivirus software. Correlating what they see lets organizations garner more usable information and better prevent false alarms. Today “we’re approaching 40 agents deployed—servers, appliances, custom written scripts, syslogs,” Hansen says, which collectively note 6-to-10 million events per week. Yet by correlating events, “we were able to correlate all those events down to 23 essential alerts.” Those alerts are further subdivided into categories and, in the end, typically two categories merit investigation in a 24-hour period.

Correlation lets organizations filter raw logs into more useful information. For example, “you might have a correlation between an IDS and a firewall log, and you might have had a server drop because it was hit hard. … Under traditional circumstances, you’d have three different events, but this correlates, so there’s one,” notes Hansen.

“Really what all these correlations are is real-time triage,” made possible by determining in advance which machines belong to which lines of business, and which are the most important, says Phil Hollows, Open's vice president of Security Products. “Now you can look at exposures, attacks coming in, and say 'Based on what I see, here’s what I’ll focus on,'” he says. So “it’s the focus on the management side of things rather than the technology side of things.”

Furthermore, by processing logs in real time, “we identify threats before they become compromises.” He recognizes that organizations must keep their point sensors up to date for the best results, and also gather information from as many places as possible. “The more data sources you have leading into it, the more intelligent and valuable the data intelligence that comes out.”

Based on Hansen's experience, “the key is to train the correlation,” since without training, the product won’t be much better than a log manager. In an average week, he says, three hours are spent training Open, a minimal investment “given the volume of logs we’ve got.” Such training is mandatory, especially to cut false alarms. “If you take time to refine the product, you’re going to consistently get more value out of the product.”

One feature Hansen likes in Open is the support for Snort, an open-source IDS he also uses. “Imagine having two redundant IDS systems going at one time—you're not going to sleep. But if you start piping the information through this product … it’s smart enough to correlate it all.” Currently he runs Snort in silent mode—it doesn’t flash alarms—but feeds its data into Open. So if there’s a correlation between Snort and Open, “it tends to get prioritized,” he says.

Open recently released version 3 of Security Threat Manager. The new version adds Red Hat (for Windows or Solaris) compatibility, and integrates with Addamark’s Scalable Log Server, which consolidates and watches logs for signs of attack. One enhancement includes the ability of second- or third-tier operations staff to invoke predefined actions. For example, if the night shift sees a virus or worm attack looming, it can block the attack in prescribed ways, but not otherwise address the problem without paging the on-call security expert.

For organizations considering event consolidation software, Hansen recommends organizations also “include adequate professional services” in their contract, based upon the experience of his peers who didn’t opt for it. “For what you pay, you’re expecting this thing to make you toast in the morning, and if you don’t have professional services in place or a sound project methodology, you’re going to be in a world of pain."

Related Articles

Security Event Management: It Pays to be Proactive
http://esj.com/news/article.asp?editorialsId=1002

Dispelling Log Data Retention Myths
http://www.esj.com/news/article.asp?editorialsId=965