"Being a university environment, we pride ourselves on trying to keep an open network for research and collaboration," said Morris Reynolds, director of information security and access management at Wayne State University. "But we also have a need to keep things as secure as possible without affecting productivity."
Mike Rothman, president and principal analyst with research firm Security Incite, puts it more
For years, Reynolds' staff relied on manual monitoring of network activity to make sure nothing malicious was occurring. Unfortunately, Reynolds' security staff consisted of two full-time employees. Manually monitoring firewall logs and other data streams produced by the 50,000 hosts on the university's network was not realistic.
"We just did not have sufficient resources to do an effective job of managing everything," Reynolds said. "We did not have effective tools that would alert us to what was going on and help us isolate the problem down to its primary sources."
Graydon Huffman, senior systems security specialist for Wayne State, said he would try to keep on top of things by running TCP dumps to see what kind of traffic was traversing the network. From there, he would try to narrow down potential vulnerabilities by scanning hosts en masse to see which ports were open, and he would look for hosts, such as an FTP server, that were repeatedly being hit on those ports. Then he would have to track down to whom the host belonged.
"And even then, after spending all that time, you might find out it was bona fide traffic," Huffman said. "[The network] was kind of a black hole for us. We could see the outside edges of it, but we never knew what was going on inside."
Recently, Wayne State adopted QRadar, a SIEM (security information and event management) platform that monitors network activity from multiple silos and correlates the information gleaned from that activity into one console.
"We needed something that actually correlated events between different devices," Huffman said. "And then, from the traffic that was produced on the network, it could notify us and prioritize exactly what we needed to look at, rather than having us look for that needle in a haystack."
Rothman of Security Incite said that SIEM-type technologies are fostering an organizational evolution within information security, making security much more of an operational capability that resides in the network team. He said organizations can collect massive amounts of information with SIEM technologies. Then, individual security and network teams can use specialized applications built on top of those platforms to perform specific functions, such as compliance reporting, network behavior analysis and forensic analysis.
"Security management platforms over time are going to be pretty instrumental in helping security professionals and network security people get much more leverage and become much more efficient at what it is they've been asked to do," Rothman said.
At Wayne State, security remains operationally separate from the network organization. However, more than a dozen members of the IT organization are using QRadar.
"Our network people use it for looking at some of the traffic stats," Huffman said. "They use it to kind of validate any issue going on in the network."
QRadar is monitoring firewall activity, various authentication systems, student portals and the wireless LAN traffic, and pretty much anything that happens on the network, Huffman said. More importantly, QRadar correlates that information and associates it with Layer 7 traffic so that network security professionals can see what types of applications are generating the traffic QRadar observes.
"QRadar is finding things on our network that we never knew existed," Huffman said. "It allows us to drill into Layer 7 and actually see exactly what's going on. When you're bouncing some type of malicious traffic over Port 80, everything else is going to look like Web traffic. QRadar can tell you exactly what's going on inside that packet."
The product immediately detected quite a few hosts that were controlled by botnets, he said. It also detected individuals scanning the university's honeynet, a network with intentional vulnerabilities aimed at attracting malicious traffic so that it can be identified. QRadar was able to detect similar vulnerability scans hitting the production network, Huffman said -- attacks that in the past had gone undetected.
"They're also scanning our production network and actually getting through," he said. "Sometimes, a certain network will be allowed to get to certain hosts using Exchange servers or file servers. That would not normally be picked up. But since it hit the honeynet and also hit the production network, we recorded that and we can see that traffic as malicious. Whereas, if we just looked at the firewall, we would never see it. It would just look like a valid connection."
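The correlation Huffman describes is simple to state but invisible to a firewall that looks at one connection at a time: a source that has probed several honeynet hosts and then opens an allowed session to a production file server deserves attention, even though each production event on its own looks like a valid connection. The following Python script is an added illustration of that rule and is not QRadar code or anything from Wayne State; the log format, zone names, IP addresses and the threshold of three distinct honeynet targets are all constructed assumptions.

```python
"""Flag production connections from sources that first scanned the honeynet.

Added example: a toy version of a SIEM correlation rule. The log format
(timestamp zone action src dst dport) and all addresses are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample firewall log lines from two zones. Documentation-range
# addresses are used so nothing here points at a real host.
SAMPLE_LOGS = """\
2009-03-02T10:00:01 honeynet ALLOW 203.0.113.7 10.9.0.12 22
2009-03-02T10:00:02 honeynet ALLOW 203.0.113.7 10.9.0.12 80
2009-03-02T10:00:03 honeynet ALLOW 203.0.113.7 10.9.0.13 445
2009-03-02T10:00:04 honeynet ALLOW 203.0.113.7 10.9.0.14 3389
2009-03-02T10:00:05 honeynet ALLOW 203.0.113.7 10.9.0.15 1433
2009-03-02T10:01:10 production ALLOW 203.0.113.7 10.1.5.20 445
2009-03-02T10:01:12 production DENY 203.0.113.7 10.1.5.21 22
2009-03-02T10:02:00 production ALLOW 198.51.100.4 10.1.5.20 443
2009-03-02T10:02:30 honeynet ALLOW 192.0.2.9 10.9.0.12 80
2009-03-02T10:03:00 production ALLOW 192.0.2.9 10.1.5.30 443
"""

# Assumed tuning knob: how many distinct (host, port) targets on the honeynet
# a single source must touch before we treat it as a scanner rather than a
# stray single hit.
HONEYNET_SCAN_THRESHOLD = 3


@dataclass(frozen=True)
class FlowRecord:
    ts: str
    zone: str     # "honeynet" or "production"
    action: str   # firewall verdict: "ALLOW" or "DENY"
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> FlowRecord:
    """Parse one whitespace-separated log line into a FlowRecord."""
    ts, zone, action, src, dst, dport = line.split()
    return FlowRecord(ts, zone, action, src, dst, int(dport))


def parse_logs(text: str) -> list[FlowRecord]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def honeynet_scanners(records: list[FlowRecord],
                      threshold: int = HONEYNET_SCAN_THRESHOLD) -> set[str]:
    """Sources that touched at least `threshold` distinct honeynet targets."""
    targets: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for r in records:
        if r.zone == "honeynet":
            targets[r.src].add((r.dst, r.dport))
    return {src for src, hit in targets.items() if len(hit) >= threshold}


def correlate(records: list[FlowRecord], scanners: set[str]) -> list[FlowRecord]:
    """Production sessions the firewall ALLOWED from a known honeynet scanner.

    DENY events are left out on purpose: the firewall already surfaced
    those. The ones worth escalating are the sessions that got through.
    """
    return [r for r in records
            if r.zone == "production" and r.action == "ALLOW"
            and r.src in scanners]


def analyse(text: str) -> tuple[set[str], list[FlowRecord]]:
    records = parse_logs(text)
    scanners = honeynet_scanners(records)
    return scanners, correlate(records, scanners)


if __name__ == "__main__":
    found, flagged = analyse(SAMPLE_LOGS)
    print("honeynet scanners:", sorted(found))
    for r in flagged:
        print(f"ESCALATE {r.ts} {r.src} -> {r.dst}:{r.dport} (allowed by firewall)")
```

On the constructed sample, 203.0.113.7 probes five honeynet targets and then opens an allowed SMB session to a production host, which is the only event escalated; 192.0.2.9 touches the honeynet once and stays below the threshold, so its later production connection is left alone. Lowering the threshold to one turns that single hit into a scanner verdict as well, which is the kind of tuning decision a real SIEM rule pushes onto the analyst.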
"It allows us to be a lot more responsive in taking decisive action in remediating some of the problems we're seeing," Reynolds said. "Ideally, we'd love to catch 100% of the problems and vulnerabilities that are out there, but that's not going to happen, based on just sheer magnitude. But it's putting us in a position to be alerted when suspicious activities or footprints are noted on the network."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor