Union Bank has deployed the usual array of enterprise security devices to keep customer information and transactions secure, including intrusion detection, tracking systems, and firewalls. But the bank quickly became overwhelmed with data, including reports, alerts and alarms, and couldn't keep up with all the information it was receiving.
So the company deployed enterprise management software from ArcSight to keep track of the effectiveness of its security software.
"We use ArcSight to collect the events from firewalls, intrusion detection systems, routers, and application events. What we do is bring them into a central realtime system and then I get the ability to report across all the layers of security on how well the security environment is performing," said Bob Justus, vice president and senior manager of corporate information security and IS/IT contingency for Union Bank. "It allows me to show the value of the different solutions that we have deployed."
The main value of the ArcSight software is to run security reports for senior management and the bank board of directors, Justus said. Deploying ArcSight is part of the IT department's overall policy of keeping upper management informed of enterprise network security. "It's been well-received," Justus said. "I've never had a problem with asking for something and being turned down, maybe because I always justify what I ask for."
The ArcSight software runs on a Linux server, and collects data on multiple security devices and applications across the Union Bank network. It collects and analyzes about 250,000 security events daily.
The international network includes locations in the U.S., Djakarta, Manila, Kuala Lumpur and Hong Kong. The bank has 10,000 employees, with a total of 60,000 accounts on different systems. It provides a range of Internet-based applications, including online banking, cash management and wire transfers, electronic statements, and 401(k) services. The bank has more than a million unique retail customers in addition to a large commercial portfolio.
"The software not only shows me the events that happened, but it also shows me the events that didn't happen." For instance, a Web server should never initiate an outbound TCP/IP connection to the Internet. If a Web server makes an outbound connection to the Internet, it should be preceded by an inbound request for information. The lack of an inbound request is an event that didn't happen, and a possible indication of a security problem under way.
One particularly valuable capability of ArcSight: it can replay security logs across the network in real time, allowing the company to observe simultaneous events in different parts of the network which might appear innocuous in themselves but, taken together, can reveal a coordinated attack under way, Justus said.
"Let's say somebody is doing a port scan. Probably that isn't too much of a threat. But not only did they do a port scan, they also tried to execute a command.exe from the marketing Web site, and not only that but the same person signed up for an account from the Web server, from the same exact source IP address, or they were trying to sign on with bad user IDs or passwords," Justus said. "So now I know that from this particular address there was a pattern of abuse, and I know that I am being targeted. Whereas, in isolation, someone might say that just using a bad user ID isn't significant, and port scans are a dime a dozen."
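As an added illustration, not code from the article or from ArcSight, the two correlation ideas Justus describes (the outbound connection with no preceding inbound request, and the single source address combining several minor events) as a small Python rule set run over constructed sample events; the host names, addresses, event types and the 30-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical; not Union Bank's actual log data).
# Each tuple: (timestamp, source host, destination host, event type)
EVENTS = [
    ("2003-04-07 09:00:00", "203.0.113.5", "web1", "inbound_http"),
    ("2003-04-07 09:00:01", "web1", "203.0.113.5", "outbound_tcp"),   # preceded by a request: fine
    ("2003-04-07 09:05:00", "web1", "198.51.100.9", "outbound_tcp"),  # no inbound request: suspicious
    ("2003-04-07 09:10:00", "198.51.100.9", "web1", "port_scan"),
    ("2003-04-07 09:11:00", "198.51.100.9", "web1", "exec_attempt"),
    ("2003-04-07 09:12:00", "198.51.100.9", "web1", "account_signup"),
    ("2003-04-07 09:13:00", "198.51.100.9", "web1", "failed_login"),
    ("2003-04-07 09:20:00", "192.0.2.44", "web1", "port_scan"),       # isolated scan: noise
]
WEB_SERVERS = {"web1"}
SUSPICIOUS = {"port_scan", "exec_attempt", "account_signup", "failed_login"}


def parse(events):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), s, d, t) for ts, s, d, t in events]


def events_that_did_not_happen(events, web_servers, window=timedelta(seconds=30)):
    """Outbound connections from a web server with no inbound request from that
    peer inside the preceding window: the 'event that didn't happen'."""
    parsed = sorted(parse(events))
    alerts = []
    for ts, src, dst, kind in parsed:
        if kind != "outbound_tcp" or src not in web_servers:
            continue
        preceded = any(k == "inbound_http" and s == dst and d == src and ts - window <= t <= ts
                       for t, s, d, k in parsed)
        if not preceded:
            alerts.append((src, dst, ts.isoformat()))
    return alerts


def targeted_sources(events, min_distinct_kinds=3):
    """Sources that combine several low-severity event kinds: a pattern of abuse,
    even though each kind on its own would be dismissed as noise."""
    kinds_by_src = defaultdict(set)
    for _, src, _, kind in parse(events):
        if kind in SUSPICIOUS:
            kinds_by_src[src].add(kind)
    return {src: sorted(k) for src, k in kinds_by_src.items() if len(k) >= min_distinct_kinds}
```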
This article originally appeared April 7, 2003, on InternetWeek.com, the source for enterprise news, features and analysis on the topics that matter to IT readers. Visit informationweek.com for more.