No back door

Compiling logs of network security events is easy, says Tony Vincent, Symantec's lead global security architect. What's tougher is converting the logs to usable information.

Henrik G. de Gyor

Laura Vaglia, networking chief for the Army's Community and Family Support Center, says she sleeps easier now but still gets some 3 a.m. pages about network emergencies.

One Army center outsources its network security

Laura Vaglia, networking chief at the Army Community and Family Support Center, has a goal: 'Not to be a back door to the NIPRnet.'

The center, which provides morale, welfare and recreation services for active and reserve soldiers, retirees and their families worldwide, is largely self-funded. It receives only a small allotment from Congress for its office overhead.

That leaves few resources to secure its network.

'We don't have any secrets,' Vaglia said. 'But we are dot-mil' and therefore connected to the Defense Department's Nonclassified IP Router Network.

CFSC, headquartered in Alexandria, Va., runs child-care centers, libraries and recreational facilities around the world. It also operates hotels in Orlando, Fla., Hawaii, Germany and South Korea. Most of the operations are funded by fees, which must be kept low.

Tying these services together is a relatively small network of about 1,000 nodes. With firewalls, antivirus and intrusion-detection products in place, the security management got out of hand.

'My support staff works an eight-hour day, but we have a 24-hour mission,' Vaglia said. 'The amount of information that was coming in was overwhelming. We didn't have the experience in looking at it.' Furthermore, she added, 'Keeping information assurance specialists around after we've trained them isn't easy.'

The answer was to turn the job of monitoring security devices over to experts. For the last year, CFSC has been using Managed Security Services from Symantec Corp. of Cupertino, Calif., in effect getting a full-time staff to keep an eye on data generated by security products.

Gathering logs of security incidents, or potential incidents, is easy, said Tony Vincent, lead global security architect at Symantec's security operations center in Alexandria.

'Converting log data to useful information is where the tough job is,' he said.

The Virginia security operations center, the largest of the company's five SOCs around the world, monitors about 4,500 of its customers' security devices, generating about 500 million log entries or alerts each day.

Vaglia said her small network alone contributes about 1 million of those entries each day, a small percentage of the total, but more than she and her staff could handle.

Log entries come from firewalls, intrusion detection systems and other security devices about legitimate activities, as well as suspicious ones.

Most of these entries require no action. But an automated Symantec analysis culls some 250,000 to 600,000 possible attack elements each day that merit a closer look. It further distills them down to about 1,600 probable attacks each day for examination by human analysts.

Early warning

In addition to monitoring each client's activity, Symantec looks for correlations in the 70T of threat data it maintains, which can sometimes give early warning of malicious activity before it reaches a threshold level on any one system.

Symantec monitors and manages devices from most IT security companies, not just its own.

'We have a Symantec firewall,' Vaglia said, 'but our intrusion detection is from Internet Security Systems' Inc. of Atlanta. 'We have two other firewalls from NetScreen' Technologies Inc. of Redwood City, Calif.

Symantec monitors the ISS RealSecure Network IDS and expects to begin monitoring the NetScreen firewalls soon.

Vaglia said the managed services seem to be working. 'We haven't had any major exploits,' she said.

During the spread of the NetSky worm in February, an infected attachment got into the center's network and was opened before antivirus signatures were available. 'We got an alert from Symantec that we had an infected machine,' Vaglia said. Firewalls contained it before the worm could spread, saving the center from the embarrassment of becoming a source of infection for the rest of DOD.

Government facilities have specific requirements for managed security. Privacy concerns, treatment of log data, staffing and location of failover facilities are spelled out specifically by government policy, which often differs from that of commercial customers, Vincent said. 'Their requirements aren't really any harder, they're just different.'

Because the center is part of DOD, Symantec's services are on a strictly 'Look, but don't touch' basis. The company monitors but does not manage the center's network.

That does not mean Symantec can't offer advice, however. When the center made a firewall policy change that inadvertently exposed its printers to the Internet, the security staff noticed the change. Vaglia still is responsible for her network's security and is liable to be paged at 3 a.m. in case of problems. But she now feels confident that security problems can be handled.

'I have a warm, fuzzy feeling,' she said. 'I have more confidence in our security layers than I had before.'
