A credit union with 17 branches in Alaska found the right tool for logging, not of timber, but of its data assets, reports Greg Masters.
Resources running low is not something one usually associates with the state of Alaska, but that is exactly what happened at Denali Alaskan Federal Credit Union (FCU), the third largest credit union in the state. It wasn't a shortage of fish, game, oil or natural beauty that the full-service financial institution was faced with. Rather, it had outgrown the capabilities of its existing log management and security information event management (SIEM) system.
The Anchorage-based organization – which offers credit union, investment and insurance services, as well as mortgage and business lending – found itself in need of a solution that would not only protect its assets, but would also satisfy the mandates of the Federal Financial Institutions Examination Council (FFIEC), the National Credit Union Administration (NCUA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS).
Denali Alaskan FCU, which manages $440 million in assets, operates with 300 employees in 17 branches in all major communities across the state, including Anchorage, Fairbanks, Juneau, Eagle River, Wasilla and Kenai. The challenge for Keith Bennett, the company's vice president, information technology, was to implement best practices to protect the company's information assets and those of its members.
“With running a small network group, we needed a solution that was easily manageable, including the regular processes of adding/deleting/configuring devices, upgrading the software, being able to quickly research information, and to retrieve meaningful reports,” he says.
The information technology department that Bennett manages has nine full-time and two part-time employees responsible for all operations, equipment and software, as well as support. The department is broken down into a network team to manage the infrastructure, security and applications, a help desk group providing support, and a project manager.
His entire network team got involved in the search for an upgrade. “I had both my network and server administrators looking at different solutions,” he says. “Since my admins will be the ones that perform day-to-day management of the system, as a group they were the ones to watch demonstrations, and physically install and test different solutions.”
Bennett worked with his team to ensure the candidate solutions met their needs and to get their feedback on each one, and then worked with the vendors to confirm that the solutions met the credit union's security and compliance needs. Of the products they assessed, none monitored security, performance and configuration as part of an integrated solution. That made a solution from AccelOps stand out, he says.
“We needed a solution that satisfied the compliance requirements of our regulators, and one that we could more easily manage and scale,” he says. “All the log and SIEM products we looked at have the basic canned reports designed for regulatory compliance.”
With limited staffing, Denali needed a solution that was easily manageable, with out-of-the-box functionality, implementation, compliance coverage and scalability, he says.
Additionally, the tool needed to be easy to implement, as well as support Denali's environment. “We are expanding our current security capabilities and general infrastructure,” says Bennett. “We also wanted to have more operational visibility and wanted to take advantage of netflow information. All of that increased the amount of event data and potential noise that we would need to filter to be more effective in monitoring security activity. We also wanted a system that would help automate our investigation and reporting processes.”
AccelOps met all these requirements, he says. In fact, he explains that the solution offered more useful functionality than what he and his team were first looking for from SIEM/log management products.
What it does
AccelOps is integrated data center and cloud service monitoring software. It is delivered either as an on-premise, scalable virtual appliance or as a hosted SaaS solution – both offering identical functionality. The entire system is accessed through a dynamic web GUI.
The integrated platform monitors, alerts, analyzes and reports across performance, availability, security, change and business service management – enabling end-to-end visibility, operational efficiency, resource savings and managed service opportunity, says Scott Gordon, vice president, marketing and business development at Santa Clara, Calif.-based AccelOps.
The AccelOps system has wizards that walk admins through the entire configuration and administrative processes. The platform supports popular devices, systems, security and application sources, and even custom sources. Automated network discovery facilitates configuration and monitoring.
It receives and automatically processes syslog, network flow and SNMP data, Gordon points out. It also obtains configuration, performance metrics, events and log data using common and vendor protocols, such as SNMP, WMI, MS-RPC, Cisco SDEE, Checkpoint LEA, JDBC, JMX, VMware VI-SDK, HTTPS, IMAP, IMAP over SSL, POP3, SSH and Telnet. All captured configuration, location, identity, status and incident data automatically populates and maintains an active CMDB (configuration management database). The CMDB also allows for logical grouping of relevant business or compliance assets to enable service-oriented management.
Deployment was considerably easier with AccelOps compared to what Denali had before, says Bennett. “It handles the workload well. The interface is responsive, query results and reports come back fast, and it can take a variety of log sources.”
Installation as software running on a virtual machine in VMware is very simple, he adds. “Once installed, we pointed our log data at AccelOps and provided AccelOps credentials to access and monitor different devices (such as the firewall) and systems. All implementations like these go smoother if you prep your environment. We found AccelOps discovery, configuration and management capability very automated and it supported our environment quite well.”
Bennett explains that he and his team saw value in a virtual appliance rather than the physical appliance approach.
“There was a benefit to using our existing VM implementation in that we could get up and running quickly and just expand capacity when we needed to,” he says. “Our previous hardware appliance capacity had been exceeded and a ‘forklift' upgrade was necessary. With AccelOps, that limitation doesn't exist. We can add processor and storage resources as we grow and not be concerned with updates that may not work with an older appliance. AccelOps also takes advantage of the VMware high availability features as well – that's a plus.”
AccelOps ships with an extensible knowledge base of dashboards, rules and more than 900 report templates, says Gordon. The system provides real-time event correlation, comprehensive historic analysis and compliance management. All the built-in rules and reports are mapped to best practices and compliance specifications. So, once the system is exposed to the environment, users can get immediate operational oversight and have all the pertinent information at their fingertips, rather than having to spend time and effort accessing other systems to manually obtain and analyze a threat, violation or attack.
Operational data, logs, network flow, events, health and other data are cross-correlated in real time and historically, and then presented through interactive and customizable dashboards, such as an incident dashboard and reports. Further, all the raw, normalized and incident data remains online to support real-time or historic search through a Google-like keyword search or structured search. Users can analyze real-time data or go back in relative or absolute time for months or years of analysis.
The entire implementation was operational very quickly and has a very logical web GUI, says Bennett. “Since it has rules, report templates and dashboards built in, we saw useful output almost immediately. My team does like working with the system and it is extremely easy to maintain. We definitely have more visibility across our network and we are getting value from all the details that it monitors.”
Easy compliance
Like many of the other products Bennett and his team looked at, the AccelOps tool has rules and reports that directly support the compliance regulations. And Bennett appreciated the fact that his team didn't have to do any heavy lifting to support compliance.
“We can group assets in regard to a particular mandate, and the AccelOps rules and reports can easily be activated against the group," he says. "That is a useful feature. AccelOps also keeps track of more than just security alerts and access records. We also can document and verify configuration changes, patches, system issues, and more that also are relevant to compliance requirements. In addition, all the data that we capture is available for months, so if we need to, we can easily get into any detail that an auditor requests or go back in time to investigate an event. Also, in regards to compliance, AccelOps has case management built in, so beyond monitoring logs, we can open and track tickets to document events.”
“Financial service organizations may have broader compliance requirements and in many cases are more averse to operational data,” adds Gordon. “So they are less apt to select a SaaS approach.”
Security priorities
As a financial institution, data security has always been a critical component of the job at Denali, and one Bennett says he and his team have always taken seriously. “We are continually watching what vulnerabilities are out there and frequently look at new technologies designed to combat the latest risks,” says Bennett. Just some of the security measures that have increased over the past few years, he points out, include spam/virus filters, a DMZ, firewalls, patch management, data encryption, intrusion detection/prevention systems, eliminating shared user accounts, no users set up as local admins, ongoing vulnerability assessments and penetration testing, complex password requirements, regular auditing of user accounts/permissions, server hardening, security cameras, clean desk policies, and regular staff training.
Staff education is one of his biggest means of combating these threats, Bennett says. It is a continual job of balancing end users' ability to perform their jobs against his team locking down the network environment in a manner that minimizes security risk.
Working with software vendors to hold them accountable for developing secure applications is another area of security Bennett and his team must maintain.
“These days, CIOs are looking to achieve broader visibility to advance service-oriented management agendas, to expand cloud computing initiatives, and to achieve greater operational efficiency,” says Gordon. “CISOs and information security managers also want to get more done with less, and have all the data available and the right tool to do their job more efficiently. Since our solution can optionally be purchased as just SIEM, just performance and availability management or both as an all-in-one solution – we offer greater cost benefit and easier justification for a monitoring platform that provides value across the IT organization.”
[sidebar]
Updates: Keeping current
The AccelOps virtual appliance is installed on VMware ESX or ESXi as a guest with reserved resources, explains Scott Gordon, vice president, marketing and business development at the Santa Clara, Calif.-based company. It requires four cores, 8 GB of memory, 80 GB of storage and access to local or network-based storage via NFS. Storage capacity and resource requirements are available on the AccelOps website.
For the virtual appliance, users just download an image file and install it. It can even be installed on a mirrored ESX server to make the update seamless. Once installed, the virtual appliance is ready to go, and updates are automatically applied to remote site collectors. To add support for new devices only, users can install a compiled XML file that enables full device support without having to update the entire system.
For the SaaS version, AccelOps manages the AccelOps platform providing seamless updates during off-peak work hours with advance notification to users prior to updates, Gordon says. Since on-premise collectors have local data caching, no data is lost during the upload process. – GM