
The SIM solution

Temping has become a time-honored way to make a living. It's a great way to earn a regular paycheck without all the commitments — set hours, limited time off, dealing with an irascible supervisor — of a full-time job. Companies benefit by hiring workers only when they need them, avoid incurring the costs of health benefits, and letting temps go without hassle in lean times.

But there's a bit of a dark side to the industry that only a few folks deal with on a regular basis: ensuring the security of the private and personal information of the hundreds of thousands of employees and companies temp agencies work with each year.

There's no way to put a pretty face on it. Temp agencies input and save personnel records of the temporary workers they hire, as well as proprietary information about the projects for which their corporate customers hire temp workers. Losing even a portion of this information would be devastating to all those involved, says Greg Kohl, vice president of IT infrastructure engineering and solutions, Kelly Services. Securing that information is crucial to ensuring not only the success of Kelly Services itself, but the reputation of its corporate customers and temps, explains Kohl.

“Information security is critical to our business,” he says. “We have a large amount of information not only on our temps, but customers — what they spend with us, information about what customers do with their temporary help. They may be working on clinical trials for new drugs, for example, and it's not something they want the public or their competitors to see.”

Kohl and his staff at the Troy, Mich.-based company have turned to a security information management (SIM) product from Reston, Va.-based Intellitactics to help safeguard their data stores. “The SIM system allows Kelly Services to control and understand what's going on in our environment, and to collect all security-related audits and simplify that down to actionable events,” explains Kohl.

Kelly Services is now able to more quickly answer who did what when during forensics investigations of potential security leaks. And, in what may seem to some a “Big Brotherish” type of strategy, Kelly Services also relies on the SIM solution to let its own employees know management is watching what they're accessing at what time, says Kohl.

Compliance and new features
The products in the SIM marketplace, as the Kelly Services deployment aptly illustrates, have undergone a major shift in focus in the past two years, according to vendors and analysts. Managing devices on the network perimeter is no longer the priority.

Traditionally, enterprises used SIM products to collect, aggregate and analyze logs from network perimeter devices — firewalls, intrusion detection and prevention systems (IDS/IPS). And they're still doing that.

SIM tools — from the likes of ArcSight, CA, Cisco, Consul, eIQnetworks, IBM, Intellitactics, NetIQ, netForensics, Novell, Symantec, TriGeo and others — give security administrators the ability to correlate threats and policy violations across their enterprises. They can use the information to prioritize those incidents and make certain they take the proper corrective measures.

Compliance has become the principal driver in the deployment of SIM technologies, says Scott Crawford, a senior analyst in the Enterprise Management Associates security and risk management group. Whether it's to meet regulatory standards or merely to satisfy internal policies, enterprises have expanded their use of SIM tools to embrace what is increasingly called governance/risk/compliance (GRC) management, he explains.

“SIM has become more than a security solution,” Crawford says. “The goal of SIM is to aggregate, consolidate, rationalize and correlate information from security solutions to prioritize events and improve the signal-to-noise ratio of security management. That's the primary objective of risk management, and it's been one of the trends that's driving the security event management marketplace.”

As they've become comfortable with SIM products, enterprise security professionals have begun looking to expand what they can do with them, agrees Diana Kelley, a vice president with the Burton Group. “They're looking at things in specific applications, hoping to prevent content or data leakage.”

Most notably, users' compliance-related demands are now driving [SIM tools] to look at user network activities and correlate them to other events, such as access to databases and other applications, says Kelly Kavanagh, a principal research analyst with Gartner. He says that enterprises are using SIM tools to investigate and correlate a wide range of security-related events.

Burton Group's Kelley agrees. “They're getting a picture of what users are doing on their networks at any given period of time, rather than just analyzing firewall or router logs,” says Kelley. “They're getting a sense of what ‘Jim' did today — what databases he accessed, and looking at more complex views of what's going on.”

For example, a SIM tool could analyze the types of accesses network and database administrators are making, then get a report that someone has made unauthorized Active Directory changes or escalated a user's access rights without authorization. Then, it might see an IDS alert triggered by some form of perimeter attack.

“All those correlated together could suggest that an exploit from the outside took advantage of a vulnerability on a server,” Crawford explains. By generating a real-time alert of those types of activities, SIM tools can catch and stop potential breaches before they happen.
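The correlation Crawford describes, as an added example that is not part of the original article or any vendor's product: a small rule engine over constructed, already-normalized events that raises a high-severity alert only when a perimeter IDS alert is followed on the same host, within a time window, by an unauthorized Active Directory change and a privilege escalation. The event tuple layout, host names and actor names are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified normalized form (not a real
# vendor format): timestamp, source, event type, host, actor.
EVENTS = [
    ("2007-03-12 09:58:10", "ids", "perimeter_attack", "web01", "-"),
    ("2007-03-12 10:01:33", "ad", "unauthorized_ad_change", "web01", "svc_web"),
    ("2007-03-12 10:03:05", "ad", "privilege_escalation", "web01", "svc_web"),
    # An isolated escalation on another host: noise on its own, no alert.
    ("2007-03-12 14:20:00", "ad", "privilege_escalation", "db02", "jim"),
]

# Rule: the three event types must occur in this order, on one host,
# all within WINDOW of the first one.
SEQUENCE = ["perimeter_attack", "unauthorized_ad_change", "privilege_escalation"]
WINDOW = timedelta(minutes=10)

def parse(ev):
    ts, src, kind, host, actor = ev
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
            "kind": kind, "host": host, "actor": actor}

def correlate(events, sequence=SEQUENCE, window=WINDOW):
    """Return one alert per host on which the whole sequence occurred in order within the window."""
    by_host = {}
    for e in sorted(map(parse, events), key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start["kind"] != sequence[0]:
                continue
            stage, seen = 1, [start]
            for e in evs[i + 1:]:
                if e["ts"] - start["ts"] > window:
                    break  # events are time-sorted; nothing later can match
                if e["kind"] == sequence[stage]:
                    seen.append(e)
                    stage += 1
                    if stage == len(sequence):
                        alerts.append({"host": host, "severity": "high",
                                       "actors": sorted({x["actor"] for x in seen} - {"-"}),
                                       "chain": [x["kind"] for x in seen]})
                        break
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

Tightening the window or dropping any one event type from the sample leaves no alert, which is the signal-to-noise improvement the analysts describe.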

The SIM tools' ability to deliver that level of correlation is bringing new buyers into the market, Kavanagh says. “That means the traditional vendors in the space have been pushed to roll out new functionality.”

He notes that Symantec, for instance, has released a log analysis appliance, as has RSA, now a subsidiary of EMC. These products are not only full-featured, he says, but, because they are appliances that plug into the environment, they are easy to deploy.

That has opened SIM implementations to small-to-medium enterprises (SMEs) that had previously sat on the sidelines because of the complexity and costs of the first generation of SIM solutions.

Overriding umbrella
“Security is an overriding umbrella for everything we do,” says Kohl. “It's an important part of our business, not just to be compliant, but also to understand that our data is important, not just to our customers, but temporary workers.”

Two factors inherent to the temp-staffing industry complicate the data security challenge for companies such as Kelly Services. Both have to do with the fluid nature of the temp industry.

“We have about 10,000 full-time employees and 750,000 temporary workers worldwide,” says Kohl. “We're in an industry where people come in and leave organizations regularly. Because the barriers to entry to the staffing industry are minimal, all you need is customer contact information and people willing to work for them. It would be damaging to our business if someone walked away with our information.”

Those problems put a premium on ensuring data doesn't stray through unauthorized access. That's where the SIM tool comes in.

Deploying Intellitactics' Security Manager SIM solution with the SAM Executive Dashboard added another layer of security to that data — housed primarily on an Oracle database.

“It was really an extension of all that we'd been doing,” Kohl says.

Finding the right solution
In 2006, Kohl and his staff of five full-time security professionals started a more aggressive review of the different SIM products in the marketplace. “We saw vendors bringing out more advanced tools to turn basic data into information.”

During the evaluation, Kohl worked with research firm Gartner to help understand what's in the market, who the leaders are and what their future looks like.

Kelly Services asked the various vendors to be pointed in their response to questions, then walk them through their proposals in detail, says Kohl. “We asked questions back and forth, so they fully understood our needs, our requirements and what features we had to have. It was not a beauty contest, but an organized, methodical review,” Kohl explains.

Although the Intellitactics product made the cut for several reasons, there was one overriding factor.

“They were clearly the most open to enhancements. They were willing to sit down and understand our challenges so they could improve their product where it was less mature,” says Kohl.

In the final analysis, the SIM tool's value to Kelly Services goes beyond merely securing its key customer and temp data.

“We look at our brand name as being synonymous with quality and integrity, and security is obviously a big part of maintaining that,” says Kohl. “All of our security practices are set up to support that, and the more we can do and the quicker we can do it is certainly part of our vision.”

SIM moves 'down market'

A major shift of products targeted “down market,” to small to medium enterprises (SMEs), is one of the key trends within the security information management market itself.

“As [the SIM products] get better, and as the technology starts to meet the promises made about it in the 1990s, we've seen a democratization of the technology,” says Nick Selby, the director of enterprise security practice at the 451 Group. “It's now possible to buy products that are capable of delivering highly sophisticated enterprise metrics in real time and provide event correlation at a much lower price.”

Still, these products may not have the “breadth of functions and capabilities in feeds and speeds in comparison with some of the early tools, such as those from Intellitactics and ArcSight,” says Gartner analyst Kelly Kavanagh. But, those latter products are fairly complex to implement, he says, and thus unsuitable for SMEs without highly trained security professionals.

Among those developing products for this market are LogLogic, High Tower Software, TriGeo and Q1 Labs.

These products offer easier deployment — often by delivering SIM in an appliance form factor rather than a large-scale software application — simpler configuration, and lower costs than the SIM systems from vendors such as IBM, CA, Network Intelligence, and others.

Ease of use was the deciding factor behind Wayne State University's deployment of one of the new SIM appliances — Q1 Labs' QRadar — according to Nathan Labadie, a senior systems security specialist at the Detroit school. “We were looking for a way to take data from all our 12,000 network devices and tie it into one place,” he says.

Installing and configuring QRadar required just pointing the logs from the firewalls and intrusion detection systems on its network to the [QRadar] box. “It automatically started processing information,” he says. “Now we can go to the web interface to see where possible problems are on the network,” he adds.

This was a far cry from when Labadie first examined the SIM market two years ago. Then, he tested Cisco's security monitoring, analysis and response system (MARS).

“When we tried MARS, it worked to an extent,” he recalls. “I didn't think the technology was mature enough to pursue it. The interface didn't work right, and it didn't feel like it was a polished product at that point. Then again, the market was relatively new.”

That has changed, however. The SIM products have a richer set of features and functions. “There's a huge difference now from the products of a few years back,” says Labadie.
— Jim Carr
