The CIO-level business angle on the latest tech
When a server is sluggish in Singapore, or a virus invades in the United Kingdom, Californian Michael Chapman knows it almost instantly. No, he's not the Server Psychic from the Science Channel; he just knows how to make good use of his log and event management tools.
Chapman is director of Digital Security and Technical Operations for the West Coast division of Ascent Media Group, a media conglomerate made up of some 60 companies around the world. Chapman's extra-long title means he serves multiple roles for his employer. His digital security role holds him responsible for network security and the protection of Ascent Media's digital assets -- which happen to be the company's crown jewels. His technical operations role requires oversight of the corporate IT infrastructure, and by default, that makes him the guy responsible for IT compliance with the Sarbanes-Oxley Act (SOX).
It was the need to meet SOX compliance that led Chapman to look for a log management system that could span the enterprise, which includes all 60 or so semi-independent companies. Because they are all under the Ascent Media corporate umbrella, their log data must be consolidated for SOX reporting purposes. That's quite a challenge when the companies and their computing devices are in more than 40 facilities worldwide, in places such as New York, London, Singapore, Atlanta, and Burbank, Calif.
Chapman has found one security information and event management tool that serves his needs for all of his roles. Ascent Media uses LogRhythm log and event management appliances to meet their SOX compliance requirements and improve security and operations throughout the entire enterprise. Chapman chose LogRhythm because it is architected to support a geographically dispersed enterprise. I talked with him about how he uses this tool to gather log data from every far-flung device and bring it into an event console that he calls his "single pane of glass." Through this console, Chapman can see any security or operations problem that requires attention.
Ascent Media's solution consists of two types of components: a log manager and a console appliance called the event manager. The company has placed one log manager in each of its four major geographic locations (U.S. East Coast, West Coast, the United Kingdom and Singapore). The lone event manager console is in Burbank, Calif.
Each regional log manager receives all the log data from the agents installed on various devices within a geographic region. An agent is capable of reporting for itself locally on the box it is installed on, and it also is capable of doing remote collection from other devices. With this capability, Chapman says he doesn't have to buy an agent for every single device. Instead, he can have an agent installed on a machine and have it remotely collect logs from devices that are in its vicinity.
The log data from all the field devices is consolidated at the log manager level, where it is classified according to customizable rules. Anything that is classified as an "event" or an "alarm" is funneled through to the central event manager in California. An alarm is generally something that requires attention, such as a device failure. An event is something that may or may not be significant, but it warrants further watching or investigation. An example would be a SQL read error, which often resolves itself. In such a case, Chapman watches to see if numerous events pertaining to the same situation occur within a few minutes. If so, then there's a genuine problem to investigate.
Linda Musthaler is a principal analyst with Essential Solutions Corporation.