Security information management helps the U.S. Mine Safety and Health Administration tighten security.

Mining SIM

Security information management helps the Mine Safety and Health Administration boost its security score from F to B.

In late 2004, a version of the Welchia worm hit the Mine Safety and Health Administration network, its ping of death disabling 17 remote offices in an hour. That’s when George Fesak knew he had made the right decision to invest in security information management ().

“It took less than three hours to block the Welchia traffic, quarantine the 298 infected machines and restore connections to our 17 field offices,” says Fesak, who is director for Program Evaluation and Information Resources (PEIR) at MSHA, a U.S. Department of Labor (DOL) agency in Arlington, Va. “Right there was the ROI. I remember when ILOVEU tore through here without SIM in place. It took us four or five days to get our people back to work.”

Using netForensics’ nFX Open Security Platform, MSHA security engineers and network administrators can see security events as they unfold, changing security configurations. The system integrated with MSHA’s , firewalls, routers and devices to take network event information for analysis and correlation. Using nFX wizards to create agents for MSHA’s critical business servers, administrators created role-based connectivity for departments requiring access. In this way, the security, operations and applications groups can get correlated intelligence on the gathered data as needed.

Fesak credits much of MSHA’s success to Syed Hafeez, information systems security officer for the agency. Since 2001, Hafeez has worked with the organizational business units to raise awareness and involve the business in structural security upgrades. In March 2003, Hafeez undertook the SIM project, completing Phase I (security device integration) and Phase II (server integration) in October that year.

SIM has had a major impact on MSHA’s security ratings. Less than one year into the deployment, MSHA’s security score within DOL increased to an “all green.” This in turn contributed to the DOL’s overall Federal Computer Security Compliance Scorecard grade, issued by the Office of Management and Budget, rising from F to B. The effort also lifted MSHA’s security scores from low to one of the best at the agency level using that scorecard, says Jay Mattos, MSHA’s deputy director.

“This project honed in on being able to supply security awareness at multiple technical and business levels in real time, without an entire SOC [security operations center] infrastructure added on,” Hafeez says. “Now, security, operations and application groups have a comprehensive view of security data in any configuration they need.”

For such drastic improvements in security awareness, compliance and management, without the major cost of building a SOC, MSHA earns 2005 Enterprise All-Star recognition.

New guidelines and standards

The SIM project flowed out of the DOL’s 2003 adoption of a governance process for its enterprise architecture, done in part to meet Federal Information Security Management Act (FISMA) guidelines for recommended security controls. Based on the National Institute of Standards and Technology standards, FISMA’s regulatory compliance directive dictates enforcement, accountability, and consistent reporting policies and procedures on three years of retained event log data.

But MSHA, with nearly 2,300 users spread over 100 offices nationwide, was logging 2G bytes of security event data every hour just on its firewalls, let alone its other security devices.

“MSHA runs very lean. We did not have the budget for an expensive SOC to manage all the security data. And it’s not humanly possible to watch raw data and mentally correlate it in real time, so we had to architect an environment that relied on centralized automation with minimal security-specific skill sets,” Hafeez says. Automation leverages current resources and skills, he adds, and SIM was the least costly way to absorb security into the network management infrastructure.

A configuration board, comprising managers responsible for security, operations and applications, spearheaded the SIM project. All board members participated in the SIM tool selection.

“Most of the SIM tools at that time were too complex and lacked the integration, incident response and reporting features we needed,”says Hafeez, who settled on nFX (which starts at $40,000 to cover 10 servers) because of its real-time notification and seamless integration with MHSA’s existing security technologies.

The SIM project paid for itself not only by streamlining event discovery and mitigation but also because it aggregates raw event information for more efficient storage – easily helping MHSA meet the three-year retention mandate, Hafeez says. With real-time correlation on actionable events, the SIM project also has been successful at involving the business units in making informed decisions as events unfold.

For example, after evaluating the SIM data taken from the Welchia virus, MSHA realized it needed to audit and review firewall rules periodically and to better protect the 1,200 remote laptops used by field inspectors and trainers logging in from insecure access points around the world. So Hafeez’s team streamlined and automated patch management using Shavlik Technologies’ HFNetChk Pro and Microsoft Systems Management Server, implemented a remote access policy using Juniper Networks’ SSL VPN gear and is working toward deploying Sygate On-Demand software for laptop security policy enforcement.

“Just being in paper compliance doesn’t do much for actual security,” Mattos says. “With Syed’s guidance, we understood we needed automated assistance to augment and correlate the stand-alone security systems we already had in place. We needed a SIM solution.”

Radcliff is a freelance writer in Northern California. She can be reached at deb@radcliff.com.

| Next industry: Healthcare >

In late 2004, a version of the Welchia worm hit the Mine Safety and Health Administration network, its ping of death disabling 17 remote offices in an hour. That’s when George Fesak knew he had made the right decision to invest in security information management ().

“It took less than three hours to block the Welchia traffic, quarantine the 298 infected machines and restore connections to our 17 field offices,” says Fesak, who is director for Program Evaluation and Information Resources (PEIR) at MSHA, a U.S. Department of Labor (DOL) agency in Arlington, Va. “Right there was the ROI. I remember when ILOVEU tore through here without SIM in place. It took us four or five days to get our people back to work.”

Using netForensics’ nFX Open Security Platform, MSHA security engineers and network administrators can see security events as they unfold, changing security configurations. The system integrated with MSHA’s , firewalls, routers and devices to take network event information for analysis and correlation. Using nFX wizards to create agents for MSHA’s critical business servers, administrators created role-based connectivity for departments requiring access. In this way, the security, operations and applications groups can get correlated intelligence on the gathered data as needed.

Fesak credits much of MSHA’s success to Syed Hafeez, information systems security officer for the agency. Since 2001, Hafeez has worked with the organizational business units to raise awareness and involve the business in structural security upgrades. In March 2003, Hafeez undertook the SIM project, completing Phase I (security device integration) and Phase II (server integration) in October that year.

SIM has had a major impact on MSHA’s security ratings. Less than one year into the deployment, MSHA’s security score within DOL increased to an “all green.” This in turn contributed to the DOL’s overall Federal Computer Security Compliance Scorecard grade, issued by the Office of Management and Budget, rising from F to B. The effort also lifted MSHA’s security scores from low to one of the best at the agency level using that scorecard, says Jay Mattos, MSHA’s deputy director.

“This project honed in on being able to supply security awareness at multiple technical and business levels in real time, without an entire SOC [security operations center] infrastructure added on,” Hafeez says. “Now, security, operations and application groups have a comprehensive view of security data in any configuration they need.”

For such drastic improvements in security awareness, compliance and management, without the major cost of building a SOC, MSHA earns 2005 Enterprise All-Star recognition.

New guidelines and standards

The SIM project flowed out of the DOL’s 2003 adoption of a governance process for its enterprise architecture, done in part to meet Federal Information Security Management Act (FISMA) guidelines for recommended security controls. Based on the National Institute of Standards and Technology standards, FISMA’s regulatory compliance directive dictates enforcement, accountability, and consistent reporting policies and procedures on three years of retained event log data.

But MSHA, with nearly 2,300 users spread over 100 offices nationwide, was logging 2G bytes of security event data every hour just on its firewalls, let alone its other security devices.

“MSHA runs very lean. We did not have the budget for an expensive SOC to manage all the security data. And it’s not humanly possible to watch raw data and mentally correlate it in real time, so we had to architect an environment that relied on centralized automation with minimal security-specific skill sets,” Hafeez says. Automation leverages current resources and skills, he adds, and SIM was the least costly way to absorb security into the network management infrastructure.

A configuration board, comprising managers responsible for security, operations and applications, spearheaded the SIM project. All board members participated in the SIM tool selection.

“Most of the SIM tools at that time were too complex and lacked the integration, incident response and reporting features we needed,”says Hafeez, who settled on nFX (which starts at $40,000 to cover 10 servers) because of its real-time notification and seamless integration with MHSA’s existing security technologies.

The SIM project paid for itself not only by streamlining event discovery and mitigation but also because it aggregates raw event information for more efficient storage – easily helping MHSA meet the three-year retention mandate, Hafeez says. With real-time correlation on actionable events, the SIM project also has been successful at involving the business units in making informed decisions as events unfold.

For example, after evaluating the SIM data taken from the Welchia virus, MSHA realized it needed to audit and review firewall rules periodically and to better protect the 1,200 remote laptops used by field inspectors and trainers logging in from insecure access points around the world. So Hafeez’s team streamlined and automated patch management using Shavlik Technologies’ HFNetChk Pro and Microsoft Systems Management Server, implemented a remote access policy using Juniper Networks’ SSL VPN gear and is working toward deploying Sygate On-Demand software for laptop security policy enforcement.

“Just being in paper compliance doesn’t do much for actual security,” Mattos says. “With Syed’s guidance, we understood we needed automated assistance to augment and correlate the stand-alone security systems we already had in place. We needed a SIM solution.”

Radcliff is a freelance writer in Northern California. She can be reached at deb@radcliff.com.

| Next industry: Healthcare >

More Government profiles