Chicago Exchange Buys Into SIM

Despite the enormous engine of the Chicago Stock Exchange (on June 6 alone its share volume was more than 54 million shares), its IT department comprises just two members: information security analyst Mike Ryan, and his boss, Chris Brown, vice president of IT operations. And because network security is of vital importance to CHX, they are very busy men. The pair tackles as much work as a team of ten or more professionals.

CHX is an auction market for the sale and purchase of equity securities. It has roughly 200 member organizations that hold 450 seats and is a self-regulatory organization under the oversight of the U.S. Securities and Exchange Commission (SEC). Ryan and Brown service 200 employees, 500 workstations, and 150 servers. Running so lean, Ryan says he frequently feels as though he needs to be in multiple locations at once. "We had all this data out there, and we wanted to take a proactive approach to things," he says. "We don't have staff to look over everything."

So, 18 months ago, CHX implemented TriGeo Security Information Manager (SIM) 3.0, a self-contained appliance that runs on a hardened version of Linux. CHX found TriGeo at a tradeshow in late 2004; the product was appealing because it specifically targets midsize business and is priced to appeal to that market segment. (CHX would not divulge what it spent.) The exchange evaluated the product for a short period before implementing it in January 2005.

A key feature was TriGeo's ability to create efficiencies for CHX. "TriGeo saves me at least 15 hours a week," according to Ryan. "Now I can be proactive, not reactive. It does the job of at least one other person."

The product functions as a superhuman pair of eyes within the network, identifying security threats using policies Ryan and Brown created and tuned to the CHX environment. Because it handles sensitive financial transactions, CHX has stringent security requirements. The SIM product allows CHX to respond within moments of a security infraction occurring.

One of the exchange's biggest concerns is that employees will mistakenly, or intentionally, cause a security breach. CHX has a standard complement of security wares: an intrusion detection system (IDS), firewall, antivirus software, each with its own console. CHX keeps many logs, which means there are a lot of areas to keep tabs on.

"Back before we had TriGeo," Ryan says, "I had six or seven consoles open at one time, each with its own way of alerting you when there was a problem. And not all of them had very sophisticated ways of showing you that information. I couldn't write rules on these consoles to look for things that I wanted to look for."

For example, he found the antivirus software console too cluttered and difficult to retrieve priority information. TriGeo's solution, which comes bundled with an installed and fully configured version of Snort, integrates CHX's network security products and operating systems, collects their data in real-time, and generates a report based on the Crystal Reports engine. It aggregates, correlates, and filters the data from all these different log files and other data sources into a central console. Then, it "normalizes" that data.

For example, Ryan notes that CHX might have firewalls from three different vendors, each with their own different look and feel. But once that information gets to TriGeo, all the fields are presented in a standard way, so they can be read and understood efficiently.

"The same with user logons. It normalizes user logons for Unix, Linux, and Windows systems, so if I write a rule, I don't have to account for the fact that, 'Oh, it's coming from a Unix system'," Ryan says. "If I want to look for three failed logins on any given box, I only have to write one rule that will look for that."

The system is processing data in real-time, so as soon as something like that failed logon example happens, Ryan can be alerted via the TriGeo console, his email, text messages, or his pager (the latter an option he does not currently use). According to Ryan, the system is also relentless at tracking him down to notify him of security alerts. Features such as event thresholds are configured to ensure he or Brown knows when activity reaches a significant level but does not bury them in continuous alerts. "It's a good tool to help us keep tabs on our system," Brown notes.

CHX has not done a cost analysis on the implementation, but Ryan has observed a tangible increase in productivity. "I don't have to spread myself so thin," he says. "I get to spend more time doing more things instead of babysitting little windows popping up on my computer screen." Since TriGeo logs everything centrally, if he or Brown want to go back and look for something that happened, if they notice one particular user doing something a little irregular, they can go back on and look at what processes were launched and track suspicious activity.

"I don't have to go to every computer I think he might have logged onto and look at thousands of log entries to find out what's going on," he says. "I can investigate specific users. There's no guesswork. I know exactly what I am looking for." The product is boosting productivity, he adds, while enhancing the security of the entire network.

—Jennifer Bosavage, Special to Dark Reading

Companies mentioned in this article: