Collecting millions of security incident alerts without the manpower to interpret them doesnt do much to improve security. Just ask health insurer Priority Health, whose security staffers had been drowning in alerts from the firms firewalls, intrusion detection system (IDS), and system logs, trying to separate real threats from the false alarms.
Priority Health, which has 500,000 customers, was getting frustrated with the time-consuming and tedious process -- as were its auditors. So the firm, which provides health care insurance to 100 acute-care hospitals and over 12,000 doctors and other health care providers in Michigan, had to better integrate its security tools and the data it was generating.
HIPAA-compliance pressure was on, too: Because of emerging HIPAA reporting regulations regarding log activity, we needed to monitor the activity on our systems and network more closely than we had in the past, says Tim Maletic, information security engineer at Priority Health.
Priority Health purchased ArcSights ESM, a security information management (SIM) product, about two years ago to provide more integration and better visibility across its security infrastructure. We had relied on a number of individual security silos: firewall logs, IDS events, and operating system events, so there was no easy way for a security administrator to get a complete view of what was happening, says Paul Melson, information security officer at Priority Health.
Its a good thing we didnt buy the other products -- none of those vendors are still around, Maletic quips.
And at the end of last year, the company added ArcSights Logger, a turnkey appliance that simplifies the capture and analysis of security log data. When the auditors show up each year, we can quickly generate reports that illustrate what was happening on our network and how we responded to suspicious activities, Maletic says.
Meanwhile, the ArcSight ESM SIM, which cost the firm about $50,000, made sense because it was able to work with various types of vulnerability data. The insurer also liked the design of ESMs central console interface and its ability to correlate different security events.
Priority Health first installed ESM in a small deployment that collected information from a handful of Internet-facing systems, such as its firewalls and operating system logs, all sitting in its DMZ. That configuration alone lowered the number of incoming security incidents from millions to hundreds, and also provided the security staff with more detailed information about each of the events.
We could now take a single event and put it into context with a few clicks of the mouse, Melson says. We no longer had technicians spending an hour or two trying to figure out whether an event was a threat or not.
Its also easier to determine whether multiple password attempts, for example, are the result of a user fat-fingering or forgetting his or her password, or an attacker probing the companys network.
Priority Health also integrates its Microsoft Active Directory security logs (basically anyone logging in, logging out, or changing data) to ESM, as well as system logs from the companys Unix servers and its Websense Web-filtering monitor. Most off-the-shelf security software is unable to keep pace with rapidly changing malware, said Melson, who estimates that 30 percent to 40 percent of malware goes undetected by currently-available tools.
Melson says although the health care insurer is content with ArcSight ESMs features, Priority Health would like to see the product more tightly integrate with its asset management system. We can load information from [the asset management system] into ESM now, but the process is not as quick and seamless as we would like it to be, he says.
Meanwhile, Priority Health considers its security information management implementation a competitive edge. Because ESM automates the evaluation of our daily security incidents, we now have more efficient security practices than our competitors, and that ability provides us with a competitive edge, Melson says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.