When it comes to ensuring network security, the bar's set high for Energy Federal Credit Union. The Rockville, Md., institution is the credit union for the Nuclear Regulatory Commission and the Department of Energy, and therefore a likely target of organized hackers.
The $104 million-asset, 15,494-member Energy Federal did itself a favor, however, by hiring Ted Carmack as its information systems manager. Carmack was a chief network technician at NASA, where he had a 22-year career. Before that he spent eight years in the Navy working as an electronics technician and a power plant operator on a nuclear submarine. Both are jobs where standards for security and stability can be "life-critical," meaning the systems involved must be managed to perform safely at all times, because a failure could cost lives. But since a small credit union has nowhere near the spending capacity of an institution like the Navy, Carmack had fewer resources to work with when he was hired at Energy Federal in October 2005. "We're a credit union," he says. "We don't have much money. So the primary goal was to do everything I could to give us the best possible security on our network that I could achieve." Ronald P. Roy, Energy Federal's chief executive, handed Carmack a three-inch binder of security issues and said, "'Here, fix these,'" Carmack says. Within a year, the binder was reduced to about a half-inch, and an outside company that performed a follow-up security review said the CU had either met or exceeded all applicable standards in the industry.
But late in 2007, an examiner from the National Credit Union Administration advised Energy Federal to install a log aggregation management tool that could monitor everything occurring on the CU's servers, switches, routers and firewalls, and red-flag anomalous activity.
"The first thing I thought of was, 'That's going to be so much data it's going to be impossible to find anything in it,'" Carmack says. Energy Federal had been mainly monitoring its Cisco PIX firewall using a log management tool called Sawmill from Flowerfire to spot problems along the first line of defense.
But by that time, security information and event management solutions had become available that sift the network deluge across all systems to spot oddities and report them to staff. Such systems are marketed as being able to alert IT staff to network anomalies faster, and to parse logs in a more user-friendly fashion, than traditional log management apps. What Carmack says was especially attractive to him about TriGeo's SIEM, a customizable solution now owned by SolarWinds, was the system's "USB-lockdown" feature, which disables mobile device connections to personal computers, workstations and servers. "Thumb drives, iPhones, MP3 players are all immediately blocked," Carmack says. "That plugs a huge gaping hole out on the network."
Since deploying the appliance on April 21, 2009, Carmack says his three-person team can spot the nasty needles in the haystack much more quickly, and thus work sooner to mitigate problems, instead of being lost among the megabytes of daily event logs. The SolarWinds solution pinpoints and flags any unusual activity via filters that administrators configure, while emails, texts and "flashing" tabs within the interface make users aware of attacks, glitches or vulnerabilities, so they can be swiftly addressed. In January the system alerted Carmack to what turned out to be a failed switch.
"You set up rules to monitor the things that you think are important to pay attention to," he says. "Then you let the software do the monitoring for you. It's like having three extra people on my staff without hiring anybody." Last summer, Carmack set the system to monitor failed log-ins, since too many of them can be a sign of attempted password cracking, so that related intrusions could be headed off. Competing solutions include Attachmate's NetIQ (Novell) Sentinel; Dell's SecureWorks; Hewlett-Packard's ArcSight; and Prism Microsystems' EventTracker. Energy Federal paid $33,000 for the TriGeo box, but received a gratis upgrade to a $60,000 version of the system, Carmack says, after making a customer referral. "I'm getting the equivalent of three network admins for about $30,000," he says. The SIEM appliance currently runs on a dedicated server; plans are to virtualize the service in a coming upgrade. "It would mean one less machine running back there, because you don't have to buy any hardware," Carmack says. "You just need to buy their software licensing. That would reduce the heat-load on my server room; cut space and rack requirements; and slash the amount of power I have to provide my UPS [uninterruptible power supply] to keep things running if there's a power outage."
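The failed-log-in rule described above, written out as an added illustration that is not part of the article or of the TriGeo/SolarWinds product: a sliding-window threshold over constructed sshd log lines, so a single mistyped password stays quiet while a rapid burst against one or several accounts raises an alert. The host names, accounts, addresses, and the threshold and window values are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events in a syslog-like layout (not logs from the
# credit union's systems); host names, users and addresses are made up.
SAMPLE_LOG = """\
2009-08-03T09:00:01 fs1 sshd: Failed password for admin from 10.0.5.20
2009-08-03T09:00:03 fs1 sshd: Failed password for admin from 10.0.5.20
2009-08-03T09:00:04 fs1 sshd: Failed password for root from 10.0.5.20
2009-08-03T09:00:06 fs1 sshd: Failed password for admin from 10.0.5.20
2009-08-03T09:00:07 fs1 sshd: Failed password for backup from 10.0.5.20
2009-08-03T09:00:09 fs1 sshd: Failed password for admin from 10.0.5.20
2009-08-03T09:05:00 fs1 sshd: Failed password for alice from 10.0.9.14
2009-08-03T09:05:30 fs1 sshd: Accepted password for alice from 10.0.9.14
2009-08-03T10:00:00 fs1 sshd: Failed password for bob from 10.0.9.15
2009-08-03T12:00:00 fs1 sshd: Failed password for bob from 10.0.9.15
"""
# Only the two sshd password outcomes matter to this rule; other lines are ignored.
LINE_RE = re.compile(
    r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def detect_failed_logins(log_text, threshold=5, window_seconds=60):
    """Alert when one source accumulates `threshold` failed log-ins inside a
    sliding window of `window_seconds`. One mistyped password never trips it;
    a rapid burst, even spread over several accounts, does."""
    recent = defaultdict(deque)  # source -> (time, account) of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "Failed":
            continue
        ts = datetime.fromisoformat(m.group(1))
        user, src = m.group(3), m.group(4)
        win = recent[src]
        win.append((ts, user))
        # Drop failures that have aged out of the window.
        while (ts - win[0][0]).total_seconds() > window_seconds:
            win.popleft()
        if len(win) == threshold:  # fires once per burst, not on every extra failure
            alerts.append({"source": src, "failures": len(win),
                           "accounts": sorted({u for _, u in win}),
                           "first": win[0][0].isoformat(), "last": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOG):
        print("ALERT", alert)
```

With the defaults, only the six-failure burst from 10.0.5.20 raises an alert; the lone failure from 10.0.9.14 and the two failures hours apart from 10.0.9.15 do not.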
BANK: Energy Federal Credit Union, Rockville, Md.
PROBLEM: An examiner wanted Energy Federal to improve network monitoring.
SOLUTION: The CU deployed an appliance that reports peculiarities across all systems.