Powering Up Log Auditing

By Michael A. Gips

With great power comes great responsibility. For NiSource, a Merrillville, Indiana-based holding company that, through 16 subsidiaries, provides gas and electricity to much of the United States east of the Mississippi, one major component of that responsibility is ensuring that information systems remain secure from hackers and insider threats. To address that concern, the company went in search of a better way to oversee system security.

While tools such as firewalls and intrusion detection systems were in place, a system for monitoring the network to ensure compliance with established IT security policies was not, says Senior Infrastructure Security Analyst Pete White. "We had all sorts of NT domains and controllers, and no one was looking at the logs" unless a specific problem arose, says White. Finding the source of a problem required digging through stacks of log entries.

The search began in mid-2002, when NiSource began looking for IT security event managers, software that could help build and apply security policies for the purpose of stopping intrusions or malicious insider activity and improving efficiency. With new federal regulations being rolled out and various sets of IT security guidelines present in the energy sector, such software could help NiSource comply with regulatory requirements and best practices. It would also help managers keep a handle on NiSource's 8,000 employees and thousands of pieces of hardware, including 7,500 PCs and 1,000 servers.

White looked at four or five such software products in search of a tool that would gather logs from operating systems and other applications that the company was using and compare them to a set of rules. Having experience with real-time alerts, White realized that such alerts could be overwhelming if not limited to true emergencies; thus, he was more interested in auditing features than in real-time event management.

NiSource tested these products in evaluations ranging from three to 30 days. Each required a time commitment "to get them tuned properly," White says. Most of the products specialized in real-time events, which yielded loads of false positives. For example, on some domain controllers--which manage user access to specific network resources--if an administrator logged on in the middle of the night, White received an alert. "You want to see that, but not alert on it," he says. When he tried to eliminate these real-time alerts, the software passed over activity that he did want to see.

In addition, NiSource's IT staff was already getting real-time alerts from its firewalls and intrusion detection systems. "Going through everything and putting all alerts on one platform would be a headache," states White.

The one tool that didn't overwhelm White with alerts was the InSight Security Manager from Consul Risk Management Inc., which is dually headquartered in Delft, the Netherlands, and Reston, Virginia. The program acts more as an audit tool in picking out activity that violates security policy. It helps create a security policy for every platform based on templates containing regulations and best practices.

NiSource started with InSight's minimal basic rule set and then customized it for the company's environment. That meant watching the software closely to see which types of activities it would flag or let pass. Any acceptable activity that happened to be flagged by InSight would be made an exception to the rule that prohibited it. If enough exceptions riddled the rule, those exceptions would form the basis for a new rule, White explains.

For example, he says, the company has a large Microsoft Systems Management Server (SMS) that removes from staff a lot of the administrative burden of supervising almost 9,000 Windows devices. The SMS installation accounts for 25 percent of all logged activity. Many of the activities performed on that system were perfectly acceptable but were being flagged by InSight nonetheless. These exceptions formed the basis for changing that rule. Once the software was tweaked to NiSource's satisfaction, White found that it effectively identified policy violations without alerting him about every small anomaly.

NiSource originally purchased the software and a limited number of licenses (licenses are granted for devices, not users) to keep track of devices and to monitor some of its Windows domain controllers. After seeing what the product could do, the company quadrupled the number of licenses, for a total cost of about $130,000, White says.

Consul sent an engineer to NiSource to install the product and to train the IT staff on the software and its use. Several months after the system went online, an unrelated hardware failure caused it to crash. But with some help from Consul staff, White was able to get the software back up quickly.

The support for the reinstall, as in general for the product, was excellent, White says. For instance, after White activated real-time alerting to give that function a test run, he failed to terminate the function cleanly, causing databases to lock up. Consul had White send in system data so that the company could investigate the problem. "They went through it in half a day and helped me delete the offending records," according to White. "In a couple of weeks they had a patch for what I had done. The patch completely fixed the problem."

White has now set up policies for machines, people, and events. For example, domain administrators have their own set of policies. If an administrator account shows an attempt to get in with an incorrect password in the middle of the night (which might indicate an outsider seeking administrator privileges), that activity will be highlighted in the logs. As far as policies for certain machines, one example is that anyone servicing the system can only log in from three specific PCs. "If they log in anywhere else, I want to know about that," White explains.
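The tuning process described above (a rule flags activity, acceptable activity becomes an exception, and a rule riddled with exceptions is rewritten) and the people and machine policies just mentioned can be illustrated with a small audit-rule engine. The following is an added example written for this article; it is not Consul's code and says nothing about how InSight is implemented internally. The log line format, the account names, the approved service PCs, and the "after hours" window are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Tuple


@dataclass
class LogEvent:
    ts: datetime
    user: str
    host: str    # machine that recorded the event (e.g. a domain controller)
    action: str  # logon_success, logon_failure, remote_install
    source: str  # where the activity originated (workstation name or address)


def parse_line(line: str) -> LogEvent:
    """Parse one constructed 'timestamp key=value ...' audit line into a LogEvent."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return LogEvent(datetime.fromisoformat(ts_text), fields["user"],
                    fields["host"], fields["action"], fields["source"])


Match = Callable[[LogEvent], bool]


@dataclass
class Rule:
    """An audit rule: a match predicate plus the exceptions that excuse a match."""
    name: str
    matches: Match
    exceptions: List[Match] = field(default_factory=list)

    def violates(self, ev: LogEvent) -> bool:
        return self.matches(ev) and not any(exc(ev) for exc in self.exceptions)


# Constructed assumptions for the policies below.
DOMAIN_ADMINS = {"dadmin"}
APPROVED_SERVICE_PCS = {"svc-pc-01", "svc-pc-02", "svc-pc-03"}
SMS_SERVER = "sms-server"


def after_hours(ts: datetime) -> bool:
    """Assume 22:00-06:00 is outside normal administrative hours."""
    return ts.hour < 6 or ts.hour >= 22


RULES = [
    # People policy: a failed admin logon in the middle of the night is highlighted.
    Rule("admin-failed-logon-after-hours",
         lambda e: e.user in DOMAIN_ADMINS and e.action == "logon_failure"
         and after_hours(e.ts)),
    # Machine policy: service accounts may only log in from three specific PCs.
    Rule("service-logon-from-unapproved-pc",
         lambda e: e.user.startswith("svc_") and e.action == "logon_success"
         and e.source not in APPROVED_SERVICE_PCS),
    # Generic rule with an exception: remote installs pushed by the
    # management server are routine, so they are excused rather than flagged.
    Rule("remote-software-install",
         lambda e: e.action == "remote_install",
         exceptions=[lambda e: e.source == SMS_SERVER]),
]


def audit(events: List[LogEvent], rules: List[Rule]) -> List[Tuple[str, LogEvent]]:
    """Return (rule name, event) pairs for every policy violation."""
    return [(r.name, e) for e in events for r in rules if r.violates(e)]


def tuning_report(events: List[LogEvent], rules: List[Rule]) -> Dict[str, Tuple[int, int]]:
    """Per rule: (raw matches, matches excused by an exception).

    When the excused count approaches the raw count, the exceptions are
    describing normal activity and the rule itself should be rewritten.
    """
    report = {}
    for r in rules:
        matched = [e for e in events if r.matches(e)]
        excused = [e for e in matched if not r.violates(e)]
        report[r.name] = (len(matched), len(excused))
    return report


# Constructed sample log; not real NiSource data.
SAMPLE_LOG = """
2002-09-14T03:12:00 user=dadmin host=dc01 action=logon_failure source=203.0.113.7
2002-09-14T03:15:00 user=dadmin host=dc01 action=logon_success source=admin-ws
2002-09-14T10:00:00 user=svc_backup host=fs01 action=logon_success source=svc-pc-02
2002-09-14T10:05:00 user=svc_backup host=fs01 action=logon_success source=lobby-kiosk
2002-09-14T11:00:00 user=sms_svc host=ws-0412 action=remote_install source=sms-server
2002-09-14T11:30:00 user=jdoe host=ws-0099 action=remote_install source=ws-0077
""".strip().splitlines()


def run_sample() -> List[str]:
    """Audit the constructed log and return the names of the rules that fired."""
    events = [parse_line(line) for line in SAMPLE_LOG]
    return [name for name, _ in audit(events, RULES)]


if __name__ == "__main__":
    events = [parse_line(line) for line in SAMPLE_LOG]
    for name, ev in audit(events, RULES):
        print(f"{ev.ts.isoformat()} {name}: user={ev.user} source={ev.source}")
    print(tuning_report(events, RULES))
```

Three of the six constructed events are reported: the night-time failed admin logon, the service-account logon from an unapproved PC, and the remote install that did not come from the management server. The successful admin logon at 03:15 is recorded but not reported, matching the distinction between "seeing" and "alerting on" activity. The tuning report shows the remote-install rule matching twice with one match excused; in a real environment where a management server accounts for a quarter of all activity, that excused share would dominate, which is the signal to rewrite the rule rather than keep piling on exceptions.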

InSight has helped to identify anomalies quickly, the vast majority of them innocuous. In one case, the software identified a device in one domain that was touching every domain controller in the enterprise at four in the morning. The problem turned out to be that someone in that domain was using a print server that, never having been told where to look for printers, was searching through all the controllers on its own. "What we thought was nefarious, wasn't," White says.

When InSight does discover a bona fide issue, it tends to be minor. One common example is an administrator creating a test ID to perform a certain operation or task, then forgetting about it. InSight finds this ID and identifies it as not complying with standards. Since InSight is a passive tool, it's up to the system administrator, White, or his staff to identify "the wayward administrator," determine when he or she created the ID, and have that person deactivate it.

The result of the thorough oversight is peace of mind. "We didn't think that there was anything earth-shattering in our environment, and Consul pretty much confirmed that," says White.

Still, White is seeking some improvements in the new version of the software, which was scheduled to have been released by press time. NiSource's current version, 4.5, is text-based with bar graphs, White says. Thus, reports lack the ability to graphically show to management at a glance what trends the software has been detecting. Version 5.0 is supposed to be much more management-friendly and graphics-oriented, he says.

Consul is also offering modules designed to help users comply with ISO 17799 (which recommends that organizations create a data-logging infrastructure), the Gramm Leach Bliley Act (which mandates the protection of customer information), and Sarbanes-Oxley (which requires companies to certify the effectiveness of internal controls used in financial reporting).

White is pleased with the system, but he says users shouldn't expect it to work perfectly out of the box, or even be able to test it effectively in only 30 days. "If you're looking for something that will be 100 percent operational in the door, you can't do that with this," White says. "You really have to customize it to your environment. But once it's customized, it's great."

(For more information: Ron Bonhagen, inside sales manager, Consul Risk Management, Inc.; phone: 703/547-4111; e-mail:

--By Michael A. Gips, a senior editor at Security Management magazine
