Ventura Customer Service Management Ltd. operates a wide range of networks on behalf of its customers, providing over-the-phone consulting, document management, IT services and sales and revenue generation. For that kind of operation, system uptime, of course, is a crucial measure of success.
That means the company has to deal with a lot of logs in a variety of different formats in order to monitor network activity.
Since implementing the security event log management product from LogRhythm Inc. earlier this year, Mark Wityszyn, IT security manager at call centre company Ventura Customer Service Management Ltd, has been able to organize his logs in a way that provides more valuable information about security incidents and the performance of his networks.
Based in Leeds, Ventura is a subsidiary of the Next Group, which includes the Next chain of fashion stores. It employs more than 8,000 people and offers its services to nearly 30 organisations, including O2 Media Inc., British Sky Broadcasting Group plc and the Department for Work and Pensions (DWP).
Wityszyn joined the company in 2008 with the task of building up the IT security function within Ventura. "Knowing what was going on in the network was absolutely key for me," he said. "But I didn't just want log management. I wanted correlation and alarm information rather than just archiving and reports."
At the time, each client team in Ventura had the task of monitoring its own systems' logs, and that could be onerous and repetitive work.
Wityszyn set about looking at the various log management systems on the market. "Some products were easy to deploy but were quite limited in the kinds of reports they could produce. Others promised to do everything for me but they were asking for silly money. Some other products could only collect logs from a limited range of devices."
It was a visit to the Infosecurity Europe conference in 2009 that led Wityszyn to LogRhythm. A half-hour demonstration on the stand convinced him he had found the right product. "I had a quick look at the system, and found I could do searches and, if necessary, drill down to the detail of the original Windows event log," he said. "That really got me. I could find what I wanted very easily. The other vendors I saw just didn't compete."
The system is now up and running, and can connect to all network devices. It takes all the different logs and normalises the information so it can be analysed in one format.
Each log message is tagged in LogRhythm with a distinct Common Events type -- for instance, "Authentication Failure," "Account Modified" or "Application Error." This means that regardless of which operating system or application has that type of event, LogRhythm tags them all in the same way.
The standardisation makes it easy to build an alarm, Wityszyn said. "I can just select "Authentication Failure" from host A, or subnet, or group of machines, or all machines or operating system types, within a specific time range and number of occurrences within that time, and for any other information in the log message such as username or IP address," he said.
"I can parse the logs using regular expressions, which gives me almost unlimited flexibility."
It means Wityszyn can now use LogRhythm to look for certain patterns of events across multiple devices, and to create an immediate alert if any of those patterns occur. This is done by creating specific use cases, or possible scenarios.
For example, if his intrusion prevention system rates an event above a certain score, an email alert goes out to the out-of-hours support staff detailing which subnets are involved in the alert.
For another case, he wrote a bespoke log parser in LogRhythm for a remote access system so that system administrators would receive an email alarm for specific application errors only when there were 10 alerts in 10 minutes.
"The ultimate aim is to understand what is going on in the network in real time. The system allows me to write the rules and set alarm conditions to give me that understanding," he said.
Wityszyn describes his approach as "protective monitoring" -- in other words, using the logs to provide an instant feedback on events. He admits that it will be a never-ending process. "We get in around 20 million logs a day, and we are still developing the system," he said. "We're quite comfortable with what we have so far, and now it's just a question of creating the new use cases and alarms."
One benefit of the product is that it allows Ventura to consolidate security reporting and operational error reporting. With the security event log management centralised, Wityszyn said he can now ensure all is running well. "I can get a very good sense of what's happening with one hour of mining the logs -- that covers the whole AD estate, the Unix servers and so on. And I'll also find new things to fix while I'm doing it," he said.
As for the client teams who previously had to manage the logs themselves, the picture has changed radically. They rely on the LogRhythm alarms for all out-of-hours support, and if they come across a new type of situation they would like to have monitored, they will just request a new alarm to be set.
One other major benefit of the system is that it has helped Ventura achieve PCI DSS compliance. The standard requires the keeping of logs, and as Wityszyn concedes, "PCI DSS allowed us to get the funding."
The current system, however, does not yet give the sophisticated level of correlations he would like. "Our currently deployed version is driven from single events. So I can say 'alert me on 200 failed logins for one machine in 10 minutes,' but I cannot say explicitly 'alert me on 200 logins followed by a successful login for the same user in 10 minutes."
That facility is available with LogRhythm Harmony Appliance. "I am writing a business case for that at the moment," he said.