WNS Global Services, the leading BPO company based out of Mumbai which serves more than 250 customers worldwide, has to meet several regulatory and contractual requirements of its clients as well as information protection mandates. To deal with these issues, WNS recently implemented a comprehensive Security Incident and Event Management (SIEM) tool at its security operations center for the effective management of logs and security incidents.
The need to meet its clients' contractual and regulatory requirements was the prime reason for WNS' SIEM tool adoption. "The retention of logs for a specific period is crucial from the historical evidence perspective. We are talking about 40 terabytes per year of storage required to store security logs for critical systems and network infrastructure for a company of our size," says Arup Chatterjee, the chief information security officer of WNS. Earlier, the company used a Syslog-based log management tool for firewalls and routers, while an SMB Windows log management tool was used for Microsoft Active Directory. However, the company soon realized that these tools could not handle a log volume of 4,000 to 7,000 events per second (EPS). WNS runs security infrastructure at 21 different sites, consisting of domain controllers, firewalls, antivirus, Active Directory and IPS, which called for an intelligent, high-capacity log management tool.
"The consolidation of events from all these different sources under one umbrella was necessary for real-time visualization of attacks taking place in our environment. We wanted visibility into both internal and external attacks," says Chatterjee. The mere collection and storage of logs wasn't enough for WNS; it also wanted to get actionable intelligence from real-time analysis of these logs. This was possible only through a full-fledged SIEM tool.
WNS has 21,000 employees accessing multiple applications, all of which are integrated with Active Directory setups for authentication. Real-time visibility and understanding of user activity were also key reasons for adoption of the SIEM solution, explains Chatterjee.
Search for the right SIEM tool
Chatterjee took more than a year to research and identify the right product, since a massive investment was required to set up a SIEM platform. Centralized log collection from remote locations with minimal use of bandwidth, the capacity and scale to deal with high volumes of data (between 4,000 and 7,000 EPS), and the intelligence to turn raw logs into human-readable information were some of the top criteria for the SIEM tool's selection. Although the market offered several SIEM tools, Chatterjee shortlisted only three solutions (RSA Envision, NetForensics and ArcSight) after his research. WNS finally decided to go in for ArcSight's SIEM tool due to its ability to handle large log volumes and because it offered intelligence beyond the other product suites.
WNS has gone in for a hardware-based SIEM solution from ArcSight. The company has adopted a combination of two solutions (servers), ArcSight Logger and ArcSight Enterprise Security Manager (ESM).
ArcSight Logger can hold up to 40 TB of logs on a 6.4 TB storage box thanks to a 10:1 log compression ratio. Logger mainly stores and serves real-time logs in Common Event Format (CEF). The Logger appliance receives data from remote log collectors, which perform log normalization and compression before forwarding, and thus save a significant amount of production bandwidth. The Logger covers almost 80% of WNS infrastructure, which includes firewalls, IPS, antivirus (AV) and the Active Directory setup. WNS currently generates logs at the rate of 25 GB per day.
After an event enters Logger, it is forwarded to ArcSight ESM, which mainly provides intelligence through event correlation and analysis. ESM can sift through millions of log records to find critical incidents. These incidents are then presented by the SIEM tool to the security administrator through real-time dashboards, notifications or reports. The real-time dashboard allows administrators to drill down into various categories including AV, IPS, firewalls and proxies. The SIEM solution provides a real-time view of current connections, websites being accessed, worm activity (from AV and IPS correlation), systems being attacked by viruses, Windows events (account creation, account deletion, etc.), users with the most log-in failures, top attacks by geographic location, and potential reconnaissance activities.
Chatterjee added that the solution even allows WNS to visualize each attack with the flag of its country of origin, or to look up the originating location through a simple integration with Google Earth.
The implementation took about 3 months. According to Chatterjee, product selection was the foremost challenge of the SIEM implementation, followed by the learning curve and setting up the system with minimal impact on network and resource utilization during the log collection process.
The new SIEM tool has helped WNS to keep a strict watch on external threats such as bots and worms, and on internal risks such as fraud and theft. Chatterjee also gives an example of how the SIEM implementation helps WNS to maintain high productivity. "In a BPO environment, people do not get too many breaks. As a result, people intentionally lock their accounts at times to buy downtime. The SIEM tool has the capability to give notification of the top users whose accounts get locked frequently, which helps you identify patterns of individual behavior and define process-level controls to minimize such occurrences."
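The pipeline described above (collectors normalize events into CEF, Logger stores them, ESM correlates them into dashboard items such as "users with the most log-in failures", "worm activity from AV and IPS correlation" and the frequent-lockout notification Chatterjee mentions) can be illustrated with a small script. This is an added example, not WNS's configuration or ArcSight's code: it parses CEF lines, then runs three toy correlation rules over a constructed sample. The CEF header layout and extension keys (`suser`, `duser`, `src`, `dst`, `dvchost`, `rt`, `cat`) are standard CEF, but the vendor names, signature IDs and the assumption that an AV event carries the infected host in `dst` while an IPS scan event carries the scanning host in `src` are constructed for the example.

```python
"""Toy SIEM pipeline: parse CEF events, then run three correlation rules.

Added illustration, not WNS's configuration or ArcSight's code. The sample
events and the AV/IPS field mapping are constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample events, one per line. Windows 4625 = failed logon and
# 4740 = account locked out are real event IDs; the AV/IPS vendors, signature
# IDs and 'cat' values are invented. 'rt' is receipt time in epoch milliseconds.
SAMPLE_CEF = r"""
CEF:0|Microsoft|Windows|6.1|4625|An account failed to log on|5|rt=1000000 suser=alice dvchost=DC01
CEF:0|Microsoft|Windows|6.1|4625|An account failed to log on|5|rt=1001000 suser=alice dvchost=DC01
CEF:0|Microsoft|Windows|6.1|4625|An account failed to log on|5|rt=1002000 suser=bob dvchost=DC02
CEF:0|Microsoft|Windows|6.1|4625|An account failed to log on|5|rt=1003000 suser=alice dvchost=DC03
CEF:0|Microsoft|Windows|6.1|4740|A user account was locked out|7|rt=1004000 duser=carol dvchost=DC01
CEF:0|Microsoft|Windows|6.1|4740|A user account was locked out|7|rt=1005000 duser=carol dvchost=DC01
CEF:0|Microsoft|Windows|6.1|4740|A user account was locked out|7|rt=1006000 duser=dave dvchost=DC02
CEF:0|ExampleAV|Endpoint|9.0|AV-1001|Worm\|Generic detected|8|rt=2000000 cat=Malware dst=10.1.2.17 fname=svc\=host.exe
CEF:0|ExampleIPS|Sensor|3.2|IPS-4455|SMB scan sweep|6|rt=2030000 cat=Scan src=10.1.2.17 dst=10.1.2.0/24
CEF:0|ExampleIPS|Sensor|3.2|IPS-4455|SMB scan sweep|6|rt=2900000 cat=Scan src=10.1.2.99 dst=10.1.3.0/24
"""

_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                  "signature_id", "name", "severity")
# Split the extension only where the next 'key=' begins, so values keep spaces.
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")


def parse_cef(line):
    """Parse one CEF line into a flat dict (header fields plus extension keys).

    In the header, '|' and '\\' may be escaped with a backslash; in extension
    values, '=' and '\\' may be escaped the same way.
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:20])
    body, fields, cur, i = line[4:], [], [], 0
    while i < len(body) and len(fields) < 7:      # 7 pipe-terminated header fields
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped character: keep literally
            cur.append(body[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(_HEADER_FIELDS, fields))
    sev = event["severity"]
    event["severity"] = int(sev) if sev.isdigit() else sev
    for pair in _EXT_SPLIT.split(body[i:].strip()):
        if "=" in pair:
            key, value = pair.split("=", 1)
            event[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return event


def top_login_failures(events, n=3):
    """Dashboard item: users with the most failed logons (Windows 4625)."""
    counts = Counter(e["suser"] for e in events
                     if e["product"] == "Windows" and e["signature_id"] == "4625" and "suser" in e)
    return counts.most_common(n)


def frequent_lockouts(events, threshold=2):
    """Notification: accounts locked out at least `threshold` times (Windows 4740)."""
    counts = Counter(e["duser"] for e in events
                     if e["product"] == "Windows" and e["signature_id"] == "4740" and "duser" in e)
    return sorted((user, c) for user, c in counts.items() if c >= threshold)


def worm_activity(events, window_ms=60_000):
    """AV/IPS correlation: a host that had a malware detection (AV event, dst)
    and within `window_ms` starts scanning (IPS event, src) is flagged."""
    av_times = defaultdict(list)
    for e in events:
        if e.get("cat") == "Malware" and "dst" in e:
            av_times[e["dst"]].append(int(e["rt"]))
    flagged = set()
    for e in events:
        if e.get("cat") == "Scan" and "src" in e:
            t = int(e["rt"])
            if any(0 <= t - t_av <= window_ms for t_av in av_times.get(e["src"], [])):
                flagged.add(e["src"])
    return sorted(flagged)


def run(lines=None):
    """Parse the given CEF lines (default: the constructed sample) and run all rules."""
    events = [parse_cef(l) for l in (lines or SAMPLE_CEF.strip().splitlines())]
    return {"login_failures": top_login_failures(events),
            "lockouts": frequent_lockouts(events),
            "worm_hosts": worm_activity(events)}


if __name__ == "__main__":
    for rule, result in run().items():
        print(rule, result)
```

The three rules are deliberately simple counters and a time-window join; a production SIEM such as ESM maintains these as continuously updated data monitors and active lists rather than re-scanning the whole event set, but the logic an analyst tunes (which event IDs count, what threshold, how wide the correlation window) is the same.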
WNS now intends to integrate its physical access control system with its SIEM tool. This would give the company a combined view of physical and logical controls, covering user access to both the premises and the IT components, so that all events related to a particular individual can be pulled up in near real time.