
CASE STUDY: Achieving full network visibility with SIEM

16 Nov 2017

As a business expands rapidly, or as IT imperatives multiply, it is easy for a cybersecurity team to feel overwhelmed by network monitoring.

With contemporary IT networks growing ever more complex, sourcing the right information and using that data proactively is key; however, it can be hard to find the resources to do this effectively.

This was the situation at global premium appliance manufacturer Sub-Zero, and it was proving to be a real problem for its IT security staff.

Sub-Zero is a rapidly growing business, with over 30 locations, including multiple manufacturing facilities and numerous showrooms featuring high-end appliances and unique customer experiences.

However, as the company grew, its IT security team struggled to keep up with the network monitoring required to keep the company secure.

Tyler Novogoratz, Sub-Zero IT supervisor for security and disaster recovery says, “Our leadership and human resources teams were inquiring about user activity on our network. I didn’t have a good way to pull that information for them.

“We needed a solution that would provide a single point of consolidation for our many sources of logs so that we could easily search and correlate the data. We also wanted to combine all of our monitoring tools into one platform that could alert us when we have security issues.”

Implementation of a solution

Novogoratz and his colleague T.J. Hathaway, Sub-Zero systems engineer level III, knew they needed a SIEM solution, but wanted an approach that best suited them in terms of ease of use and deployment.

They started by looking at the top 10 vendors in the Gartner Magic Quadrant for SIEM, and eventually narrowed the list down to one, choosing LogRhythm as their preferred SIEM solution.

On their decision, Hathaway states “LogRhythm was the obvious choice for us. It’s easy to set up, the web dashboard is very intuitive and easy to navigate, and the out-of-the-box reporting is very important for us.

“For me in particular, the drill-down capability is a big selling point. I can investigate incidents quickly, whereas before it could take hours or days to get the information I needed.”

Benefits

Within a week of implementation, which included configuring the log sources and activating the initial layout, the team began to see major benefits and improvements from the solution.

Hathaway adds, “On the second day of implementation we learned that one of our switches had a bad power supply and we found a bad fibre link in one of our wiring closets. LogRhythm also alerted us to some network routing issues and we were able to take a closer look.”

After approximately eight months, the solution has met all the original objectives of the project.

Novogoratz explains that the LogRhythm solution enables his team to view all logs from a single place, and allows them to proactively monitor the network as issues arise, instead of having to check several disparate systems.

“When we see an issue on a network appliance and another issue on a server, LogRhythm helps us correlate the events so we can better understand the problem and how to investigate it,” he says.

Hathaway also says the reports have simplified his job in a number of ways.

One example is that he frequently uses a report to know when an administrator has changed their password, and he can verify this action with the administrator to be sure the change was legitimate.

This also saves hours of investigation time when an account is locked out and Hathaway needs to know where the administrator was logged in at the time of the password change, since a session on another host still holding the old credentials is a common cause of such lockouts.
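The two workflows described above, a report of administrator password changes and a lockout investigation that locates where the account was logged in when the password changed, can be expressed as simple correlation logic over Windows security events. The following is an added example, not code from the article or from LogRhythm; it uses the documented Windows event IDs 4624 (logon), 4723 (user changed own password), 4724 (password reset by another account) and 4740 (account locked out), but the log line format, account names and host names are constructed for the illustration.

```python
"""Correlate Windows security events for admin password changes and lockouts.

Added example (not from the article). The key=value line format and all
account/host names below are constructed sample data, not real logs.
"""
from datetime import datetime, timedelta

# Documented Windows Security event IDs.
LOGON, PASSWORD_CHANGED, PASSWORD_RESET, LOCKOUT = 4624, 4723, 4724, 4740

# Hypothetical privileged accounts whose password changes must be verified.
ADMINS = {"admin.alice", "admin.carol"}

# Constructed sample log. "ws" is the Workstation Name on 4624/4723/4724
# events and the Caller Computer Name on a 4740 lockout event.
SAMPLE_LOG = """
2017-11-14T07:55:02Z host=DC01 id=4624 subject=- target=admin.alice ws=WS-ADMIN-01
2017-11-14T07:58:40Z host=DC01 id=4624 subject=- target=admin.alice ws=JUMPBOX-02
2017-11-14T08:02:11Z host=DC01 id=4723 subject=admin.alice target=admin.alice ws=WS-ADMIN-01
2017-11-14T08:03:30Z host=DC01 id=4724 subject=admin.alice target=svc.backup ws=WS-ADMIN-01
2017-11-14T08:10:05Z host=DC01 id=4724 subject=helpdesk.bob target=admin.carol ws=HELPDESK-07
2017-11-14T08:41:19Z host=DC01 id=4740 subject=- target=admin.alice ws=JUMPBOX-02
""".strip().splitlines()


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    ev = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = int(value) if key == "id" else value
    return ev


def admin_password_changes(events, admins):
    """Report every password change or reset whose target is a privileged account.

    A reset performed by a non-admin subject is flagged so it can be verified
    with the account owner first.
    """
    report = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in (PASSWORD_CHANGED, PASSWORD_RESET) and ev["target"] in admins:
            kind = "self-change" if ev["id"] == PASSWORD_CHANGED else "reset"
            report.append({
                "time": ev["time"],
                "account": ev["target"],
                "kind": kind,
                "by": ev["subject"],
                "from": ev["ws"],
                "reset_by_non_admin": kind == "reset" and ev["subject"] not in admins,
            })
    return report


def lockout_sources(events, account, lookback=timedelta(hours=24)):
    """For the latest lockout of `account`, list hosts that still held a session
    from before the most recent password change (likely stale-credential sources),
    plus the caller computer reported by the lockout event itself.
    """
    evs = sorted((e for e in events if e["target"] == account), key=lambda e: e["time"])
    lockouts = [e for e in evs if e["id"] == LOCKOUT]
    if not lockouts:
        return None
    lock = lockouts[-1]
    changes = [e for e in evs
               if e["id"] in (PASSWORD_CHANGED, PASSWORD_RESET) and e["time"] <= lock["time"]]
    changed_at = changes[-1]["time"] if changes else None
    cutoff = changed_at or lock["time"]
    last_logon = {}  # host -> most recent logon before the password change
    for e in evs:
        if e["id"] == LOGON and cutoff - lookback <= e["time"] <= cutoff:
            last_logon[e["ws"]] = e["time"]
    return {
        "locked_at": lock["time"],
        "caller": lock["ws"],
        "password_changed_at": changed_at,
        "stale_sessions": sorted(last_logon, key=last_logon.get, reverse=True),
    }


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LOG]
    for row in admin_password_changes(events, ADMINS):
        print(row)
    print(lockout_sources(events, "admin.alice"))
```

In the sample data the helpdesk reset of admin.carol is flagged for verification, and the lockout of admin.alice points back to JUMPBOX-02, where a session was established before she changed her password. In a SIEM the same logic becomes a saved report (the password-change filter) and a drill-down from the 4740 event to that account's prior 4624 logons.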

Looking forward

Both Novogoratz and Hathaway are pleased with the results that the LogRhythm SIEM solution has yielded.

Prior to installing LogRhythm, the workflow for investigating security threats was manual and not well defined.

Novogoratz says, “Now we rely on alerts and reports from LogRhythm to start the process and narrow our search.”

Looking toward the future, Sub-Zero plans to bring more device logs into the system and to configure and fine-tune alerts.
