SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
CASE STUDY: Achieving full network visibility with SIEM
Thu, 16th Nov 2017
FYI, this story is more than a year old

As a business rapidly expands or IT imperatives become increasingly more pronounced, it can be easy for cybersecurity teams to feel overwhelmed when it comes to network monitoring.

With contemporary IT networks becoming increasingly more complex, sourcing the right information and proactively using data becomes key, however, it can often be hard to find the resources to be able to accomplish this in an effective way.

This was the issue that global premium appliance manufacturer Sub-Zero was having, and it was proving to be a real issue for its IT security staff.

Sub-Zero is a rapidly growing business, with over 30 locations, including multiple manufacturing facilities and numerous showrooms featuring high-end appliances and unique customer experiences.

However as the company grew, their IT security teams struggled to keep up with the network monitoring that was required to keep the company secure.

Tyler Novogoratz, Sub-Zero IT supervisor for security and disaster recovery says, “Our leadership and human resources teams were inquiring about user activity on our network. I didn't have a good way to pull that information for them.

“We needed a solution that would provide a single point of consolidation for our many sources of logs so that we could easily search and correlate the data. We also wanted to combine all of our monitoring tools into one platform that could alert us when we have security issues.

Implementation of a solution

Novogoratz and his colleague T.J. Hathaway, Sub-Zero systems engineer level III, knew they needed a SIEM solution, but wanted an approach that best suited them in terms of ease of use and deployment.

They started by looking at the top 10 organisations in the Gartner Magic Quadrant for SIEM, and eventually narrowed it down to one, choosing LogRhythm as their preferred SIEM solution.

On their decision, Hathaway states “LogRhythm was the obvious choice for us. It's easy to set up, the web dashboard is very intuitive and easy to navigate, and the out-of-the-box reporting is very important for us.

“For me in particular, the drill-down capability is a big selling point. I can investigate incidents quickly, whereas before it could take hours or days to get the information I needed.

Benefits

After only a week of implementation, including configuring the logs, and activating the initial layout, they immediately started to see major benefits and improvements that the solution provided.

Hathaway adds, “On the second day of implementation we learned that one of our switches had a bad power supply and we found a bad fibre link in one of our wiring closets. LogRhythm also alerted us to some network routing issues and we were able to take a closer look.

After approximately eight months, the solution has met all the original objectives of the project.

Novogoratz explains that the LogRhythm solution enables his team to view all logs from a single place, and allows them to proactively monitor the network as issues arise, instead of having to check several disparate systems.

”When we see an issue on a network appliance and another issue on a server, LogRhythm helps us correlate the events so we can better understand the problem and how to investigate it,” he says.

Hathaway also says the reports have simplified his job in a number of ways.

One example is that he frequently uses a report to know when an administrator has changed their password, and he can verify this action with the administrator to be sure the change was legitimate.

This also saves hours of investigation time when an account is locked out and Hathaway needs to know where the administrator was logged in during the password change.

Looking forward

Both Novogoratz and Hathaway are pleased with the results that the LogRhythm SIEM solution has yielded.

Prior to installing LogRhythm, the workflow for investigating security threats was manual and not well defined.

Novogoratz says, “Now we rely on alerts and reports from LogRhythm to start the process and narrow our search.

Looking toward the future, Sub-Zero plans to bring more device logs into the system and to configure and finetune alerts.