A data marriage
"We needed to take firewall and IDS format log data and collect [it] in a way so that it was in the same format," Geimer said. NetForensics was one of the few SIM vendors in 2003 that could collect, normalize, aggregate and correlate data from USAIDs Checkpoint Systems firewalls; Cisco Systems network IDS and Internet Security Systems host IDS; and work with McAfee ePolicy Orchestrator, the agencys policy enforcement platform, Geimer said.NetForensics addressed USAIDs latency problems by making sure that collection engines deployed in the field had enough memory to cache log information until a link became available, said Hulver. USAIDs remote offices also made it difficult to troubleshoot problems, said Geimer of OSS, which has a team of 12 people working for USAID in Washington. "This isnt Paris or London. Think Bolivia and Sri Lanka," Geimer said. "When USAID travels, its to places where most other people arent. For us on the security side, that means managing things you cant touch easily." In two years, the NetForensics technology has improved USAIDs ability to monitor security events and make sense of the data produced from its network of IDS sensors and firewalls, Heneghan said. Still, the agency has had its share of issues with the NetForensics technology and is continuing to work with NetForensics on ways to improve its SIM technology. For example, USAID regularly reports to U.S. CERT (Computer Emergency Readiness Team) in the Department of Homeland Security. The agency often is asked by other federal agencies to respond to specific requests, such as providing detailed reports on an IP address. But out-of-the-ordinary searches can be incredibly slow on NetForensics system, Heneghan said. "If you get a call from OMB [the Office of Management and Budget] ... and youve got to run a report for the last 35 days worth of data, if you dont have an index, its going to take a while," said Geimer. Since implementing NetForensics and revamping its security operations, USAID has gone to the front of the class, judging from the results of security audits in recent years. The agency scored an A+ on the Federal Computer Security Report Card in 2004. A report from the USAID inspector general released last week also gave USAID high marks on FISMA compliance for 2005. Still, theres no going back to life without security information management technology, Heneghan said. "Infosec [information security] is in the Wild West stage," Heneghan said. "The more you know, the more scared you should be." SIM technology just gives USAID the "eyes" to be able to see and understand the threat, Heneghan said. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
A faulty update from McAfee flagged several widely used software programs as a virus outbreak. Click here to read more.