For the law firm of Sonnenschein, Nath & Rosenthal, there was no catastrophic incident—no defaced Web site or data theft—that pushed IT administrators to a security crossroads.
For Adam Hansen, manager of IT security at the Chicago firm, the need for change came in a swelling, relentless wave of alerts and security events his staff could no longer prioritize or manage.
After mulling the typical choices of adding staff or farming out the work, Hansen opted for a more radical process overhaul that has since saved money and improved performance.
Hansen prioritized his security needs and decided that his top goal was to better correlate events from multiple sources with management technology that was included with the firms Nokia Corp. firewalls.
“What we did is not for everyone, but its an alternative to more staff or outsourcing that you should at least consider,” said Hansen.
Hansen looked at IBMs Tivoli and Hewlett-Packard Co.s OpenView security management software but settled on Security Threat Manager from OpenService Inc. “It was the easiest to open and use, and it does a great job of identifying real security threats and alerting us in real time so we can respond quickly,” said Hansen. “Instead of dealing with [duplicate events] buried in our logs because we have more than 100 devices, now we have one-stop monitoring and management for all our threats.”
The choice has been the answer to a long-simmering problem at the law firm.
When Hansen joined Sonnenschein in 1998, the law firm had seven offices around the country. “Everybody had a desktop, and everything came through one office,” he said. “Our job then was easier—making sure all desktops were compliant and our Internet policies were adhered to.”
As the firm grew to nine U.S. offices and a staff that met with clients across the globe, communications became primarily e-mail-based. Staff members flocked to the Internet to conduct legal research, Hansen said. In the meantime, Sonnenscheins Web site was receiving more hits from clients, prospective clients and other parties. As Sonnenscheins Internet traffic increased exponentially, so did the number of potential firewall breaches, viruses, spam messages and other headaches.
Hansen had less time to address the security issue because his responsibilities were expanding as his employer grew. “We handle security violation investigations, crisis management, you name it,” he said.
By last year, Hansen and his team were confronting as many as 9 million security events each day. “We kept running into issues—anti-virus infrastructure, assessment infrastructure, you name it. It came down to patch management most of the time,” he said.
Compounding the problem, Hansens budget was growing, and his superiors viewed the costs related to his department with an increasingly critical eye. He was forced to think more like a business manager than an IT administrator. “You manage the top line and the bottom line just like any other department,” Hansen said. “Everything else is ancillary. You want to add value to the company and cut costs.”
Thus, the expense of hiring more staff was out of the question. Outsourcing seemed more attractive, so Hansen surveyed his peers and dutifully interviewed IT security vendors, looking for the perfect combination of price and service. None left Hansen satisfied. “It turns out they didnt have the tuning for a shop our size,” Hansen said. “We were either too big or too small.”
Next Page: Problems with pricing structures.
Pricing Structures
Pricing structures also left something to be desired. “When you negotiate an IDS [intrusion detection system] contract for outsourcing, you get people talking about event counts, and they put it together into a magic formula,” said Hansen. He also said that the resulting number rarely matched the real value of the service.
But it was during those outsourcing interviews that something clicked. Hansen noted that the vendors all relied heavily on technology, too. Their IT security success had less to do with savvy and alert technicians than it did with the technology used. Hansen began thinking about using the same technology with his team.
In fact, many of the vendors he interviewed used OpenServices network IT management tools.
“When we did an analysis, from a cost perspective and [in terms of] value to the organization, we found that the option of purchasing the technology cost us less in the long run than hiring a third party,” said Hansen. “They were using a lot of the same products and then adding their own special software on top. If we purchased the same technology, we could depreciate the cost over time.”
Sonnenschein has used Security Threat Manager since Version 1.1, and the two companies are collaborating on installing Version 3.1 at the law firm.
Security Threat Manager correlates Sonnenscheins 9 million daily security events and accurately identifies 20 or 30 events of interest, according to Hansen. From there, Sonnenscheins administrators need to investigate only about one to three events a day. “We reduced our incident response time from 24 hours to minutes,” said Hansen. “We deal with an event as soon as it happens rather than look at a log.”
Best of all, Hansen was able to reduce the time that a security consultant was needed to assist his team, and he eliminated redundancies. That, in turn, cut costs by $213,000, which pleased Hansens bosses very much. Hansen admitted he will need to hire additional staff in the future—Sonnenschein is still growing, after all—but the success with OpenService helped him delay the hiring process for nine months.
Integrating Security Threat Manager 1.1 with Sonnenscheins multiple systems and expanding number of offices was no easy task. “When we first got OpenService, they were only built to handle a few systems,” Hansen said. “We looked at our infrastructure, and we had to prioritize our implementation.”
Anti-virus security and patch management topped Sonnenscheins list of systems that required integration with Security Threat Manager. To Hansens delight, OpenService sent a technician to handle the integration. “We were changing our patch management, and they produced integration before we even got to it,” said Hansen. “Their customer service is some of the best Ive ever worked with.”
Although the transition is complete, Hansen still talks to an OpenService sales engineer once a week to convey any concerns or discuss future challenges. “The only issue we really struggled with came when we performed an upgrade: There was a memory glitch,” said Hansen. “Our Nokia [firewalls] locked up.”
Hansen doesnt blame the struggle with the Nokia equipment on OpenService, however. “It appeared to be an environment-specific/the-way-we-handled-the-deployment issue,” he said. “You do the best you can to handle this, but as often as you plan, unforeseen problems come up.”
In the end, Hansen emphasizes that forgoing a third-party IT security vendor and using technology on the market is not for every organization or IT staff. “I know someone who uses [Security Threat Manager] as a replacement for Fusion, and OpenService is not Fusion,” he said. “If all you care about is the correlation of data between one vendors products, its not a good fit. Our system is designed to link data from … different products.”
IT security executives must know what theyre trying to accomplish from a business standpoint as well, said Hansen. “We wanted to reduce our monitoring costs,” he said. “If you have several technologies, it might not be the right package for you. This is a longer-term investment.”
The risks to Sonnenscheins IT security and bottom line were great: incompatibilities, missed threats, unexpected costs. With sound planning by Hansen and his staff, and strong customer service and technology from OpenService, Sonnenschein met its goals: higher-quality threat detection at a lower price.
Ira Apfel is a freelance writer in Bethesda, Md. He can be reached at iapfel@yahoo.com.