From: Asia Pacific FutureGov
By guest writer Dr Andy Chun, CIO, City University of Hong Kong
The ‘Security Information and Event Management (SIEM) Implementation’ project at the City University of Hong Kong (CityU) is a major enterprise IT security enhancement project. Costing roughly half a million US dollars, the project aimed to tackle crucial information security challenges that are commonly faced by universities around the world.
CityU’s SIEM implementation has already paid for itself through averted information loss and the associated legal liabilities, not to mention reputational damage. SIEM gives the university the agility to react instantly to IT security breaches, including zero-day attacks, and to contain them quickly before any damage can be done. Providing such a secure environment is particularly challenging for a university, as our teaching and learning environments are relatively open.
Being a young university, CityU has grown quite rapidly over the past few years. Established just 30 years ago, its IT infrastructure now serves close to 40,000 students and staff. In just the past academic year, student intake increased by over 30 per cent; the number of professors also increased by roughly the same percentage. Overall campus space increased by 60 per cent, with several new buildings and student hostels. The use of mobile devices for mobile learning, such as smartphones and tablets, also increased significantly. Last year, close to 100,000 different mobile devices connected to the university WLAN. The university’s IT infrastructure had to expand rapidly to support this growth, which in turn increased the workload of ensuring IT security. In fact, over the past year, the university faced on average over a million hacking attempts each week!
The IT security challenges faced by the university are enormous. With a rapidly growing IT infrastructure, coupled with the increasing hacking of universities in general, CityU felt it was necessary to create a SIEM system to protect its valuable electronic assets systematically.
The challenges faced by CityU are probably similar to those faced by other universities with strong growth around the world:
- large number of security devices and tools to enforce security policies and protect users, but each has its own logging format and monitoring tools
- identifying anomalous behaviour, such as malware infections, hacking attacks or security breaches, is hard if not impossible: millions of log entries are returned from multiple sources, all of which would have to be analysed to try to pinpoint attacks, because there is no linkage or correlation between them
- difficult to extract trend information from events and impossible to relate the events from the various infrastructure components into an application or business service oriented view
- changes in infrastructure meant laborious work to reconfigure old event collection connectors
In 2010, the university’s Central IT team initiated the SIEM Implementation project to pave the way for the next generation of security capability at the university. The main objectives of the SIEM project are:
- Threat Management – the SIEM provides early alerts of security incidents. Normalisation and correlation of logs and event information from various sources enable quick detection and identification of the problem area for prevention and resolution. This allows the university to respond immediately to any potential security threat and avoid loss.
- Security Status of Service Health – the SIEM combines security information management and security event management data from the IT infrastructure and presents them via a consolidated dashboard for easy security health checks and monitoring in our Security Operations Centre.
- Log Management – the SIEM collects and normalises event information and log messages from all devices in a centralised location for easy reference
- Security Compliance – the SIEM is one of the tools deployed to maintain the security standards of the network and systems in support of ISO/IEC 27001:2005 certification
CityU’s SIEM was built on top of HP ArcSight. The entire project consists of three phases. Phase 1 was completed in mid-2011 and involved consolidating all the main log/event sources, including routers, MS AD servers, our firewalls and IPS, as well as VitalSuite NM integration (230+ network devices). Phase 1 provided real-time alert generation for critical and correlated events, as well as top-N reports for critical network events, AD logon failures and interactive user logon tracking. This gave the university service monitoring and basic SLA dashboard capabilities.
Even after just Phase 1, the SIEM started to provide immediate benefits. The most immediate and noticeable benefit was a marked reduction in manpower requirements, particularly around troubleshooting issues as they arise. In the past, this would involve mobilising many teams of people to work through the various systems individually, but this is now automated centrally. With tight manpower at CityU, this adds a lot of value by freeing up skilled people to work on other initiatives.
Turnaround times when investigating anomalies have also improved dramatically. Previously it would take up to a month to be able to gather all the logs together and then organise staff to analyse them. With SIEM, this now takes hours to do as the system stores the logs and joins them together to allow automated correlation across multiple systems.
The platform also allows new rules to be easily introduced to catch future incidents in progress rather than detecting them afterwards and having to spend time and money remedying the problem.
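The three capabilities described above, namely normalising logs of different formats into one schema, correlating them across sources, and producing top-N reports such as the AD logon failure report from Phase 1, can be shown end to end in a small script. The code below is an added illustration written for this article, not CityU's configuration or any ArcSight content; the log lines, host names ("fw1", "DC01") and IP addresses are constructed samples, and the correlation rule (three failed AD logons plus a firewall deny from one source IP within 60 seconds) is a hypothetical rule chosen to show how cross-source correlation turns scattered entries into a single alert. The Windows event IDs 4625 (logon failure) and 4624 (logon success) are real.

```python
"""Normalise heterogeneous log lines into one schema, correlate them across
sources, and produce a top-N report. All log lines are constructed samples."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style syslog lines (hypothetical host "fw1").
FIREWALL_LOGS = [
    "2013-09-02T10:00:01Z fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=445",
    "2013-09-02T10:00:03Z fw1 DENY src=198.51.100.7 dst=10.0.0.6 dport=445",
    "2013-09-02T10:00:09Z fw1 ALLOW src=203.0.113.4 dst=10.0.0.20 dport=443",
]
# Constructed Windows AD logon lines (hypothetical DC "DC01"); 4625 is the
# Windows logon-failure event ID and 4624 the logon-success event ID.
AD_LOGS = [
    "2013-09-02 10:00:05 DC01 EventID=4625 Account=alice Source Network Address=198.51.100.7",
    "2013-09-02 10:00:06 DC01 EventID=4625 Account=bob Source Network Address=198.51.100.7",
    "2013-09-02 10:00:07 DC01 EventID=4625 Account=carol Source Network Address=198.51.100.7",
    "2013-09-02 10:00:08 DC01 EventID=4624 Account=dave Source Network Address=203.0.113.4",
    "2013-09-02 10:30:00 DC01 EventID=4625 Account=erin Source Network Address=192.0.2.9",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AD_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
                   r"Account=(?P<user>\S+) Source Network Address=(?P<src>\S+)$")


def normalise_firewall(line):
    """Map one firewall line onto the common event schema (None if unparseable)."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "source": "firewall", "host": m["host"],
        "src_ip": m["src"], "dst_ip": m["dst"], "user": None,
        "category": "firewall_deny" if m["action"] == "DENY" else "firewall_allow",
    }


def normalise_ad(line):
    """Map one AD logon line onto the same schema (None if unparseable)."""
    m = AD_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S"),
        "source": "ad", "host": m["host"],
        "src_ip": m["src"], "dst_ip": m["host"], "user": m["user"],
        "category": "logon_failure" if m["eid"] == "4625" else "logon_success",
    }


def load_events():
    """Normalise every sample line from both sources into one event list."""
    events = [normalise_firewall(line) for line in FIREWALL_LOGS]
    events += [normalise_ad(line) for line in AD_LOGS]
    return [e for e in events if e is not None]


def correlate(events, window=timedelta(seconds=60), min_failures=3):
    """Hypothetical correlation rule: one source IP produces at least
    `min_failures` AD logon failures and at least one firewall deny inside
    `window`. Returns one alert per offending source IP."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            cats = Counter(e["category"] for e in in_window)
            if cats["logon_failure"] >= min_failures and cats["firewall_deny"] >= 1:
                alerts.append({
                    "src_ip": ip,
                    "first_seen": first["time"],
                    "failed_accounts": sorted({e["user"] for e in in_window
                                               if e["category"] == "logon_failure"}),
                    "denied_hosts": sorted({e["dst_ip"] for e in in_window
                                            if e["category"] == "firewall_deny"}),
                })
                break  # one alert per source IP is enough
    return alerts


def top_logon_failures(events, n=5):
    """Top-N report: source IPs ranked by number of AD logon failures."""
    counts = Counter(e["src_ip"] for e in events if e["category"] == "logon_failure")
    return counts.most_common(n)


if __name__ == "__main__":
    evs = load_events()
    for alert in correlate(evs):
        print("ALERT", alert)
    print("Top logon failures:", top_logon_failures(evs))
```

Run stand-alone, the script raises exactly one alert (for 198.51.100.7, naming the three accounts tried and the two internal hosts that were denied) while the single failure from 192.0.2.9 and the successful logon from 203.0.113.4 produce none; that distinction between isolated noise and a cross-source pattern is the point of the correlation step.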
Phase 2 expanded this capability with ArcSight Logger to allow for longer-term log retention. During this phase, additional central services forwarded logs and events to the SIEM. A log replay feature was implemented to perform “date-back” incident analysis. Additional use cases and security controls were deployed. Phase 2 was completed in mid-2013.
Phase 3 will further upgrade the university’s IT security capabilities to an enterprise level through HP ArcSight Enterprise Security Manager. By then, the SIEM will be the standard event and performance monitoring framework for all Central IT services. This will include data center environment monitoring such as power, temperature and humidity as well as end-to-end IT service monitoring and linking to the Configuration Management Database. It will also act as the Central IT service SLA Dashboard as well as the standard compliance and regulatory monitoring platform. Moving forward, CityU plans to integrate the SIEM with its IT Service Management system to leverage benefits of both systems and to support ISO/IEC 20000 compliance. We target Phase 3 to be completed by mid-2014.
CityU’s SIEM solution is a unique and innovative approach. The result is an SLA dashboard that makes use of Artificial Intelligence techniques for intelligent threat correlation. These are used to create a “causal network” that defines relationships and hierarchies among the various devices. The system is able to sort through and make sense of multiple logs and log entries to intelligently pinpoint attackers or the source of a problem, thus reducing human processing time during emergency situations.
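The idea of a causal network can be illustrated with a small dependency graph: if device A sits upstream of device B, a fault on A can explain alerts on B, so among a set of alerting devices the ones with no alerting device upstream are the candidate sources of the problem. The code below is an added illustration of that concept only; it is not CityU's model or the AI technique the article refers to, and the device names and edges are a constructed, hypothetical hierarchy.

```python
"""Illustrative causal network: rank alerting devices by how many of the
other alerts they can explain, to pick the likely source of a problem.
Constructed example; not CityU's or ArcSight's method."""

# Constructed dependency graph (hypothetical device names). An edge A -> B
# means a fault on A can cause symptoms (alerts) on B.
CAUSAL_EDGES = {
    "core-router": ["dist-switch-1", "dist-switch-2"],
    "dist-switch-1": ["web-server", "ecm-server"],
    "dist-switch-2": ["mail-server"],
    "web-server": [],
    "ecm-server": [],
    "mail-server": [],
}


def descendants(node, edges):
    """All devices reachable downstream of `node` (iterative DFS, cycle-safe)."""
    seen, stack = set(), list(edges.get(node, []))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(edges.get(n, []))
    return seen


def root_causes(alerting, edges=CAUSAL_EDGES):
    """Alerting devices with no alerting device upstream of them.
    Returns (device, number of other alerts it explains), ranked so the
    device that explains the most symptoms comes first."""
    alerting = set(alerting)
    roots = []
    for dev in alerting:
        has_alerting_ancestor = any(dev in descendants(other, edges)
                                    for other in alerting if other != dev)
        if not has_alerting_ancestor:
            roots.append((dev, len(descendants(dev, edges) & alerting)))
    return sorted(roots, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    # Symptoms on a switch and both servers behind it: the switch is blamed.
    print(root_causes({"dist-switch-1", "web-server", "ecm-server"}))
```

Two unrelated alerting servers with no shared alerting ancestor come back as two independent candidates, which is the right answer when the graph gives no reason to link them; an alert on the core router together with alerts below it collapses to one candidate.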
The ability of our SIEM to gather log and event information across multiple sources and to handle the most complex information has enabled CityU to gain invaluable insight into the activities across the entire IT infrastructure while cutting the manpower required to do so. This has allowed IT service quality to improve even with a sharp increase in demand for access to services.
In early 2013, CityU received the ISO/IEC 27001:2005 certification from BSI for one of its important mission critical systems – its Enterprise Content Management (ECM) system. The improvements in security and service quality provided by the SIEM will go a long way in helping the university in continuing to maintain our IT security quality and ISO/IEC 27001 certification.
In recent months, several Hong Kong universities were hacked, some with large volumes of personal/research data lost. Although CityU also faced similar attacks, including zero-day attacks, during this period, our SIEM implementation enabled us to be immediately aware of security breaches and to instantly pinpoint affected systems and contain them before any data loss. The SIEM implementation has already proven its value during the past few months of intense cyber attacks faced by all universities in Hong Kong. We strongly believe that if it had not been for our SIEM implementation, firstly we might not have been aware of some of these attacks, and if we were, it might have taken days to figure out which chain of systems was affected, which would be too late to prevent data loss. CityU is fortunate to have had the foresight to start a SIEM project back in 2010. Currently, CityU is the only university in Hong Kong to have implemented a SIEM system, and we are actively sharing with other universities in the region in the hope that others can also gain from our experience.