Back in 2004, Genpact was still a captive BPO for GE. Genpact’s VP & Global Information Security Leader Raja Vijay Kumar Adapa remembers how his company’s security framework had matured to a point where cogent analysis was required. With many GE subsidiaries outsourcing business to Genpact on a large scale, security was also becoming a top priority.
Genpact had acquired a network intrusion detection system (NIDS) around that time, and Kumar was still grappling with the problem of aggregating and analyzing logs/alerts from the NIDS. To augment the existing security arsenal, Kumar and his team decided to invest in a security information and event management (SIEM) solution, and there has been no looking back since then.
NIDS devices were new to the market at the time, and Satish Jagu, Genpact’s senior manager for corporate information security, explains that the challenge was dealing with the volume of alerts that these devices generated. The NIDS would inundate the console with alerts, says Jagu, making manual real-time monitoring and identification of issues almost impossible.
More SIEM tips from Genpact
Though implemented, the NIDS was not bringing much benefit, given the manual process, says Kumar. The system was being used reactively, after occurrence of an incident. There was thus a need for an automated system that could perform real-time monitoring and correlation, all on a single console. The requirement was for an agent-less SIEM system, which would avoid conflicts with existing applications/services and avoid production downtime, configuration changes and review cycles.
Genpact chose netForensics’ SIEM tool, citing device support and local presence as important selection criteria. Jagu remembers that there was direct interaction with the developers right from the outset, giving Genpact an edge on developing integration for legacy applications and devices from the GE days.
Kumar explains that the SIEM tool today has several modules, covering server logs, network equipment logs and NIDS logs. As Genpact had Unix and Windows servers, server log support was considered important. The SIEM tool from netForensics supported NIDS and network logs and the vendor agreed to develop the required server modules based on Genpact’s requirements.
Genpact had a plethora of legacy devices and applications, support for which was needed to be built from the ground up in many cases. The SIEM tool was expected to be deployed on a centralized setup, which required checking the bandwidth availability and other dependencies across the network.
The scope of implementation was limited to begin with, in order to keep initial investment at a minimum, says Kumar. The SIEM tool was initially used with a few critical devices such as servers, essential network equipment and NIDS. After streamlining, the scope was expanded across the network, as the security team gained confidence and experience.
Network components were brought on board one by one, integrated, monitored and profiled. Jagu explains that this process is still followed whenever a new device enters the network. The SIEM consists of a server that acts as an agent for all devices with only minor configuration changes required in the devices to point the logs to the SIEM tool.
The vendor’s technical team under netForensics’ technical director carried out the initial setup, after which Genpact’s security team took over for the integration and expansion phase. The entire implementation took close to two years back then, says Jagu, since the vendor team had to take problems back to the developers to put enhancements in place.
Over time the product has standardized and is now managed completely by Genpact, with standard support from netForensics. The SIEM tool is now an organization-wide standard and is being rolled-out in Genpact’s global locations as well. The SIEM is managed by six people out of Genpact’s SOC in Hyderabad, India, which was developed parallel to the SIEM project.
While most support is on-call or remote, major upgrades require assistance, says Jagu. He cites the example of setting up a DR site for the SIEM at Gurgaon, which required the vendor’s expertise.
More on Security management
- Cloud adoption prompts secure data management, access control issues
- Identity and access management (IAM) in the cloud: Challenges galore
- Tips to overcome information rights management implementation challenges
- Combat social engineering attacks with these mantras
- Security awareness training made easy
Building maturity and notable milestones
According to Kumar, the primary challenges involved suppressing false-positives and training of personnel. In the initial adoption stages a high level of expertise was required, until the system got streamlined and configured appropriately. For this, on-site training was requested from the vendor. Such training is now conducted every two years and also for every major product upgrade.
The implementation underwent a major upgrade recently with the move to Oracle 11i when support for versions 9 and 10 ceased. New technologies like VoIP also had to be factored into the scheme of things.
Kumar says that with SIEM, Genpact has gained visibility into its security posture and corrective action is usually taken before business can be impacted. The intelligence from the SIEM is used to enhance and strengthen the security framework and a proactive mechanism exists to reliably forecast and monitor violations to Genpact’s norms and security policies.
After SIEM, the business has not suffered any downtime caused by network-based attacks. Jagu feels that from compliance and customer assurance standpoints, the tool has paid for itself several times over, and is now even showcased to customers as a strategic security tool.
This was first published in November 2012