WNS Global Services, the Mumbai-headquartered BPO company which serves more than 250 customers worldwide, has to meet several regulatory and contractual requirements of its clients as well as information protection mandates. To address these, WNS recently implemented a comprehensive Security Information and Event Management (SIEM) tool.
The need to meet its clients' contractual and regulatory requirements was the prime reason for WNS' SIEM tool adoption. "The retention of logs for a specific period is crucial from the historical evidence perspective. We are talking about 40 terabytes/year of storage required to store security logs for critical systems and network infrastructure for a company of our size," says Arup Chatterjee, the chief information security officer of WNS. Earlier, the company used a Syslog-based log management tool for firewalls and routers, while an SMB Windows log management tool was used for Microsoft Active Directory. However, the company soon realized that these tools could not handle a log volume of 4,000 to 7,000 events per second (EPS). WNS runs security infrastructure at 21 different sites, consisting of domain controllers, firewalls, antivirus, Active Directory and IPS, which called for an intelligent, high-capacity log management tool.
"The consolidation of events from all these different sources under one umbrella was necessary for real-time visualization of attacks taking place in our environment. We wanted visibility into both internal and external attacks," says Chatterjee. The mere collection and storage of logs wasn't enough for WNS; it also wanted actionable intelligence from real-time analysis of these logs. That was possible only through a full-fledged SIEM tool.
WNS has 21,000 employees accessing multiple applications, all of which are integrated with Active Directory for authentication. Real-time visibility into, and understanding of, user activity was another key reason for adopting the SIEM solution, explains Chatterjee.
Search for the right SIEM tool
Chatterjee took more than a year to research and identify the right product, since a massive investment was required to set up a SIEM platform. The top selection criteria were centralized log collection from remote locations with minimal use of bandwidth, the capacity and scale to deal with high event volumes (4,000 to 7,000 EPS), and the intelligence to turn raw logs into human-readable information. Although the market offered several SIEM tools, Chatterjee shortlisted only three solutions (RSA Envision, NetForensics and ArcSight) after his research. WNS finally decided to go in for ArcSight's SIEM tool due to its ability to handle large log volumes and because it offered intelligence beyond the other product suites.
WNS has gone in for a hardware-based SIEM solution from ArcSight. The company has adopted a combination of two solutions (servers), ArcSight Logger and ArcSight Enterprise Security Manager (ESM).
ArcSight Logger can hold up to 40 TB of logs on a 6.4 TB storage box, relying on roughly 10:1 log compression. Logger stores events and makes them available in real time in Common Event Format (CEF). The box receives data from remote log collectors, which normalize and compress the logs before forwarding them and thus save a significant amount of production bandwidth. Logger covers almost 80% of the WNS infrastructure, including firewalls, IPS, antivirus (AV) and the Active Directory setup. WNS currently generates logs at the rate of 25 GB per day.
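As an added illustration (this is example code written for this page, not ArcSight's own collector or Logger code), the Python below normalizes a constructed Windows failed-logon event into a CEF line the way a collector would, and parses it back. The escaping rules follow the published CEF specification: in the seven pipe-separated header fields a backslash and a pipe are escaped as `\\` and `\|`; in the key=value extension a backslash and an equals sign are escaped as `\\` and `\=`, and line breaks are written as `\n` / `\r`. The extension keys suser, src, shost and msg are standard CEF names; the sample values are constructed, not WNS data.

```python
import re

# ---- encoding side: what a collector does before shipping to Logger ----

def _esc_header(value):
    """Escape a CEF header field: backslash first, then the pipe separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value):
    """Escape a CEF extension value: backslash, '=', then CR/LF."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(vendor, product, version, signature_id, name, severity, **extension):
    """Build a CEF:0 line. Extension keys keep the order they were given in."""
    header = "|".join(_esc_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"

# ---- decoding side: what a consumer of Logger output has to do ----

_UNESC = {"n": "\n", "r": "\r"}

def _unescape(s):
    # '\x' -> x, except '\n' and '\r' which become real line breaks
    return re.sub(r"\\(.)", lambda m: _UNESC.get(m.group(1), m.group(1)), s)

def _split_header(line):
    """Return the 7 header fields and the untouched extension text.
    A pipe preceded by a backslash is data, not a separator."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])   # escaped char taken literally
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header")
    return fields, line[i:]

def _parse_extension(ext):
    """Split 'k1=v1 k2=v2 ...' where values may contain spaces.
    Only an unescaped '=' starts a value; the key is the token before it."""
    eq_positions, i = [], 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2          # skip escaped char, so '\=' is not a separator
            continue
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1
    result = {}
    for n, p in enumerate(eq_positions):
        key_start = ext.rfind(" ", 0, p) + 1
        key = ext[key_start:p]
        if n + 1 < len(eq_positions):
            next_key_start = ext.rfind(" ", 0, eq_positions[n + 1]) + 1
            raw_value = ext[p + 1:next_key_start - 1]   # drop the separating space
        else:
            raw_value = ext[p + 1:]
        result[key] = _unescape(raw_value)
    return result

def parse_cef(line):
    fields, ext = _split_header(line)
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    names = ("cef_version", "vendor", "product", "version",
             "signature_id", "name", "severity")
    event = dict(zip(names, fields))
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event["extension"] = _parse_extension(ext)
    return event

def demo():
    # Constructed sample: a Windows Security event 4625 (failed logon) with
    # awkward characters (a pipe in the hostname, '=' and a newline in msg).
    line = to_cef("Microsoft", "Windows", "2008", "4625",
                  "An account failed to log on", 5,
                  suser="jdoe", src="10.1.2.3", shost="WS|lab-01",
                  msg="Bad password=3 tries\nretry")
    return line, parse_cef(line)

if __name__ == "__main__":
    raw, parsed = demo()
    print(raw)
    print(parsed)
```

The round trip is the point: anything that parses CEF by naively splitting on `|` or `=` will mis-handle exactly the hostnames and free-text messages a Windows or firewall log is most likely to carry.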
After an event enters Logger, it is forwarded to ArcSight ESM, which provides intelligence through event correlation and analysis. ESM can sift through millions of log records to find critical incidents, which the SIEM tool then presents to the security administrator through real-time dashboards, notifications or reports. The real-time dashboard lets administrators browse categories including AV, IPS, firewalls and proxies. The SIEM solution provides a real-time view of current connections, websites being accessed, worm activity (from correlating AV and IPS events), systems under virus attack, Windows events (account creation, account deletion, etc.), users with the most login failures, top attacks by geographic location, and potential reconnaissance activity.
Chatterjee adds that the solution even lets WNS visualize each attack with the flag of its country of origin, or look up the originating location through a simple integration with Google Earth.
The implementation took about three months. According to Chatterjee, product selection was the foremost challenge of the SIEM implementation, followed by the learning curve and tuning the system for minimal impact on network and resource utilization during log collection.
Benefits galore
The new SIEM tool has helped WNS keep a strict watch on external threats such as bots and worms, and on internal risks such as fraud and theft. Chatterjee also gives an example of how the SIEM implementation helps WNS maintain high productivity. "In a BPO environment, people do not get too many breaks. As a result, people intentionally lock their accounts at times to buy downtime. The SIEM tool has the capability to give notification of top users whose accounts get locked up frequently, which helps you to identify patterns of individual behavior and define process-level controls to minimize such occurrences."
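Two of the correlations described above, the dashboard's "users with the most login failures" and the notification of accounts that get locked out repeatedly, are simple enough to show end to end. The Python below is an added example written for this page, not an ArcSight ESM rule: it runs a sliding-window failed-logon count and a per-account lockout ranking over a constructed event list. The event IDs are the real Windows Security IDs (4625 = failed logon, 4740 = account locked out); the five-in-five-minutes threshold, the field layout and the sample accounts and hosts are assumptions made for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625     # Windows Security: an account failed to log on
ACCOUNT_LOCKED = 4740   # Windows Security: a user account was locked out

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample events (not WNS data), already normalized by a collector
# to (time, Windows event id, target account, source host).
SAMPLE_EVENTS = [
    ("2010-03-01 09:00:05", 4625, "asmith", "WS-101"),
    ("2010-03-01 09:00:09", 4625, "asmith", "WS-101"),
    ("2010-03-01 09:00:14", 4625, "asmith", "WS-101"),
    ("2010-03-01 09:00:20", 4625, "asmith", "WS-101"),
    ("2010-03-01 09:00:25", 4625, "asmith", "WS-101"),
    ("2010-03-01 09:00:30", 4740, "asmith", "WS-101"),
    ("2010-03-01 14:00:00", 4625, "bjones", "WS-220"),
    ("2010-03-01 14:00:02", 4625, "bjones", "WS-220"),
    ("2010-03-01 14:00:04", 4625, "bjones", "WS-220"),
    ("2010-03-01 14:00:06", 4625, "bjones", "WS-220"),
    ("2010-03-01 14:00:08", 4625, "bjones", "WS-220"),
    ("2010-03-01 14:00:10", 4740, "bjones", "WS-220"),
    ("2010-03-02 14:01:00", 4740, "bjones", "WS-220"),
    ("2010-03-03 11:30:00", 4625, "ckhan",  "WS-305"),
    ("2010-03-03 14:02:00", 4740, "bjones", "WS-220"),
    ("2010-03-03 16:45:00", 4625, "ckhan",  "WS-305"),
]

def brute_force_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per account when it accumulates `threshold` failed logons
    inside a sliding `window`. Returns {account: time the threshold was hit}.
    Events are sorted first so out-of-order delivery does not break the window."""
    recent = defaultdict(deque)   # account -> timestamps inside the window
    alerts = {}
    for time_s, event_id, user, _src in sorted(events):
        if event_id != FAILED_LOGON:
            continue
        t = _ts(time_s)
        q = recent[user]
        q.append(t)
        while q and t - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = t
    return alerts

def lockout_report(events, top_n=5):
    """Rank accounts by lockout count and show on how many distinct days and
    at which hours of the day each was locked. An account locked on several
    days at the same hour is the behavioural pattern the article describes,
    as opposed to a one-off password-guessing burst."""
    counts = Counter()
    hours = defaultdict(set)
    days = defaultdict(set)
    for time_s, event_id, user, _src in events:
        if event_id != ACCOUNT_LOCKED:
            continue
        t = _ts(time_s)
        counts[user] += 1
        hours[user].add(t.hour)
        days[user].add(t.date())
    return [(user, n, len(days[user]), sorted(hours[user]))
            for user, n in counts.most_common(top_n)]

if __name__ == "__main__":
    for user, when in brute_force_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: 5 failed logons within 5 min, reached at {when}")
    for user, n, ndays, hrs in lockout_report(SAMPLE_EVENTS):
        print(f"{user}: {n} lockouts over {ndays} day(s), at hours {hrs}")
```

The two rules deliberately answer different questions: the sliding window catches a burst (an attack or a script with a stale password) as it happens, while the lockout ranking is a periodic report whose value is in the day and hour columns, which is what separates an account that is locked at the same time every afternoon from one that was hit once by a guessing attempt.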
WNS now intends to integrate its physical access control system with the SIEM tool, giving the company a combined view of physical and logical access controls, so that user access to the premises and to IT components, and all events related to a particular individual, can be polled in near real time.
