Rolling out a new breed of tools that capture information from IT security logs can be a daunting task for corporate users, who may need to bulk up their systems and storage devices to handle the torrents of data that can be generated.
But MasterCard International has survived the deployment process and is seeing big gains in efficiency among its security staffers, according to Malcolm McWhinnie, the company's information security technology head.
Last April, MasterCard installed Sentinel, a security information management tool from e-Security, on its mainframe and distributed servers and on hundreds of network devices at its data center in O'Fallon, Mo. The goal, McWhinnie said last week, was to simplify security event management procedures that were previously handled by custom-built tools, which required a great deal of maintenance and had limited scalability.
McWhinnie hasn't done a formal calculation of return on investment. But, he said, "my people are spending much more time drilling into the security events they see and much less time managing the tool and taking action on that."
Sentinel collects and evaluates "millions and millions" of security-related logs daily, helping MasterCard's security workers by eliminating things such as false-positive reports, McWhinnie said. It took only three months to implement the software, but he noted that a large amount of "grunt and groan" work was required to tune the tool so it would report only actionable security events and avoid passing on too much irrelevant data.
Because of such challenges, MasterCard's early success is a rarity among large SIM rollouts, said George Hamilton, an analyst at Boston-based Yankee Group Research Inc. who is familiar with the credit card company's project.
Hamilton said SIM tools began attracting a lot of attention last year, partly because of reporting requirements imposed by regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. But he added that the software can be a "nightmare" to manage, "with thousands of event logs being reported per second" from servers, firewalls intrusion-protection and -detection systems and other components.
In addition, many users haven't been prepared for the increased need for storage hardware, servers and database administrators that SIM implementations can impose, Hamilton said.
Although MasterCard did add an unspecified number of servers and storage devices as part of the Sentinel rollout, it didn't need to increase its database administration staff, McWhinnie said. He added that the Purchase, N.Y.-based company set a detailed "escalation plan" for dealing with the data generated by the tool.
MasterCard's prior experiences with its own tools helped to simplify resource planning, McWhinnie said. "Data explosion was not a problem, because we foresaw it and dealt with it upfront," he said. "We already knew where some of the pitfalls would be and went into this with very open eyes."
McWhinnie declined to disclose the SIM rollout's cost, describing it only as a medium-size IT project for MasterCard. He also wouldn't identify the other products his team evaluated before choosing Sentinel.
Officials at Vienna, Va.-based e-Security said the Sentinel server software costs $US89,000 with support for 20 devices. There is an additional cost of $US300 to $US700 per network or security device.