As a top ranked university in the Middle East, KFUPM must ensure the integrity of its network while also allowing appropriate access to information, all the time managing a complex and heterogeneous IT environment with a dynamic, technologically advanced student population.
KFUPM realised it needed a fully featured information security monitoring platform for proactively indentifying and remediating any security threats before they could be exploited by internal or external sources. In other words, being able to see clearly what was happening across all network systems and devices in real time was paramount to effectively prevent sophisticated cybersecurity breaches.
In particular, it was concerned about the effects of malware on its network. The Conficker worm, which in 2009 spread rapidly into one of the largest worm infections in history, attacked more than seven million computers in over 200 countries. The worm was unusually difficult to counter because of its combined use of many advanced malware techniques.
“Right around the time we identified the need for more accurate and complete visibility into our network, the Conficker worm began spreading worldwide,” says Mir Ahmed Ali Shajee, Technical Manager of Security for KFUPM. “We absolutely needed to guard against that type of cyberthreat and any others that could manifest.”
KFUPM investigated options for intelligently correlating network events and gaining the visibility it needed to protect the university’s critical systems and reputation. Based on extensive analysis and an internally developed proof of concept, it selected ArcSight ESM. “We didn’t go through an extensive effort to settle on the second-best option,” explains Shajee. “ArcSight ESM is simply the best SIEM solution on the market and provides all the automation and features we could hope for.”
I(TS)² (IT Security Training & Solutions), an ArcSight partner, was involved early on in the selection process. I(TS)² is a premier provider of integrated security solutions, security consulting services, security training and certification curriculum, and managed security services – its unrivaled regional knowledge along with the market-leading ArcSight SIEM solution was a winning combination.
As a top ranked university in the Middle East, KFUPM must ensure the integrity of its network |
ArcSight ESM provides a single management platform that monitors all events across the organisation and uses powerful correlation and analysis to identify cyberthreats. KFUPM integrated ArcSight ESM with their existing intrusion prevention system, vulnerability scanner, firewalls, proxy servers, Active Directory domain controllers and end point security suites. Its real-time event management provides accurate, automated prioritisation and useful data that can be leveraged in security risk mitigation. As a result, KFUPM can now respond immediately to suspicious activity and take corrective action before it manifests into a more serious situation.
As part of the ArcSight ESM deployment process, I(TS)² helped KFUPM identify its key assets so that risk prioritisation could aid in identifying only the real threats that needed attention. Earlier, security staff at KFUPM reviewed logs manually – a time-consuming task. And they had to make some judgment calls, as the volume of events was staggeringly high. For example, Shajee and his team configured the firewalls very tightly and would regularly audit them, but forego the task of reviewing the logs in real time. It also was not easy to pinpoint issues by reviewing syslogs. Now, with ArcSight ESM, KFUPM security specialists can quickly put their fingers on any potential cyberthreats or anomalies that need attention.
“ArcSight ESM shows us prioritised articulation of security events; the way it automates is very impressive,” he says. “We can now pinpoint any events that diverge from our security policy and remedy them with very little effort.”
In particular, he likes the ability to create event graphs on an ad hoc basis for viewing and identifying patterns of suspicious activity. It was through an event graph that Shajee was alerted to the magnitude and spread of the Conficker worm and its evasive activities. He was then able to isolate the problem and remediate it before the university’s critical assets were compromised.
ArcSight ESM real-time security monitoring also provides KFUPM with the ability to protect the confidentiality, integrity and availability of their networks, systems and applications. Logs from the university’s Cisco firewalls had been generating events that were policy violations; they were of course denied and presented no real threat. But what KFUPM didn’t focus on earlier was how those attempts impacted the computer network. “From our proof of concept we were able to identify certain machines, dumb terminals, that had become infected and were spreading malware across the network,” explains Shajee. “With ArcSight ESM, we were able to capture the problems and remediate the systems, which improved the performance and reliability of our network.”