<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://www.theindustrystandard.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>The Industry Standard - Career Education Corp. gets smart on IT security - Comments</title>
 <link>http://www.theindustrystandard.com/news/2007/11/26/career-education-corp-gets-smart-it-security</link>
 <description>Comments for &quot;Career Education Corp. gets smart on IT security&quot;</description>
 <language>en</language>
<item>
 <title>Career Education Corp. gets smart on IT security</title>
 <link>http://www.theindustrystandard.com/news/2007/11/26/career-education-corp-gets-smart-it-security</link>
 <description>&lt;p&gt;By Denise Dubie, IDG News Service&lt;/p&gt;
&lt;p&gt;When Michael Gabriel joined Career Education Corp. in February 2004, he knew he needed a business case to justify an overhaul to the educational services company&#039;s information security program. Looming Sarbanes-Oxley Act (SOX) compliance deadlines provided just that for the CISO, but that initiative was only the start of a thorough security management program that continues to this day.&lt;/p&gt;
&lt;p&gt;CEC, in Hoffman Estates, Ill., had grown tremendously over the previous five years, becoming what in 2004 was a US$1.7 billion company. Following this boom, it needed to formalize controls and get a handle on its security infrastructure to enable uninterrupted growth going forward, he says.&lt;/p&gt;
&lt;p&gt;&quot;The immediate need was [SOX], but when I did further analysis . . . the remediation projects that needed to get done ran the gamut from security policy to change-control to incident-response awareness and security monitoring,&quot; Gabriel says.&lt;/p&gt;
&lt;p&gt;CEC earns its place among the 2007 Enterprise All-Stars for its smart adoption and implementation of &lt;a href=&quot;http://www.networkworld.com/topics/security.html&quot; rel=&quot;nofollow&quot;&gt;security&lt;/a&gt; information management (SIM) technology. With netForensics&#039; nFX Open Security Platform (OSP) Version 3.4 software, CEC automates security and other logs from some 10 &lt;a href=&quot;http://www.networkworld.com/topics/firewalls.html&quot; rel=&quot;nofollow&quot;&gt;firewalls&lt;/a&gt;, 10 prevention systems, 12 domain controllers and all &lt;a href=&quot;http://www.networkworld.com/news/financial/cisco.html&quot; rel=&quot;nofollow&quot;&gt;Cisco&lt;/a&gt; devices. In addition, by integrating Rippletech&#039;s RippleTech Informant Version 1.0 into the netForensics rollout, Gabriel can collect logs from six &lt;a href=&quot;http://www.networkworld.com/news/financial/microsoft.html&quot; rel=&quot;nofollow&quot;&gt;Microsoft&lt;/a&gt; databases. No software on the actual data source is required.&lt;/p&gt;
&lt;p&gt;Among the many benefits of CEC&#039;s estimated $400,000 investment are SOX &lt;a href=&quot;http://www.networkworld.com/topics/compliance.html&quot; rel=&quot;nofollow&quot;&gt;compliance&lt;/a&gt; and comprehensive reporting, combined external and internal threat management, improved security-threat response time, and increased ROI on IT resources. CEC invested $100,000 to $200,000 initially in the security-management software and plans to add another $100,000 to $200,000 later this year to augment the project and expand to a second data center.&lt;/p&gt;
&lt;p&gt;&quot;It&#039;s hard to quantify in hard figures, but if we had not been able to use this technology we would have had to invest in a systems administrator to do this work; and from a security standpoint, we wouldn&#039;t have such visibility into our entire environment,&quot; Gabriel says.&lt;/p&gt;
&lt;p&gt;Gabriel started at CEC during what he describes as a whirlwind. &quot;There wasn&#039;t a lot of time to do extensive bakeoffs. I needed to get this project underway,&quot; he says.&lt;/p&gt;
&lt;p&gt;Fortunately, Gabriel had heard from peers about SIM products from such vendors as ArcSight and netForensics. Because scalability was a top concern, he decided on netForensics, which had a proven success record in large government environments. The vendor&#039;s back-end capabilities -- large-volume data-collection and -correlation -- resonated with him. He says he would pass on a pretty GUI in favor of power on the back end any day.&lt;/p&gt;
&lt;p&gt;It&#039;s not that netForensics, which has just added a collector for Microsoft Windows platforms to its product portfolio, didn&#039;t have a good GUI. Gabriel found the product most accurately addressed CEC&#039;s needs, especially considering the fortuitous addition of the Windows module. &quot;We were one of the first customers for that,&quot; he says.&lt;/p&gt;
&lt;p&gt;Building the framework&lt;/p&gt;
&lt;p&gt;NetForensics nFX OSP applies data-aggregation and event-correlation features to event and security logs generated from firewalls, proxy servers, &lt;a href=&quot;http://www.networkworld.com/details/506.html&quot; rel=&quot;nofollow&quot;&gt;intrusion detection/prevention&lt;/a&gt; systems and antivirus software, for example. The product also works to normalize -- that is, translate -- all the data formats from Cisco, Microsoft, &lt;a href=&quot;http://www.networkworld.com/news/financial/checkpoint.html&quot; rel=&quot;nofollow&quot;&gt;Check Point Software&lt;/a&gt; and other data sources into one common language so that they can be correlated.&lt;/p&gt;
&lt;p&gt;The product consists of server software, agent software installed either on servers close to the devices they are monitoring or the devices themselves, and a management console. At CEC, the software runs on a mix of Microsoft Windows and &lt;a href=&quot;http://www.networkworld.com/news/financial/redhat.html&quot; rel=&quot;nofollow&quot;&gt;Red Hat&lt;/a&gt; Linux servers, alongside &lt;a href=&quot;http://www.networkworld.com/news/financial/oracle.html&quot; rel=&quot;nofollow&quot;&gt;Oracle&lt;/a&gt; databases.&lt;/p&gt;
&lt;p&gt;By the fourth quarter of 2004, Gabriel was using the netForensics tool in CEC&#039;s data center, which serves as a hub for about 80 schools. There it collects security information and incidents and investigates the potential threats. Yet one thing was lacking. &quot;We had the logs from perimeter devices and operating system logs from domain controllers, but we wanted to add the application layer,&quot; he says.&lt;/p&gt;
&lt;p&gt;Dabbling in database log management&lt;/p&gt;
&lt;p&gt;Incorporating logs from databases into the netForensics system was critical, Gabriel says. Yet, because the &lt;a href=&quot;http://www.networkworld.com/topics/applications.html&quot; rel=&quot;nofollow&quot;&gt;applications&lt;/a&gt; must deliver performance-wise, he was hesitant to place an agent on the databases. In September 2006, the netForensics team introduced Gabriel and his team to Rippletech&#039;s Informant software. The netForensics tool translates the database logs that Rippletech collects for integration and correlation, along with network, operating system and security logs.&lt;/p&gt;
&lt;p&gt;&quot;That was a big win for us. That let us do a lot of things that had been a challenge from an audit standpoint,&quot; Gabriel says. For instance, the software helps him better report on administrator activity within databases, a critical point in many regulatory audits. &quot;The software can detect if someone is doing something they shouldn&#039;t. The events are held separately from the database and the domain controller, so even if someone was trying to hide their tracks, they couldn&#039;t,&quot; he says.&lt;/p&gt;
&lt;p&gt;The Informant software installs on a server and via a network span port monitors all traffic going to and from the database servers. The product decodes protocols and builds its own set of logs and converts them to the common format netForensics can accept, then sends the logs to the netForensics management console.&lt;/p&gt;
&lt;p&gt;By setting up rules in netForensics, Gabriel ensures that administrators don&#039;t fall out of compliance in their actions. For example, one policy dictates that only database administrators are allowed to migrate scripts into production. With the policy in place and Rippletech monitoring activities on the database, netForensics will alert Gabriel and his team if a problem pops up. &quot;Having the software is definitely a deterrent from people doing things they know maybe they shouldn&#039;t be doing,&quot; he says.&lt;/p&gt;
&lt;p&gt;Now, with annual revenue of close to $1.9 billion, securing the network from internal and external threats is more critical than before -- as is keeping up with compliance, Gabriel says. In April, CEC merged its two data centers to ensure the standard use of policies across the entire corporate environment. In addition, the company is about two-thirds of the way done with an Active Directory consolidation project that will move all the schools from independent domains into one domain monitored by Gabriel and his team. The security-management implementation is one of those projects that has no firm end date, he says.&lt;/p&gt;
&lt;p&gt;&quot;We are always extending our ability from a security standpoint to investigate any incidents and spot activity that may be a threat. At some point, I&#039;ll explore integrating data from the physical-security devices into the security monitoring system,&quot; Gabriel says. &quot;We have good visibility into our perimeter-, application- and system-level security today, but there is always the idea of bringing more data into the system.&quot;&lt;/p&gt;
</description>
 <comments>http://www.theindustrystandard.com/news/2007/11/26/career-education-corp-gets-smart-it-security#comments</comments>
 <category domain="http://www.theindustrystandard.com/taxonomy/term/1402">IDGNS</category>
 <category domain="http://www.theindustrystandard.com/taxonomy/term/1560">IT Management</category>
 <category domain="http://www.theindustrystandard.com/taxonomy/term/1561">IT strategy</category>
 <category domain="http://www.theindustrystandard.com/taxonomy/term/1428">Security</category>
 <category domain="http://www.theindustrystandard.com/taxonomy/term/5667">Software &amp; Web</category>
 <category domain="http://www.theindustrystandard.com/taxonomy/term/98">Breaking News</category>
 <pubDate>Mon, 26 Nov 2007 08:49:09 -0800</pubDate>
 <dc:creator>IDG News Service</dc:creator>
 <guid isPermaLink="false">76760 at http://www.theindustrystandard.com</guid>
</item>
</channel>
</rss>
