Northampton County Leverages LogRhythm SmartResponse to Streamline Security Operations
Northampton County, Pennsylvania, has outsourced its IT operations to Conduent, formerly known as Xerox, since 1979—making for one of the longest-running managed services agreements in the United States. But a lot has changed since the late 1970s. A new generation of security threats has arisen. Northampton County’s IT infrastructure has evolved to include over 180 servers, 100+ network devices and several hundred security cameras. There are also evolving regulatory policies, such as HIPAA, that have increased the stakes of IT Security for all county government agencies like the ones Conduent supports.
With only one and a half personnel dedicated to safeguarding the network and 2,200+ county employees, the Conduent security team’s resources are limited. But with LogRhythm, the Conduent team is able to cope with current security threats, and they are able to continually evolve to meet future challenges.
The Business Challenge
Inadequate Visibility and Availability of Resources
As a third party responsible for the IT operations of all government agencies in Northampton County, Conduent has a purview that runs the gamut from servers, to networking, to storage. As a result, the security threats facing the organization take many forms.
Prior to adopting LogRhythm, the organization’s small IT security staff relied on manual processes, such as periodic reviews of firewall rules and device logs, to identify and address threats. This approach stretched the organization’s staff too thin, leaving significant gaps in the review and response process. The lack of visibility into the infrastructure also made it difficult for the team to secure the sensitive data of the agencies Conduent was responsible for protecting. The data of county agencies (e.g., a nursing home and Human Services Department that are subject to HIPAA compliance requirements, the District Attorney’s office that retains private electronic data related to court cases and numerous others) needed to be adequately monitored and safeguarded.
Flexibility and Visibility
Northampton County considered several security products before choosing LogRhythm as a partner. Candidates included Splunk and AlienVault. But LogRhythm proved most appealing because of its rigorous support for scripting, its ability to provide a single point of reference for assessing and responding to threats, and the high level of automation it delivered.
“One thing that struck me about LogRhythm was the statement, ‘if it can be scripted, it can be done,” said Bob Mace, senior information security analyst at Conduent. Bob heads IT security operations for Conduent in Northampton County. For Bob Mace’s small team, LogRhythm’s scripting support makes it possible to configure firewalls and manage security events in a way that is customizable and granular.
Results were immediate when Conduent Northampton County first deployed the LogRhythm Security Intelligence and Analytics Platform, in 2012. “The second day of deployment with LogRhythm yielded benefits,” according to Bob. “We were able to correlate internet activity and logon attempts with a brute-force attempt that our current cobbled-together reporting solution could not show us. It was immediately and visually apparent that someone was knocking at the door.”
Bob added that, during the first days of use, LogRhythm and its advanced rule sets also revealed malware running on a network host, which the organization’s antivirus software had missed. In addition, LogRhythm identified several workstations that a third-party vendor had added to the county’s network without the IT team’s knowledge—creating a potential attack vector and violating County Information Security Policy.
LogRhythm’s privileged user monitoring became another standout feature for Bob’s team as they continued working with the platform. There are a number of highly sensitive and critical areas of the file system that must be protected, monitored and audited. Two of the most critical include the Children Youth and Families Division and the District Attorney’s office.
Privileged user monitoring allows Conduent to track who accesses or attempts to access the files within these units. If a user without the requisite privileges attempts to open protected files, LogRhythm immediately alerts key administrators of the incident, as well as provides the accompanying incident data to facilitate immediate investigation. This monitoring feature ensures that the proper checks and balances are in place to protect highly sensitive information.
Bob’s team benefits as well by using LogRhythm as a single point of contact for managing security monitoring tools and operations across Northampton County’s infrastructure. From application and system logs, to access control data and firewall statistics, LogRhythm provides the organization with a centralized hub for analyzing and responding to threats. “We feed absolutely everything we can to the LogRhythm appliance,” Bob said.
Efficiency Through Automation
Bob’s team also leveraged LogRhythm’s automation features to multiply the effectiveness of its limited staff resources. “The automation processes are one of the top benefits we found,” Bob said, referring to LogRhythm’s SmartResponse™ feature. By not only identifying security issues, but also resolving them automatically, SmartResponse saves the team from the time-consuming task of addressing security risks manually. According to Bob, “We’ve been able to move away from break/fix on the security side. We’re not waiting for things to happen. We are now able to go out and proactively look for threats.”
SmartResponse has also helped to reduce the volume of attempted intrusions against the Northampton County network. For instance, SQL injection attacks have decreased by about 90 percent in the time Conduent has been using LogRhythm. Bob attributes the improvement to LogRhythm’s ability to detect and block attacks against the county’s network quickly, leading attackers to remove the county’s hosts from their lists of targets.
Using NetMon and Advanced Correlation to Strengthen Defenses
Since first adopting LogRhythm in 2012, Northampton County has expanded its implementation to include the AI Engine, as well as two network monitor appliances. The latter resources have helped to address compliance requirements related to HIPAA at the county-owned nursing home and in the County’s Department of Human Services building, according to Bob.
Going forward, the county plans to upgrade appliances and expand LogRhythm’s AI Engine to assure PCI compliance, which Bob identifies as a growing challenge for the county. The enhanced tool set will help to establish a baseline for normal network activity and add another layer of monitoring and detection capabilities.