Cleveland Indians turn to SIEM in malware, botnet battle
- 27 August, 2014 04:55
For the Cleveland Indians' IT department, dealing with malware on behalf of hundreds of Windows-using employees at the baseball team's Progressive Field data center operations can be a little bit like a pitcher facing a stacked batting line-up: a constant battle.
Traditional anti-virus software from Sophos helps the team avoid infections, but it can't keep pace with the boom in zero-day attacks.
"When an Internet user goes to a website that has spyware, the system gets infected and tries to connect to a remote-control server somewhere," says IT Director Whitney Kuszmaul. "Most anti-virus doesn't catch a lot of things out there."
The Indians upped their game about six months ago by adopting the AccelOps security information and event management (SIEM) tool to centralize security events from firewalls and intrusion-detection systems and to monitor Windows application and security logs. Since then, the IT department has expanded its use of AccelOps, which runs as a virtual appliance in the VMware-based data center, to analyze network traffic in order to pinpoint malware infections.
The AccelOps SIEM system can pin down in real time when a desktop appears to be under a botnet's control by correlating the relevant event information from the firewall and the intrusion-detection system, and can then send an alert to the IT division. Senior Network Engineer Nick Korosi says that information is used to investigate whether the user's machine is infected so that steps can be taken to remediate the problem immediately.
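The correlation step described above, as an added example that is not the team's or AccelOps' own logic: a small Python correlator over constructed firewall and IDS log lines (the line formats, hosts and signature name are hypothetical) that flags a desktop only when an IDS command-and-control alert is corroborated by repeated firewall-allowed connections from the same host to the same destination inside a time window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article); the formats are hypothetical.
FIREWALL_LOG = """\
2014-08-20T10:00:01 fw ALLOW src=10.1.5.23 dst=203.0.113.9 dport=443
2014-08-20T10:00:31 fw ALLOW src=10.1.5.23 dst=203.0.113.9 dport=443
2014-08-20T10:01:01 fw ALLOW src=10.1.5.23 dst=203.0.113.9 dport=443
2014-08-20T10:01:31 fw ALLOW src=10.1.5.23 dst=203.0.113.9 dport=443
2014-08-20T10:00:05 fw ALLOW src=10.1.5.40 dst=198.51.100.7 dport=80
"""
IDS_LOG = """\
2014-08-20T10:00:32 ids ALERT sig="Possible C2 beacon" src=10.1.5.23 dst=203.0.113.9
2014-08-20T10:05:00 ids ALERT sig="Possible C2 beacon" src=10.1.5.77 dst=192.0.2.50
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse(log):
    """Turn each log line into a dict with a datetime 'ts' plus its key=value fields."""
    events = []
    for line in log.splitlines():
        ts, _source, _kind, rest = line.split(" ", 3)
        ev = {k: v.strip('"') for k, v in KV.findall(rest)}
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def correlate(fw_log, ids_log, window=timedelta(minutes=5), min_conns=3):
    """Return {(src, dst): connection_count} for IDS C2 alerts that are backed by
    at least `min_conns` firewall-allowed connections from the same host to the
    same destination within +/- `window` of the alert. An alert with no matching
    traffic is dropped, and repeated traffic with no alert is never flagged."""
    fw = parse(fw_log)
    flagged = {}
    for alert in parse(ids_log):
        lo, hi = alert["ts"] - window, alert["ts"] + window
        hits = [e for e in fw
                if e["src"] == alert["src"] and e["dst"] == alert["dst"]
                and lo <= e["ts"] <= hi]
        if len(hits) >= min_conns:
            flagged[(alert["src"], alert["dst"])] = len(hits)
    return flagged

if __name__ == "__main__":
    for (src, dst), n in correlate(FIREWALL_LOG, IDS_LOG).items():
        print(f"ALERT possible botnet control: {src} -> {dst} ({n} connections near IDS hit)")
```

In the sample data only 10.1.5.23 is flagged: 10.1.5.77 has an IDS alert but no corroborating traffic, and 10.1.5.40 has traffic but no alert.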
The SIEM tool is very fast at running queries, so it also takes on other tasks, such as monitoring SQL Server transactions for time delays so that processes can be adjusted, Kuszmaul says. In the future, AccelOps is also expected to help automate helpdesk tickets for staff.
While the SIEM product works well for employees' Windows computers, the IT group's next challenge has to do with syncing up mobile device usage and deployment policies with management so that Android and iOS devices, for example, can be brought under the SIEM umbrella.