
U.S. Navy

Success Story

Novell helps U.S. Navy protect its information assets

Comprehensive View of Security Environment Enables Real-time Detection and Response

Overview

The U.S. Navy Computer Incident Response Team (NAVCIRT) is responsible for analyzing and presenting information to its commanders, analysts, and operators. Its primary mission is to provide a comprehensive view of network conditions and to monitor enterprise information across the Navy.

Challenge

Due to an increasing volume of attacks on its network and a decentralized security infrastructure, NAVCIRT's critical information assets were at risk. Log volumes continued to grow at exponential rates, and NAVCIRT was grappling with manual processes, disparate data sources, and antiquated systems—leaving it without a comprehensive view of its network conditions.

NAVCIRT needed to identify hostile sources, review audit logs, and manage traffic flow effectively so that it could focus on real threats and ensure protection of its critical systems. It sought a solution that delivered the capability to detect, analyze, and respond to events in a timely manner through automated processes and centralized monitoring.

Novell solution

NAVCIRT selected Novell for its technology and in-depth domain expertise. As a pioneer of the enterprise security management (ESM) market, Novell offered a market-leading software solution that was customizable, flexible, and scalable. It also had the largest installed base of ESM customers—providing proven solutions and the strategic know-how and experience to address NAVCIRT's challenges and goals.

The project, dubbed "Mobius," was delivered as a proof-of-concept to enable NAVCIRT to experience the capabilities of a powerful, robust solution that would drastically improve performance through standard security operations and historical reporting and data mining capabilities.

Standard Security Operations

After analyzing NAVCIRT's environment and requirements, Novell implemented a single integrated solution for real-time security monitoring and incident remediation—enabling an effective way to centralize and track security incident management. The solution monitors NAVCIRT's 100+ source devices and can handle tens of millions of events per day in real time, from collection through correlation to reporting.

Using a rule-based, memory-resident correlation engine, Novell helps monitor network and application activity to identify patterns of events that might indicate attacks, intrusions, policy violations, system misuse, or failure. Novell provides NAVCIRT with a comprehensive view by eliminating the need for separate interfaces to firewalls, intrusion detection systems, and other monitors. With Novell, NAVCIRT can analyze information and distinguish real threats from the immense volume of reports and data sources.

Historical Reporting and Data Mining

The Novell solution not only provides NAVCIRT with immediate incident detection but also provides detailed access to historical data mining for low-and-slow attack investigation and remediation. Partnering with SAS for its data warehousing capabilities, Novell delivered a solution that enables NAVCIRT to look at all its security events and more effectively monitor the extent of its environment.

Novell integrated historical data with other data sources to investigate longer-term relationships, data mining, and historical analysis; it also performed a data transfer setup to enable NAVCIRT to archive information to its databases. This ability to analyze data trends enables a proactive approach before real threats occur—leading to improved risk management, and ultimately, better execution of its core mission-critical responsibilities.
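The two capabilities described above, real-time rule-based correlation across many source devices and a separate historical pass over archived events for low-and-slow activity, can be illustrated with a small self-contained model. The following Python is an added example written for this page; it is not Novell's engine, not NAVCIRT's configuration, and not SAS code. The event fields, the single "auth-failure-burst" rule, its thresholds and windows, and the sample events (two device names, three source addresses from documentation ranges) are all constructed for illustration. It shows why a burst rule with a one-minute window catches a rapid series of failures but never fires on one failure per day, and why the same events, counted over a thirty-day window in the archive, do surface the slow pattern.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One normalised event as a collector would hand it to the correlator."""
    ts: datetime
    source: str   # reporting device, e.g. a firewall or IDS sensor (constructed names)
    kind: str     # normalised event type
    src_ip: str   # address the event is attributed to


@dataclass
class Rule:
    """A counting rule: N matching events for the same key inside a time window."""
    name: str
    match: Callable[[Event], bool]   # which events the rule cares about
    key: Callable[[Event], str]      # how events are grouped (here: by source IP)
    threshold: int                   # events needed inside the window to fire
    window: timedelta


class Correlator:
    """Memory-resident, windowed counting across all sources; one alert per burst."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self._buckets: Dict[Tuple[str, str], deque] = defaultdict(deque)
        self.alerts: List[Tuple[str, str, datetime]] = []

    def ingest(self, ev: Event) -> List[Tuple[str, str, datetime]]:
        fired = []
        for rule in self.rules:
            if not rule.match(ev):
                continue
            bucket = self._buckets[(rule.name, rule.key(ev))]
            bucket.append(ev.ts)
            # drop timestamps that have slid out of the rule's window
            while bucket and ev.ts - bucket[0] > rule.window:
                bucket.popleft()
            if len(bucket) >= rule.threshold:
                alert = (rule.name, rule.key(ev), ev.ts)
                fired.append(alert)
                self.alerts.append(alert)
                bucket.clear()  # reset so one burst produces one alert, not one per event
        return fired


def low_and_slow(archive: List[Event], kind: str, threshold: int,
                 window: timedelta) -> Dict[str, int]:
    """Historical pass over archived events: largest count per source IP in any window."""
    times_by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ev in sorted(archive, key=lambda e: e.ts):
        if ev.kind == kind:
            times_by_ip[ev.src_ip].append(ev.ts)
    hits: Dict[str, int] = {}
    for ip, times in times_by_ip.items():
        best, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def build_sample_events() -> List[Event]:
    """Constructed sample data for the demo; not real telemetry."""
    t0 = datetime(2008, 1, 1, 0, 0, 0)
    events = []
    # a burst: six failed logins from one address in 25 seconds, seen by two devices
    for i in range(6):
        device = "fw-01" if i % 2 == 0 else "ids-02"
        events.append(Event(t0 + timedelta(seconds=5 * i), device, "auth_failure", "192.0.2.10"))
    # low and slow: one failed login per day for twelve days
    for d in range(12):
        events.append(Event(t0 + timedelta(days=d, hours=3), "vpn-01", "auth_failure", "198.51.100.7"))
    # background noise that should never correlate
    events.append(Event(t0 + timedelta(hours=1), "fw-01", "auth_failure", "203.0.113.5"))
    return sorted(events, key=lambda e: e.ts)


def run_demo():
    """Feed the sample stream through both passes and return their findings."""
    rules = [Rule("auth-failure-burst", lambda e: e.kind == "auth_failure",
                  lambda e: e.src_ip, threshold=5, window=timedelta(seconds=60))]
    corr = Correlator(rules)
    events = build_sample_events()
    for ev in events:
        corr.ingest(ev)
    slow = low_and_slow(events, "auth_failure", threshold=10, window=timedelta(days=30))
    return corr.alerts, slow


if __name__ == "__main__":
    realtime, historical = run_demo()
    print("real-time alerts:", realtime)
    print("low-and-slow sources:", historical)
```

The real-time pass keeps only a small deque of timestamps per (rule, key) pair, which is what lets a memory-resident engine keep up with high event rates; the historical pass is cheap per query but needs the full archive, which is why the page describes archiving to a data warehouse as a separate capability rather than folding it into the live correlator.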

Results

Having partnered with Novell, NAVCIRT can resolve events and mitigate the risk of losing valuable data while maintaining a comprehensive view of network conditions. A 24/7 watch team uses the Novell console to monitor all events across the enterprise in real time—ensuring that its networks are secure and protected. Key benefits include:

  • Integrated, centralized incident tracking
  • Faster resolution time
  • Increased awareness of real incidents
  • Increased protection of information assets
  • Improved efficiency and performance
  • Detailed access to historical data mining for low-and-slow attacks
  • Simplified staffing initiatives

Novell, NetWare, BorderManager, DirXML, GroupWise, iChain and ZENworks are registered trademarks, and eDirectory and exteNd are trademarks of Novell, Inc. in the United States and other countries. * All third-party trademarks are the property of their respective owners.


© 2008 Novell, Inc. All Rights Reserved.