PFF Bank & Trust Case Study
Using SenSage to Complement Cisco MARS for Security Information and Event Management
PFF Bank & Trust (PFF) is one of California's oldest full service regional banks
with headquarters in Southern California since 1892 and stock traded on the New
York Stock Exchange (NYSE). PFF services over 33 of the fastest growing
counties in California and Nevada with deposits approaching $4B.
Business Driver
Like all financial institutions, PFF faces regulatory scrutiny from federal agencies
such as the Office of Thrift Supervision (OTS). Additionally, as a SEC registered
company, PFF is subject to Sarbanes-Oxley (SOX). Like all consumer financial
organizations, PFF also must ensure the consumer privacy mandated by the
Gramm-Leach-Bliley Act (GLBA).
PFF uses both internal and external auditors to ensure that their security and
compliance procedures meet the guidelines required by OTS. Through a series
of OTS audits, PFF was encouraged by the auditors to implement additional
security and compliance controls, namely intrusion detection systems (IDS) and
log management.
Technical Requirements
PFF realized that system and application event logs are a critical component for
investigating and prosecuting computer crimes and misuse. To detect intrusions
and security incidents, PFF required event correlation across voluminous amounts
of log data. PFF set out to detect the most common types of security incidents,
including:
· Attacks targeting the same (or numerous) systems and applications
repeatedly
· Attacks originating from the same source or IP range
· System configuration changes
· User account changes
· File access changes
SenSage, Inc. Confidential Page 1
Internal Use Only
Like most sophisticated businesses, PFF has a heterogeneous environment
including Cisco®, Symantec®, Siemens®, Lotus Notes™, Microsoft SQL
Server™, Oracle®, and outsourced banking systems from solution providers such
as Metavante®.
Each of PFF's core systems and infrastructure components produces log events in
various formats over different protocols; these logs needed to be centralized
before PFF could act on its requirements.
PFF categorized their requirements into four areas:
· Intrusion Detection: Ability to detect, in near real time, attempts to break
into or deny service to any host. This needed to include attempts from one
or more hosts and alerting of network security staff.
· Authorization Failures: Ability to analyze invalid login attempts and other
security authorization failures.
· Security Changes: Ability to produce reports of changes to access rights,
account creation, account modification and deletion.
· Network Monitoring: Ability to detect network outages, performance issues,
bottlenecks, etc. Also needed to be able to alert network staff.
PFF wanted to address security problems both proactively and reactively. Events
needed to be tracked from common network protocols such as syslog and from
more complex applications that required specific log adapters. PFF's goal was to
centralize log data and be able to execute a "top down, bottom up and side to
side analysis" through a central repository.
A Blended Approach Using Cisco MARS and SenSage
PFF leveraged Cisco Security Monitoring, Analysis and Response System
(MARS) to perform real-time event management. MARS is an excellent tool for
detecting incidents and attacks that are visible in syslog events. In one
case, a port scan executed by internal auditors was immediately detected
and automatically shut down within 30 minutes.
MARS is a powerful tool but only supports syslog event data, which is only a
subset of the events (including application and other system events) that PFF
required to meet audit requirements. Additionally, MARS by design does not hold
event data for significant periods: it overwrites data in a round-robin fashion
and only archives data to an external source if an additional MARS archive
appliance is licensed. At PFF, MARS event data is overwritten in 30 to 60 days,
which is not adequate for audit and forensic requirements.
To meet their technical requirements, PFF realized that they needed to
augment the functionality provided by MARS.
After evaluating several vendors, PFF chose to augment their Cisco MARS
implementation with SenSage to provide the information required to meet their
security and audit requirements.
The reasons for choosing SenSage included:
· SenSage supports retrieval and storage from any log source, not just
syslog.
· SenSage correlates event records from any source giving a complete view
of incidents and enables audit reporting.
· SenSage provides long-term online event data storage. PFF has "day
one" event records for over three years with SenSage.
· Speed and flexibility of reports and queries for forensic incident response
that span long periods, including years.
Immediately, PFF was able to leverage SenSage to end common policy
problems and avert potential attacks by detecting violations such as:
· Administrators granting domain administrator authority "to get things
working", which is a clear policy violation and a likely security threat.
· Administrators logging in as local administrators instead of as themselves,
possibly avoiding accountability, which is another policy violation.
· The addition of new users to a domain.
· The addition of new devices to the network, which might have
security weaknesses.
· Related past events and actions by users when incidents are detected.
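As an added illustration (not code from PFF, SenSage or Cisco), the following script applies the detection requirements listed earlier (repeated attacks from one source or IP range, account and configuration changes) and the policy violations in the list above to constructed, already-normalized event records. The event schema, the failure threshold, the /24 grouping and the asset inventory are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed, already-normalized event records: the kind of rows a central
# repository holds after syslog and application-log adapters parse raw lines.
EVENTS = [
    {"ts": 1, "type": "login_failure", "src": "10.1.2.3", "host": "web1", "user": "bob"},
    {"ts": 2, "type": "login_failure", "src": "10.1.2.4", "host": "web1", "user": "bob"},
    {"ts": 3, "type": "login_failure", "src": "10.1.2.9", "host": "db1", "user": "sa"},
    {"ts": 4, "type": "login_failure", "src": "192.168.9.9", "host": "web1", "user": "eve"},
    {"ts": 5, "type": "group_add", "group": "Domain Admins", "user": "svc_backup", "actor": "jsmith"},
    {"ts": 6, "type": "login_success", "src": "10.1.5.5", "host": "fs1", "user": "Administrator"},
    {"ts": 7, "type": "user_create", "user": "tempuser", "actor": "jsmith"},
    {"ts": 8, "type": "dhcp_lease", "src": "10.1.7.20", "mac": "00:11:22:33:44:55"},
]
KNOWN_MACS = {"aa:bb:cc:dd:ee:ff"}          # constructed asset inventory (assumption)
SHARED_ADMIN_ACCOUNTS = {"Administrator"}   # generic accounts nobody should log in as

def find_alerts(events, fail_threshold=3, prefix_len=24):
    """Return (ts, message) alerts for the attack patterns and policy violations
    discussed in the case study. Login failures are counted per /prefix_len source
    range, so an attack spread across several hosts in one IP range is still caught."""
    alerts, failures = [], Counter()
    for e in events:
        t = e["type"]
        if t == "login_failure":
            net = ipaddress.ip_network(f'{e["src"]}/{prefix_len}', strict=False)
            failures[net] += 1
            if failures[net] == fail_threshold:      # fire once per range
                alerts.append((e["ts"], f"{fail_threshold} login failures from {net}"))
        elif t == "group_add" and e["group"] == "Domain Admins":
            alerts.append((e["ts"], f'{e["actor"]} granted Domain Admins to {e["user"]}'))
        elif t == "login_success" and e["user"] in SHARED_ADMIN_ACCOUNTS:
            alerts.append((e["ts"], f'shared account {e["user"]} used on {e["host"]} from {e["src"]}'))
        elif t == "user_create":
            alerts.append((e["ts"], f'{e["actor"]} created domain user {e["user"]}'))
        elif t == "dhcp_lease" and e["mac"] not in KNOWN_MACS:
            alerts.append((e["ts"], f'unknown device {e["mac"]} at {e["src"]}'))
    return alerts

def related_history(events, actor, before_ts):
    """Earlier actions by the same actor, for the 'related past events' review
    that a long-retention store makes possible."""
    return [e for e in events if e.get("actor") == actor and e["ts"] < before_ts]

if __name__ == "__main__":
    for ts, msg in find_alerts(EVENTS):
        print(ts, msg)
```

Because alerts are keyed on the normalized fields rather than the raw syslog text, the same rules apply to Windows, database or outsourced-application events once an adapter has parsed them into this shape.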
PFF was also able to avoid the additional expense from purchasing the Cisco
MARS archive function. While Cisco MARS does provide an archiving
function at an additional cost, archived data is not available for online queries
and correlation.
Business Benefit
Through the implementation of real-time event correlation and log management
from Cisco MARS and SenSage, PFF was able to pass the last OTS EDP audit.
PFF is now able to prove management of logs, allowing them to have a "window"
into all network activity to discover security problems and policy issues before
larger problems occur.
PFF now has the security infrastructure in place to cover the regulations that
affect them and is also well positioned for other regulations should their business
requirements change. It is possible that PFF may change their business model
for accepting credit cards and would then fall under PCI regulations. With their
current security practices, facilitated by SenSage and Cisco MARS, PFF will
easily be able to adapt to the regulations and include credit card processing
applications with little effort.
About SenSage, Inc.
SenSage Inc., the leading provider of event data warehousing solutions, enables
the collection, analysis, and retention of event data for security, compliance and
systems management. The company offers unparalleled performance and a
scalable means for organizations to centrally aggregate, efficiently analyze,
dynamically monitor and cost-effectively store massive volumes of event data.
Based in San Francisco, CA, SenSage currently works with Global 2000
customers in financial services, government, healthcare, retail, manufacturing,
telecommunications and technology. For more
information, visit www.sensage.com.
All brand or product names are or may be trademarks of, and are used to identify products and services of, their
respective owners.