New System Promises to Help FAA Detect, Respond to Threats

Computerworld - The Federal Aviation Administration has just finished installing a security event management system designed to help the agency better detect and respond to external and internal threats.

The FAA will use forensic analysis of data from multiple sources for investigating terrorist activity.

The new FAA system is based on ArcSight Inc.'s Enterprise Security Management (ESM) software, which allows users to centrally monitor, collect and analyze information from multiple network security devices, including intrusion-detection systems and firewalls.
The system is part of a broader FAA effort initiated after the 2001 terrorist attacks to bolster its network defenses and incident-response capabilities, according to Michael Brown, director of the Office of Information Systems Security at the FAA.
"We were looking for a way to manage the large volume of information coming from multiple [network] sources [and] do a lot of correlation and data reduction," he said. Brown said the agency hopes the new system can help it manage the large amount of information generated by security systems.
ArcSight's ESM, like other products in its class from vendors such as netForensics Inc., NetIQ Corp. and Intellitactics Inc., is designed to quickly sift through the torrent of data generated by multiple security devices and to focus on the most important information.
A Million Alerts Per Day
At the FAA, for instance, fire-walls, system log files, vulnerability scanners and intrusion-detection systems can together generate more than 1 million alerts per day -- only a very small fraction of which merit any follow-up, according to Brown.
"At the end of the day, after all the analysis has been done, we are looking at roughly 15 to 20 [important] alerts," he said.
Apart from transforming raw event data into usable intelligence for security and network administrators, security event management tools such as those from Cupertino, Calif.-based ArcSight can be useful for forensic analysis after a terrorist attack, Brown said.
Like other agencies, the FAA -- which is part of the U.S. Department of Transportation -- is subject to audits by the Government Accountability Office and is required to implement strong incident-response capabilities under the Federal Information Security Management Act.
The new event management capability will allow the FAA to create an auditable security infrastructure to demonstrate compliance with such requirements, Brown said.

Read more about security in Computerworld's Security Knowledge Center.