Specialty apparel retailer Express found itself in a technology quandary in 2007 when it was purchased by the private equity firm Golden Gate Capital. All of the company’s IT functions were centralized through its previous parent company, Limited Brands. After the buyout, Express had to reinvent an IT strategy and implement the necessary infrastructure.
A key component of its IT strategy was identifying and implementing a security information and event management, or SIEM, solution that would automatically monitor for common exceptions such as invalid log-in attempts, intrusion attempts, malware alerts and other potentially malicious network activity. Additionally, the SIEM had to satisfy PCI compliance requirements for monitoring payment card transactions.
After reviewing its options, Express began implementing a SIEM solution from LogRhythm, Boulder, Colo., in August 2009. Within days, the new system was up and running on the company’s core servers, routers and firewalls, then quickly expanded across the network. Now the SIEM also monitors all POS and back-office systems in each of the company’s 580 stores.
“It has helped us maintain a strong security posture, while also yielding a tremendous value with a pretty quick return on investment,” said Jason Luttrell, security engineer, Express, Columbus, Ohio. “Before, several full-time employees had to monitor and follow up on events. Now, we get automated alerts that enable us to quickly cut through noise in the network and focus our efforts on core issues.”
The SIEM allows users to set alerting thresholds based on requirements defined by Express. For instance, a rule can fire as soon as an event happens, even if it occurs just once on a single system, or it can be configured to fire only when the same event recurs a defined number of times within a defined time window.
“We can set alerts however we want, but we typically define thresholds so the system doesn’t interrupt us frequently with white noise, but instead only sends critical alerts that need attention,” Luttrell explained.
However, the main driver for choosing a SIEM solution, according to Luttrell, was compliance with PCI requirements, including all of the necessary reporting. For example, PCI DSS requires that every individual user’s access to cardholder data be logged, so Express must be able to identify when an unencrypted credit card number has been viewed and by whom.
The LogRhythm SIEM generates a daily report that identifies every instance when an unencrypted credit card number has been viewed and whether the person viewing the number was authorized to do so as part of their job. If an unauthorized person is involved or if the volume is outside the norm, the SIEM automatically sends an alert of a potential intrusion so Express can quickly launch an investigation and avert widespread losses.
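The two kinds of logic described above, threshold alerting (fire on the first occurrence, or only after N occurrences within a window) and the daily card-number access report with its authorized-role and volume checks, are small enough to show end to end. The following is an added example written for this article; it is not Express’s configuration or LogRhythm code. The log format, host and user names, the authorized roles, the five-in-five-minutes login threshold and the daily baseline of three card-number views per user are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""Threshold alerting and a daily card-number access report over sample log
lines. Added example, not Express's or LogRhythm's own code."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simple key=value format (assumption: real
# POS and back-office sources would each need their own parser).
SAMPLE_LOGS = """\
2009-09-01T08:00:01 host=pos-0412 event=login_failed user=cashier3
2009-09-01T08:00:20 host=pos-0412 event=login_failed user=cashier3
2009-09-01T08:00:45 host=pos-0412 event=login_failed user=cashier3
2009-09-01T08:01:05 host=pos-0412 event=login_failed user=cashier3
2009-09-01T08:01:30 host=pos-0412 event=login_failed user=cashier3
2009-09-01T08:20:00 host=pos-0088 event=login_failed user=cashier9
2009-09-01T08:30:00 host=fw-edge1 event=malware_alert sig=Trojan.Generic
2009-09-01T09:00:00 host=bo-07 event=pan_viewed user=refunds1 role=refunds pan=4111111111111111
2009-09-01T09:05:00 host=bo-07 event=pan_viewed user=refunds1 role=refunds pan=5555555555554444
2009-09-01T09:10:00 host=bo-07 event=pan_viewed user=stock2 role=inventory pan=4111111111111111
2009-09-01T09:11:00 host=bo-07 event=pan_viewed user=refunds1 role=refunds pan=4012888888881881
2009-09-01T09:12:00 host=bo-07 event=pan_viewed user=refunds1 role=refunds pan=4111111111111111
"""

AUTHORIZED_ROLES = {"refunds", "fraud_review"}  # assumption: roles allowed to view a PAN
DAILY_BASELINE = 3  # assumption: views per user per day before volume is "outside the norm"


def parse(text):
    """Turn each line into a dict of fields with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


class ThresholdRule:
    """Fire when `event` has been seen `count` times within `window`, tracked
    separately per value of `key_fields`. count=1 is an alert-immediately rule."""

    def __init__(self, name, event, count, window, key_fields=()):
        self.name, self.event, self.count = name, event, count
        self.window, self.key_fields = window, tuple(key_fields)
        self.seen = defaultdict(deque)  # key -> timestamps still inside the window

    def feed(self, ev):
        if ev.get("event") != self.event:
            return None
        key = tuple(ev.get(f) for f in self.key_fields)
        q = self.seen[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # one burst produces one alert, not one per extra event
            return {"rule": self.name, "key": dict(zip(self.key_fields, key)), "ts": ev["ts"]}
        return None


def build_rules():
    """Fresh rule instances (they carry sliding-window state)."""
    return [
        ThresholdRule("malware_alert_immediate", "malware_alert", 1, timedelta(0), ("host",)),
        ThresholdRule("brute_force_login", "login_failed", 5, timedelta(minutes=5), ("host", "user")),
    ]


def run_rules(events, rules):
    """Stream events through every rule in order and collect the alerts raised."""
    return [hit for ev in events for rule in rules if (hit := rule.feed(ev))]


def mask(pan):
    """Keep only the first six and last four digits in anything we write out."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_view_report(events):
    """Daily report: every PAN view, who viewed it and whether their role is
    authorized, plus alerts for unauthorized viewers and above-baseline volume."""
    rows, alerts, per_user = [], [], Counter()
    for ev in events:
        if ev.get("event") != "pan_viewed":
            continue
        authorized = ev.get("role") in AUTHORIZED_ROLES
        rows.append((ev["ts"].isoformat(), ev["user"], ev["role"], mask(ev["pan"]), authorized))
        per_user[ev["user"]] += 1
        if not authorized:
            alerts.append(f"UNAUTHORIZED_PAN_VIEW user={ev['user']} role={ev['role']} host={ev['host']}")
    for user, n in per_user.items():
        if n > DAILY_BASELINE:
            alerts.append(f"PAN_VIEW_VOLUME user={user} views={n} baseline={DAILY_BASELINE}")
    return rows, alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for a in run_rules(evs, build_rules()):
        print("ALERT", a["rule"], a["key"], a["ts"].isoformat())
    report, pan_alerts = pan_view_report(evs)
    for row in report:
        print("REPORT", *row)
    for a in pan_alerts:
        print("ALERT", a)
```

On the constructed input the brute-force rule fires once for cashier3 on pos-0412 (five failures in under two minutes) and stays silent for the single failure on pos-0088, the malware rule fires on its first hit, and the card-number report flags both the inventory-role user who should not have seen a card number and the refunds clerk whose four views exceed the daily baseline. The report masks the card number to first six and last four digits because a report that reproduces full card numbers is itself cardholder data under PCI DSS; the same caution applies to whatever log source told the SIEM that a number was viewed.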
Luttrell noted that before the SIEM, this level of oversight and intervention would have been much more difficult; identifying who was involved and whether or not that person’s action was warranted would likely have taken days or, at the very least, hours.
Overall, the most daunting IT security challenge Express faced was monitoring its entire network, which requires that each individual log entry be reviewed. Now, Luttrell credits the SIEM with “having enough intelligence” to recognize when a log entry likely represents suspicious activity. The system aggregates suspicious entries over a 24-hour period, giving the security department visibility into all exceptions so it can easily assess issues and maintain a big-picture perspective of the total network on a daily basis.