How BlueScope’s CSO saved big with an open-source global security operations centre
Written by David Braue: CSO 2015: The cost of security-monitoring tools often puts them out of the reach of small and resource-challenged companies – but cost has been no obstacle for steel giant BlueScope’s CSO, who has overseen implementation of an open-source alternative that’s providing global, real-time security monitoring while saving hundreds of thousands of dollars in the process.
The idea for the project grew out of one of BlueScope’s regular pen testing exercises, which it has long conducted at regular intervals with ethical-hacking firm Kustodian. David Johnston, BlueScope’s group manager for information services and cyber security, told CSO Australia that he had long wanted to build a centralised security operations centre (SOC) but found commercial security-intelligence options were expensive and over-prescriptive.
“I was keen to ensure that we had continuous monitoring and alerting capabilities, but BlueScope has had a pretty tough few years and we were quite challenged in terms of costs,” Johnston explains. “Looking at the marketplace, software costs are in the hundreds of thousands. By the time you get a project team in to do the integration, it’s usually $1m plus.”
Conversations with Kustodian CEO Chris Rock led Johnston to consider other ways that BlueScope might be able to introduce real-time security monitoring. The conversation turned to open-source options, and Rock suggested that the ELK stack – a software bundle from Elasticsearch Inc combining Elasticsearch analytics, Logstash data-processing and Kibana visualisation tools – would deliver the capabilities BlueScope was looking for at a fraction of the cost.
Over the course of a 3-month trial period during the quiet holiday 2014 period, it became clear that the ELK system was exactly what BlueScope was looking for.
“It was beyond our expectations in terms of just how well and how smoothly the trial went,” Johnston says, noting that the tools provided real-time visibility of the company’s entire network environment and allowed administrators to set thresholds and flags for specific actions.
These actions are based around very clear business rules: if an employee’s account is accessed from two different countries within the space of minutes, for example, security administrators get an email and SMS notification. Ditto if a user’s password is entered incorrectly too many times, if particular network parameters exceed a set threshold, or if antivirus or other security-scanning tools throw up telltale signs of an impending attack.
“We had always wanted to do this,” Johnston says. “It’s all about the visibility of the data, and being able to action it.”
With strong pilot-testing results in hand, Johnston went to the BlueScope executive – which, he says, has been showing “a growing awareness from the management and board about the threat of cybersecurity” – for approval to roll out the platform at a much broader scale.
There was some concern about the impact that the platform would have on network bandwidth and usability, but these concerns were quickly addressed and in the end there were “not too many people pushing back”, Johnston said.
Securing corporate approval “was really a case of pointing out that any sort of pen testing is only a point-in-time security assessment. Given the way the world is going and the way the threat landscape looks these days, it really is important to have that realtime view of what’s going on.”
The first few months of the year saw the BlueScope and Kustodian team – comprising just six people – work together to expand the solution and roll it into production across BlueScope’s environment. This was no small task considering that BlueScope has 16,000 employees spread across more than 100 locations in 17 countries across Australasia, North America, and Asia.
The SOC has been live since April and is smoothly processing around 350,000 events per hour from all across BlueScope’s network, Rock told CSO Australia. Data is fitered and made available to users in real time, with around 2TB of processed data expected to be produced and archived every year.
The production environment is built on Ubuntu Linux servers and leverages Amazon Web Services’ Elastic Cloud 2 (EC2) and Simple Storage Service (S3) to scale its virtual-server and data-storage infrastructures with demand. The solution was initially designed to store around 12 months’ data onsite, with an additional 12 months’ data archived and a further 12 months’ data potentially being offloaded to Amazon’s Glacier at-rest storage service for later recall as needed.
A major part of the smooth rollout was the fact that Johnston always had a clear vision of what he needed the SOC to do, Rock notes: “He had clear case studies of what he wanted, and it was just a matter of whether we could or couldn’t do it with the technology. When we got our heads deep into the ELK Stack, we realised we could do anything – it’s just a matter of how you were going to implement it.”
The open-source design of the ELK stack environment allowed the team to integrate a broad range of systems relatively easily. In a heavily industrialised production environment like BlueScope’s, this design allowed the SOC to not only monitor conventional IT components like payroll systems and networked devices, but to also keep an eye on industrial-control systems attached to steel furnaces, paint guns, and the like.
Support through the open-source community has also been a plus, with the team actively participating in online communities to share experiences and learn from others working in the same space.
Even the designers of the original ELK solution “have been talking with us and learning from some of the things we’ve done,” Johnston says. “Open-source communities that are thriving and vibrant are always a fantastic environment for sharing ideas.”
Despite the size of BlueScope’s organisation, Rock says the deployment is relatively small compared to other ELK Stack use cases, and easy to support with a few virtual servers: “ELK was designed with Hadoop and Flume and all these other things in mind and has a huge ceiling,” he says. “We’re never going to hit any scalability problems in this environment.”
Intervening months have seen the open-source SOC going from strength to strength, providing visibility of significant activities as they happen.
“You get trending over a period of time, and can look at trends and see anomalies or patterns appearing,” Johnston says. “You can see when someone is trying to brute-force a Web site, or when someone is trying to probe one of your external Web-facing devices. I’ve just got a lot more confidence in terms of being able to see what’s going on.”
The system has also provided an historical data set that can be correlated with current activities to foster invaluable reporting on organisational performance.
Increasingly relevant reporting has seen Kustodian become more proactive in keeping the BlueScope team updated about current usage, with live dashboards keeping all staff updated in real time and increasingly regular emailed alerts and reports providing ongoing summary data.
“The biggest thing for us is that we can now put together league tables,” Johnston says. “There are parts of the business where [security practices] are a bit tawdry. This is an opportunity, without naming individuals, to show trends in the business so we can encourage them to do something about it.”
Months down the track, the open-source solution has not only proven to be a “very cost-effective” option for BlueScope, but has delivered a key platform that will deliver enhanced seurity governance capabilities now and into the future.
As a CSO, “the key for me is trying to reduce the amount of risk the organisation faces on a daily basis,” Johnston says. “From that perspective alone, it has been well worth the journey.”