
Security Data Warehouse

The Security Data Warehouse (SDW) is a Security Information Management (SIM) tool that was custom developed for the IT security office of NASA’s Johnson Space Center (JSC). The tool non-intrusively aggregates and correlates data from disparate and distributed sources and maps historical events across a wide variety of network and Internet activity. It allows tracking of users across devices and networks (including dynamic environments that use DHCP and wireless access points), retains historical log data, and provides easy creation of ad-hoc reports. Benefits compared to other SIM tools include full application programming interface (API) access, proven reliability, a significant increase in analyst productivity, increased data accuracy over time and improved situational awareness, as well as intuitive presentation of data to security analysts for faster decision making.

Prior to the development of the SDW, an excessive amount of labor was required of the JSC IT Security Office to accurately analyze the available security data from IT systems, both for situational awareness and for forensic investigation. This analysis involved reviewing dozens of different data sources, each of which describes hosts in a different manner. The manual correlation of this data was time-intensive and prone to error. MEI’s SDW product solved this problem by bringing automation and significant efficiency to this once manually intensive process.

MEI designed the Graphical User Interface to enable security analysts to find and display all pertinent information for a single system or many systems quickly and in a logical layout. The web-based interface allows real-time searches from multiple access points, but is centered on the concept of a host and all data related to it. A host record contains information such as NetBIOS name, operating system, tag numbers, and user-defined data such as location information, organizational owner, and security plan. Each host can have several interfaces to the network; these interfaces record which IP addresses a given computer has had and at what times. The host search page shows basic vital information for all hosts that match a search request, and the results are color coded according to the reliability of the data.

Data entering the Warehouse is processed by simple script-based loaders that extract every event showing positive evidence of a host being live on the network. This data is then fed into the SDW API to be parsed and normalized. Each data source is validated against its appropriate specification, with special allowances made for known deviations.

A key design feature of the SDW is an API, written in Perl, that provides controlled access to an underlying relational database. The SDW host mapping algorithm tracks hosts and their associated data through time. It can also correct previous, invalid mappings, thereby reducing the mapping error rate. This allows it to correlate many different pieces of security data back to individual hosts and to store the historical data attributed to each host. The SDW is then able to match items such as virus alerts and intrusion detection events back to a host. Information specific to that host can then be retrieved to address or mitigate an issue, for example by identifying the affected user and the web page the user visited from which a virus was acquired. This allows an IT security office to respond quickly to time-critical problems, which may involve disconnecting a host from the network and adding firewall rules or web page blocks. Furthermore, changes to hosts, and to the users who use a particular host, are tracked and retained. The unique aspect of this approach is the collection of historical data for each host the SDW detects on the network.
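The two preceding paragraphs describe the core of the approach: loaders extract positive evidence that a host was live on an IP address, the mapper keeps a time-bounded interface record per host, events that carry only an IP and a timestamp are attributed to whichever host held that IP at that time, and late-arriving evidence corrects earlier mappings. The following is an added illustration of that host-mapping idea written for this page; it is not MEI's SDW code (whose API is Perl, not Python), and the log formats, the `HostMapper` class, the `attribute_alerts` function and all log lines are constructed assumptions. It shows why attribution is computed against the mapping store at query time: when a later DHCP record reveals that an IP changed hands, an alert that was first attributed to the old host is re-attributed to the new one.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample data (not from any real system): a DHCP log, which is
# positive evidence that a host was live on an IP, and an IDS alert log that
# identifies the offending machine only by IP address and time.
DHCP_LOG = """\
2007-03-12T08:55:00 DHCPACK ip=10.1.2.50 mac=00:11:22:33:44:55 host=LAB-PC-01
2007-03-12T09:10:00 DHCPACK ip=10.1.2.51 mac=00:11:22:33:44:66 host=LAB-PC-02
"""
# A lease record that arrives after alerts have already been attributed.
LATE_DHCP_LOG = """\
2007-03-12T10:00:00 DHCPACK ip=10.1.2.50 mac=00:aa:bb:cc:dd:ee host=VISITOR-LAPTOP
"""
IDS_LOG = """\
2007-03-12T09:30:00 ALERT sig=virus-download src=10.1.2.50
2007-03-12T10:20:00 ALERT sig=virus-download src=10.1.2.50
2007-03-12T10:25:00 ALERT sig=port-scan src=10.1.2.99
"""

DHCP_RE = re.compile(r"^(\S+) DHCPACK ip=(\S+) mac=(\S+) host=(\S+)$")
IDS_RE = re.compile(r"^(\S+) ALERT sig=(\S+) src=(\S+)$")


@dataclass
class Interface:
    """One period during which a host held one IP address."""
    ip: str
    start: datetime
    end: Optional[datetime] = None  # None: no later evidence has closed it yet


@dataclass
class Host:
    mac: str                         # the stable identity in this toy model
    name: str
    interfaces: list = field(default_factory=list)


class HostMapper:
    """Hypothetical stand-in for the SDW host-mapping store."""

    def __init__(self):
        self.hosts = {}   # mac -> Host
        self.by_ip = {}   # ip -> list of (mac, Interface)

    def load_dhcp(self, text):
        """Loader: keep only lines that are positive evidence of a live host."""
        for line in text.splitlines():
            m = DHCP_RE.match(line)
            if not m:
                continue
            ts, ip, mac, name = m.groups()
            self._record(datetime.fromisoformat(ts), ip, mac, name)

    def _record(self, ts, ip, mac, name):
        host = self.hosts.setdefault(mac, Host(mac, name))
        host.name = name  # a renamed host keeps its history under the same MAC
        # Correct earlier mappings: any other host's still-open lease on this
        # IP that began before ts is now known to have ended by ts.
        for other_mac, iface in self.by_ip.get(ip, []):
            if other_mac != mac and iface.end is None and iface.start < ts:
                iface.end = ts
        if any(i.ip == ip and i.end is None for i in host.interfaces):
            return  # lease renewal for the same host; nothing new to learn
        iface = Interface(ip, ts)
        host.interfaces.append(iface)
        self.by_ip.setdefault(ip, []).append((mac, iface))

    def host_at(self, ip, ts) -> Optional[Host]:
        """Which host held this IP at this instant, if the store knows."""
        for mac, iface in self.by_ip.get(ip, []):
            if iface.start <= ts and (iface.end is None or ts < iface.end):
                return self.hosts[mac]
        return None


def attribute_alerts(mapper, ids_text):
    """Map each IDS alert (IP + time) to a host name, or 'unknown'."""
    results = []
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        ts, sig, ip = m.groups()
        host = mapper.host_at(ip, datetime.fromisoformat(ts))
        results.append((ts, sig, ip, host.name if host else "unknown"))
    return results


if __name__ == "__main__":
    mapper = HostMapper()
    mapper.load_dhcp(DHCP_LOG)
    print(attribute_alerts(mapper, IDS_LOG))   # both .50 alerts -> LAB-PC-01
    mapper.load_dhcp(LATE_DHCP_LOG)
    print(attribute_alerts(mapper, IDS_LOG))   # 10:20 alert -> VISITOR-LAPTOP
```

The point worth taking from the example is the one the page makes about mapping error rates: an open lease is only as trustworthy as the most recent evidence, so an analyst acting on the first attribution of the 10:20 alert would have disconnected the wrong machine. Keeping interface history as intervals rather than a single "current IP" field is what lets the store both answer "who had this address then" and quietly repair itself when a later record shows the earlier mapping was no longer valid.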

Points of Contact
Management: Michael Van Chau, 281-283-6200
Contract Administration: meiinfo@meitechinc.com, 281-283-6200

© 2007 MEI Technologies, Inc.