Saudi Hollandi Bank, the first operating bank in the Kingdom of Saudi Arabia, was founded more than 80 years ago and now has 43 branches across the Kingdom. It generates hundreds of thousands of log events each day from dozens of sources, including security devices, networking equipment and databases, but faced a problem in collecting and storing them centrally.
A lack of centralised log management made it very difficult for the bank to meet compliance requirements and to conduct investigations into suspicious activity on its network.
“Log management had become a real nightmare for us,” explains Ali Alotaibi, IT Security Manager at Saudi Hollandi Bank. “At one point, we even had someone on staff that was responsible for manually collecting logs from every server, but some days the job would get done and some days it would not. It was clear to everyone, including our auditors, that we were not properly reviewing our logs.”
The bank was also constrained when it came to conducting investigations and responding to potential threats. Log events are often important pieces of evidence, but the bank had trouble finding the right logs when it really needed them. That’s because log events were not properly collected and stored. Sometimes they were overwritten by a system administrator and sometimes they were simply deleted from the server.
It was clear that Saudi Hollandi Bank needed an enterprise security management solution that could better protect its critical information assets and properly manage log data across the organisation.
The bank did not have to look far for a solution. It spoke to nearly a dozen other companies in Saudi Arabia that had implemented ArcSight ESM and these organisations had only good things to say about the product. Saudi Hollandi had even seen ArcSight ESM in action at another Saudi bank and was impressed with what it saw. “We are very close to this other bank, so we got a first-hand look at ArcSight from the inside,” recalls Alotaibi. “When it came time for us to select a security management system, we knew ArcSight ESM was the best choice.”
Saudi Hollandi worked with ArcSight partner ITS• to implement the solution. From the beginning, Saudi Hollandi realised it could accomplish a great deal with ArcSight ESM without having to invest a lot of time and resources in the system. Almost immediately, the bank was able to collect all its logs within a single system and to put in place a centralised logging solution.
“A contributing reason for our success was the help we received from ArcSight partner ITS•,” says Alotaibi. “They know ArcSight inside and out but, just as importantly, they took the time to understand our specific requirements and what we wanted to achieve with the system. Yes, ArcSight is easy to implement, but ITS• made it even easier.”
The bank has seen many tangible results since deploying ArcSight ESM. The ability to automatically collect and manage information from any log source has allowed the bank to meet its regulatory compliance requirements, including internal mandates that require the review of all logs by a dedicated entity.
By collecting the logs centrally, Saudi Hollandi is also able to monitor all log events for suspicious activity and violations. The bank now has the confidence of knowing that when it needs to find a specific log event as part of an investigation or audit request, it can do so quickly and easily. If, for instance, someone violates bank policy or tries to log into the network with an incorrect ID, Saudi Hollandi can now access the appropriate logs and thus gain greater insight into the incident.
The bank is also benefiting from the ability of ArcSight ESM to generate role-relevant reports for every stakeholder in the organisation. These reports are provided in the form of rotating dashboards that are viewed by senior management. The reports highlight critical pieces of information, such as the top ten Web addresses visited by people within the bank, or the top ten attempts on the corporate firewall.
“Before ArcSight, it was difficult to know in real time what was happening from an IT security and compliance perspective,” says Alotaibi. “ArcSight has quickly become a key strategic element in the safe and secure operation of our bank.”