How BlueScope's CSO saved big with an open-source global security operations centre

The cost of security-monitoring tools often puts them out of the reach of small and resource-challenged companies – but cost has been no obstacle for steel giant BlueScope's CSO, who has overseen implementation of an open-source alternative that's providing global, real-time security monitoring while saving hundreds of thousands of dollars in the process.

The idea for the project grew out of one of BlueScope's regular pen testing exercises, which it has long conducted at regular intervals with ethical-hacking firm Kustodian. David Johnston, BlueScope's group manager for information services and cyber security, told CSO Australia that he had long wanted to build a centralised security operations centre (SOC) but found commercial security-intelligence options were expensive and over-prescriptive.

“I was keen to ensure that we had continuous monitoring and alerting capabilities, but BlueScope has had a pretty tough few years and we were quite challenged in terms of costs,” Johnston explains. “Looking at the marketplace, software costs are in the hundreds of thousands. By the time you get a project team in to do the integration, it's usually $1m plus.”

Conversations with Kustodian CEO Chris Rock led Johnston to consider other ways that BlueScope might be able to introduce real-time security monitoring. The conversation turned to open-source options, and Rock suggested that the ELK stack – a software bundle from Elasticsearch Inc combining Elasticsearch analytics, Logstash data-processing and Kibana visualisation tools – would deliver the capabilities BlueScope was looking for at a fraction of the cost.

The timing of the suggestion was “fortuitous” as the ELK stack was relatively new, Johnston says, and Kustodian had recently used it to build open-source security-monitoring environments for clients in the Middle East.

Over the course of a 3-month trial during the quiet 2014 holiday period, it became clear that the ELK system was exactly what BlueScope was looking for.

“It was beyond our expectations in terms of just how well and how smoothly the trial went,” Johnston says, noting that the tools provided real-time visibility of the company's entire network environment and allowed administrators to set thresholds and flags for specific actions.

These actions are based around very clear business rules: if an employee's account is accessed from two different countries within the space of minutes, for example, security administrators get an email and SMS notification. Ditto if a user's password is entered incorrectly too many times, if particular network parameters exceed a set threshold, or if antivirus or other security-scanning tools throw up telltale signs of an impending attack.
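The two business rules described above, expressed as detection logic over a constructed set of login events (an added example, not BlueScope's or Kustodian's code; the rule names, window sizes and thresholds are illustrative assumptions):

```python
"""Added example (not BlueScope's or Kustodian's code): the two alerting rules
described above, run over constructed authentication events of the kind a SIEM
such as the ELK stack would index. Thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, country, outcome).
EVENTS = [
    ("2015-06-01T08:00:00", "alice", "AU", "success"),
    ("2015-06-01T08:04:00", "alice", "US", "success"),  # 4 min apart, new country
    ("2015-06-01T09:00:00", "bob", "AU", "failure"),
    ("2015-06-01T09:00:10", "bob", "AU", "failure"),
    ("2015-06-01T09:00:20", "bob", "AU", "failure"),
    ("2015-06-01T09:00:30", "bob", "AU", "failure"),
    ("2015-06-01T09:00:40", "bob", "AU", "failure"),
    ("2015-06-01T09:00:50", "bob", "AU", "failure"),
    ("2015-06-01T10:00:00", "carol", "AU", "success"),
    ("2015-06-01T12:00:00", "carol", "NZ", "success"),  # 2 h apart: plausible travel
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def two_country_logins(events, window=timedelta(minutes=10)):
    """Alert when one account logs in from two countries within `window`."""
    alerts, last_by_user = [], {}  # user -> (time, country) of last success
    for ts, user, country, outcome in sorted(events):
        if outcome != "success":
            continue
        now, prev = _parse(ts), last_by_user.get(user)
        if prev and prev[1] != country and now - prev[0] <= window:
            alerts.append(("two_countries", user, prev[1], country))
        last_by_user[user] = (now, country)
    return alerts

def failed_login_burst(events, limit=5, window=timedelta(minutes=1)):
    """Alert once when an account exceeds `limit` failures in a sliding `window`."""
    alerts, failures = [], defaultdict(list)
    for ts, user, _country, outcome in sorted(events):
        if outcome != "failure":
            continue
        now = _parse(ts)
        failures[user] = [t for t in failures[user] if now - t <= window] + [now]
        if len(failures[user]) == limit + 1:  # fire on the crossing, not every hit
            alerts.append(("brute_force", user, limit))
    return alerts

def run_rules(events):
    """Run every rule; in the SOC each returned alert feeds email/SMS notification."""
    return two_country_logins(events) + failed_login_burst(events)
```

Carol's two logins are two hours apart and so fall outside the window, which is why a time bound matters: without it, ordinary travel would raise the same alert as a compromised account.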

“We had always wanted to do this,” Johnston says. “It's all about the visibility of the data, and being able to action it.”

The global, open-source SOC

With strong pilot-testing results in hand, Johnston went to the BlueScope executive – which, he says, has been showing “a growing awareness from the management and board about the threat of cybersecurity” – for approval to roll out the platform at a much broader scale.

There was some concern about the impact that the platform would have on network bandwidth and usability, but these concerns were quickly addressed and in the end there were “not too many people pushing back”, Johnston said.

Securing corporate approval “was really a case of pointing out that any sort of pen testing is only a point-in-time security assessment. Given the way the world is going and the way the threat landscape looks these days, it really is important to have that real-time view of what's going on.”

The first few months of the year saw the BlueScope and Kustodian team – comprising just six people – work together to expand the solution and roll it into production across BlueScope's environment. This was no small task considering that BlueScope has 16,000 employees spread across more than 100 locations in 17 countries across Australasia, North America, and Asia.

The SOC has been live since April and is smoothly processing around 350,000 events per hour from all across BlueScope's network, Rock told CSO Australia. Data is filtered and made available to users in real time, with around 2TB of processed data expected to be produced and archived every year.

The production environment is built on Ubuntu Linux servers and leverages Amazon Web Services' Elastic Cloud 2 (EC2) and Simple Storage Service (S3) to scale its virtual-server and data-storage infrastructures with demand. The solution was initially designed to store around 12 months' data onsite, with an additional 12 months' data archived and a further 12 months' data potentially being offloaded to Amazon's Glacier at-rest storage service for later recall as needed.

A major part of the smooth rollout was the fact that Johnston always had a clear vision of what he needed the SOC to do, Rock notes: “He had clear case studies of what he wanted, and it was just a matter of whether we could or couldn't do it with the technology. When we got our heads deep into the ELK Stack, we realised we could do anything – it's just a matter of how you were going to implement it.”


The open-source design of the ELK stack environment allowed the team to integrate a broad range of systems relatively easily. In a heavily industrialised production environment like BlueScope's, this design allowed the SOC to not only monitor conventional IT components like payroll systems and networked devices, but to also keep an eye on industrial-control systems attached to steel furnaces, paint guns, and the like.

Support through the open-source community has also been a plus, with the team actively participating in online communities to share experiences and learn from others working in the same space.

Even the designers of the original ELK solution “have been talking with us and learning from some of the things we've done,” Johnston says. “Open-source communities that are thriving and vibrant are always a fantastic environment for sharing ideas.”

Despite the size of BlueScope's organisation, Rock says the deployment is relatively small compared to other ELK Stack use cases, and easy to support with a few virtual servers: “ELK was designed with Hadoop and Flume and all these other things in mind and has a huge ceiling,” he says. “We're never going to hit any scalability problems in this environment.”


A new enterprise view

Intervening months have seen the open-source SOC going from strength to strength, providing visibility of significant activities as they happen.

“You get trending over a period of time, and can look at trends and see anomalies or patterns appearing,” Johnston says. “You can see when someone is trying to brute-force a Web site, or when someone is trying to probe one of your external Web-facing devices. I've just got a lot more confidence in terms of being able to see what's going on.”

The system has also provided an historical data set that can be correlated with current activities to foster invaluable reporting on organisational performance.


Increasingly relevant reporting has seen Kustodian become more proactive in keeping the BlueScope team informed about current usage: live dashboards keep all staff updated in real time, while more regular emailed alerts and reports provide ongoing summary data.

“The biggest thing for us is that we can now put together league tables,” Johnston says. “There are parts of the business where [security practices] are a bit tawdry. This is an opportunity, without naming individuals, to show trends in the business so we can encourage them to do something about it.”

Months down the track, the open-source solution has not only proven to be a “very cost-effective” option for BlueScope, but has become a key platform that will provide enhanced security governance capabilities now and into the future.

As a CSO, “the key for me is trying to reduce the amount of risk the organisation faces on a daily basis,” Johnston says. “From that perspective alone, it has been well worth the journey.”
