May 31, 2011
CSO
ALPS Advisors Inc. is a mutual fund administration company with headquarters in Denver and offices in Boston, New York and Seattle. The firm manages more than $1.5 billion in assets and provides a suite of asset servicing and gathering solutions to more than 200 clients in the investment management industry.
ALPS' online portal provides back-end mutual fund processing, accounting, transactions and compliance for its customers. To protect its own IT assets as well as those of its clients against targeted attacks, the firm must continuously monitor activity across its two data centers. In addition, as a financial services firm, ALPS is required to perform such monitoring to remain in compliance with the Gramm-Leach-Bliley Act.
The monitoring covers system logs, network traffic and Dynamic Host Configuration Protocol (DHCP) logs from servers throughout the company, as well as logs from firewalls and from the custom application through which ALPS provides the mutual fund back-end processing to customers via the Internet.
"Monitoring logs for this application is particularly critical, since it's our primary platform for providing services," says Pete Blood, IT security professional at ALPS. "Our customers rely on the application to access important data. With our previous log monitoring system, it was difficult to maintain and pull logs back into the system from the archive. Performing historical reviews was particularly challenging."
The firm researched various methods and technologies for monitoring multiple logs, and in 2010 deployed a platform from LogRhythm. The technology uncovers evidence of security problems in logs, including intrusions, fraud, insider threats, zero-day attacks and other suspicious activity that the firm might otherwise not notice.
Blood says the LogRhythm platform has made it easy for the firm to investigate log activity to find bad login attempts, multiple user IDs from the same IP address, and symptoms that indicate someone is trying to get into the system. It allows the company to collect and report on daily log activity. "We currently maintain log archives on the LogRhythm appliance but will eventually move these onto network attached storage (NAS) for historical reporting," he says.
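The two symptoms Blood names, repeated bad login attempts and several user IDs arriving from one IP address, can be expressed as simple detection rules run over authentication logs. The script below is an added example written for this article; it is not LogRhythm's or ALPS's code. The syslog-style line format, the field names, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Two detection rules over constructed authentication log lines:
(1) a burst of failed logins from one source IP, and
(2) one source IP presenting several distinct user IDs.
Log format, thresholds and sample data are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines from a hypothetical portal application.
SAMPLE_LOG = """\
2011-05-31T09:00:01 portal auth: result=FAIL user=jsmith src=203.0.113.7
2011-05-31T09:00:03 portal auth: result=FAIL user=jsmith src=203.0.113.7
2011-05-31T09:00:05 portal auth: result=FAIL user=jsmith src=203.0.113.7
2011-05-31T09:00:06 portal auth: result=FAIL user=jsmith src=203.0.113.7
2011-05-31T09:00:08 portal auth: result=FAIL user=jsmith src=203.0.113.7
2011-05-31T09:00:09 portal auth: result=OK user=jsmith src=203.0.113.7
2011-05-31T09:15:00 portal auth: result=OK user=alice src=198.51.100.20
2011-05-31T09:15:30 portal auth: result=OK user=bob src=198.51.100.20
2011-05-31T09:16:10 portal auth: result=FAIL user=carol src=198.51.100.20
2011-05-31T09:16:40 portal auth: result=OK user=dave src=198.51.100.20
2011-05-31T10:30:00 portal auth: result=FAIL user=erin src=192.0.2.44
2011-05-31T11:45:00 portal auth: result=OK user=erin src=192.0.2.44
"""

# Field layout of the constructed log line (hypothetical format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_lines(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: peak_count} for IPs with >= threshold failures inside any window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_src[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        # Sliding window over the sorted failure timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def multi_user_sources(events, threshold=3):
    """Return {src_ip: sorted users} for IPs seen with >= threshold distinct user IDs."""
    users = defaultdict(set)
    for ev in events:
        users[ev["src"]].add(ev["user"])
    return {src: sorted(u) for src, u in users.items() if len(u) >= threshold}


def report(text):
    """Run both rules over raw log text and return the findings."""
    events = parse_lines(text)
    return {
        "bursts": failed_login_bursts(events),
        "multi_user": multi_user_sources(events),
    }


if __name__ == "__main__":
    for rule, hits in report(SAMPLE_LOG).items():
        for src, detail in hits.items():
            print(f"{rule}: {src} -> {detail}")
```

Both rules key on the source IP rather than the user name, which is what makes the second one useful: a shared NAT gateway will trip it legitimately, so the threshold and a list of known proxy addresses are the tuning points an analyst would adjust before relying on it for alerting.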
Other stories by Bob Violino