Data is central to any operation, no matter the size or industry. In the face of data theft, fraud or leakage, weak data management can not only cost money, it can put competitors at an advantage and lead to lost market position. Take CardSystems, which recently experienced the impact of failing to protect customer data. The company was sued in a series of class action cases alleging it compromised personal data for 40 million consumers. At an individual cost of $30 per consumer, the costs of remediation approached $1.2 billion, putting the company out of business. Similarly, one Fortune 500 retailer recently paid $60 million to settle a case alleging inappropriate sharing of customer data.
Without strong data management, companies are also likely to fail compliance audits and, as a result, face serious legal repercussions. Mandates and regulations like HIPAA, SOX, PCI, the Patriot Act and Basel II require fast access to all log data and evidence of IT control and security policy enforcement. BJs, a well-known wholesaler, recently experienced the consequences of inadequate security when credit card numbers were being stolen at the register. The company had to reserve $13 million for related contingencies. As data volumes explode, exposure to risks like these grows with them.
Whereas risk used to be associated with protecting data from outside influences, like vendors or poorly managed information exchanges, now risk stems from many causes, including:
- Violation of internal policies by insiders
- Poor IT controls and processes that result in human error or lack of procedure
- Internal information leaks and fraud
- Network downtime resulting from system errors and unreliable network equipment
- Malicious attacks, worms or natural disasters
Although these risks persist, strong infrastructure data management can help to mitigate them. Critical infrastructure data in the form of log files from corporate firewalls, VPN concentrators, web proxies, IDS systems, email servers, operating systems, enterprise applications and backup systems provides insight into the use of corporate assets, risks and IT performance. With greater insight into log data, administrators can improve IT health and gain the speed and agility necessary to respond to security and performance risks before they turn into incidents. The question remains: How do you harness the power of your logs to achieve these goals and protect information assets?
The need for automation
Today it is unrealistic to believe that a homegrown script is sufficient for risk management. Global 2000 organizations generate more than ten thousand log data messages per second -- the equivalent of two terabytes of data per month. All of that information is needed to establish an audit trail for policy validation and compliance testing, not just warning messages and alarms. Therefore it’s essential to collect all of the data from all local and remote devices and store it in a central repository.
Clinging to outdated methods of data management for volumes of data such as this is a waste of time and money. Homegrown scripts and many SIEM solutions require a high degree of technical expertise to deploy and maintain, and can be tedious and time consuming to use. They must be updated constantly with new business rules, and staff must be dedicated to this function. Plus, scripts are reactive because they are executed after the fact, and they provide few monitoring capabilities to help administrators prevent problems.
Furthermore, shrinking IT budgets limit the technical personnel available to develop and maintain the scripts, let alone execute them at the time of an incident. This makes it extremely difficult to pinpoint problems or find specific data. Imagine having to sift through that much information with a grep script under the pressure of knowing a security risk is jeopardizing corporate assets as you search for the problem.
The risk is high. IT departments spend about 175 hours on remediation after a security incident, and costs can reach as high as $20 million per incident. Corporations lose money from brand damage and waning customer trust. IP leakage, such as shared trade secrets or pre-announced products can further add to those costs.
What about compliance?
In addition to risk mitigation, compliance has become a major area of focus in IT departments of all sizes, across all industries. Medical companies wrestle with HIPAA requirements as financial institutions race to meet Basel II mandates, and nearly every company struggles with SOX. According to Gartner, the average company spends $2 million annually on SOX compliance activities alone, and Accenture says the average bank will spend $61 million on Basel II over the next couple of years.
Access and other IT controls have therefore become mandatory. Information security underpins all regulatory compliance activities, not only by financial institutions, but by pharmaceutical and health care organizations, as well as large and small companies across most industries. Unauthorized access and changes must be prevented, and companies must prove they have the processes in place to control them.
Frameworks like COBIT (the IT Governance Institute’s IT audit framework, used to help achieve SOX compliance and ensure the security and availability of IT assets) recommend four key areas of risk management:
1. Plan and organize: Companies should identify strategies and tactics for how IT can best contribute to achieving business objectives.
2. Acquire and implement: Companies should identify, develop or acquire IT solutions and integrate them into the business process.
3. Deliver and support: Companies must have a process in place concerning the actual delivery of required services, which includes service delivery, security and continuity management, data and operational facilities management, and service support for users.
4. Monitor and evaluate: Companies should regularly assess IT processes for quality and compliance with control requirements, including performance management, internal control monitoring, regulatory compliance and governance.
Within the context of compliance, the ability to use log data to monitor various network functions is critical to addressing these four areas. Companies must not only be able to prevent unauthorized access but also to quickly detect and pinpoint breaches as soon as they occur.
Using log data, administrators can monitor and track:
- Authentication, authorization, access, and changes to programs and data.
- E-mail communications, web activity, and VPN connections.
- Policy updates, configuration changes, and privilege escalations.
- Intrusion patterns, root-cause, and forensic analysis on incidents.
- Infrastructure performance and availability issues that may require attention.
- Disaster recovery testing, including information on successful or failed backups.
Knowing who is accessing the network, what they’re accessing, when it happened, and whether anything was modified, enables better risk mitigation and problem remediation, while creating the audit trail that is becoming so essential for regulatory compliance.
Deploying an LMI (log management and intelligence) platform
Intelligent log management must go beyond the capabilities of SIEM and homegrown scripts to provide a broader range of user features and functionality. Such a solution can reduce the costs of compliance and risk mitigation through automated collection, aggregation and retention of infrastructure data; simplified reporting and management; and more reliable risk mitigation. These features make such data easier to retrieve and organize for auditors, and the fact that the data is complete and unaltered ensures the audit trail will be there when an investigation begins.
A sound log management solution must be able to rapidly and automatically alert administrators to potential threats. This is accomplished with automated alerting capabilities that are based on pre-set thresholds for behavior by device, device group or network, allowing administrators to monitor log data in real time and receive early warning of insider misuse or unusual behavior. Adaptive baseline alerts, network policy alerts and ratio-based alerts can all be used. Administrators must also be able to search quickly through large volumes of data to pinpoint problems for fast remediation.
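The three alert types named above (a pre-set per-device threshold, an adaptive baseline derived from earlier minutes, and a failure ratio) applied to constructed authentication log lines. This is an added example, not LogLogic's code; the line format, device names, minute buckets and threshold values are all assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample: one syslog-like line per authentication event, tagged
# with a device name and a one-minute bucket (a collector would normally
# derive the bucket from the timestamp).
def constructed_lines():
    spec = {("fw1", m): (5, 2) for m in range(1, 5)}          # steady: 5 ok, 2 failed per minute
    spec[("fw1", 5)] = (1, 12)                                # sudden burst of failures
    spec.update({("vpn1", m): (4, 1) for m in range(1, 6)})   # quiet device, no change
    lines = []
    for (dev, minute), (ok, bad) in spec.items():
        lines += [f"{dev} minute={minute} sshd auth success user=u{i}" for i in range(ok)]
        lines += [f"{dev} minute={minute} sshd auth failure user=u{i}" for i in range(bad)]
    return lines

LINE_RE = re.compile(r"^(?P<dev>\S+) minute=(?P<minute>\d+) \S+ auth (?P<outcome>success|failure)\b")

def aggregate(lines):
    """Count outcomes per device and minute; lines that do not parse are skipped."""
    counts = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m["dev"]][int(m["minute"])][m["outcome"]] += 1
    return counts

def evaluate(counts, max_failures=10, sigma=3.0, max_ratio=0.5):
    """Check the latest minute of each device against a fixed threshold, an
    adaptive baseline (mean + sigma * stdev of the earlier minutes) and a
    failure ratio. Returns (device, alert_type, value) tuples."""
    alerts = []
    for dev, by_minute in counts.items():
        minutes = sorted(by_minute)
        latest = minutes[-1]
        fail = by_minute[latest]["failure"]
        total = fail + by_minute[latest]["success"]
        if fail > max_failures:                               # pre-set threshold per device
            alerts.append((dev, "threshold", fail))
        history = [sum(by_minute[m].values()) for m in minutes[:-1]]
        if len(history) >= 2:                                 # baseline needs some history
            mean = statistics.mean(history)
            sd = max(statistics.pstdev(history), 1.0)        # floor so a flat history keeps a margin
            if total > mean + sigma * sd:
                alerts.append((dev, "baseline", total))
        if total and fail / total > max_ratio:                # ratio-based alert
            alerts.append((dev, "ratio", round(fail / total, 2)))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(aggregate(constructed_lines())):
        print(alert)
```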
Meanwhile, reliable, secure storage is essential. Data must be stored in its unaltered format to ensure credibility in compliance and legal investigations. Meta-logs should be separate from these stored logs and accessible in real-time for analysis. Being able to access and report on information about past network activity is also a must, because it aids in system recovery after security or performance incidents, and searching through data at a highly granular level can accelerate problem resolution significantly.
Companies must be able to create both ad-hoc and standardized reports for auditors that prove compliance with regulations, policies and controls. To do so, reliable archives must be created and maintained to enable a complete audit trail of all user activity and access. Historical and trend analysis will be essential for meeting regulations, while real-time access and monitoring will help ward off risk of attack, system downtime, information leakage or application misuse that can compromise data integrity and ultimately impair business operations.
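One way to make the "unaltered" requirement verifiable, with the raw lines kept as-is and the integrity data held in a separate meta-log as the two paragraphs above describe: a hash-chained append-only archive. This is an added example, not any product's code; the record layout and the sample lines are constructed assumptions.

```python
import hashlib

GENESIS = "0" * 64  # chain anchor for the first record

def record_digest(prev_digest, seq, line):
    """SHA-256 over the previous digest, the sequence number and the raw line,
    so editing, reordering or dropping any record breaks every later link."""
    h = hashlib.sha256()
    h.update(prev_digest.encode())
    h.update(seq.to_bytes(8, "big"))
    h.update(line.encode("utf-8", "surrogateescape"))
    return h.hexdigest()

class LogArchive:
    """Append-only store: raw lines are kept byte-for-byte, while the chain of
    digests lives in a separate meta-log that analysis can read on its own."""
    def __init__(self):
        self.raw = []    # unaltered log lines (the evidence)
        self.meta = []   # (seq, digest) entries, one per raw line

    def append(self, line):
        prev = self.meta[-1][1] if self.meta else GENESIS
        seq = len(self.raw)
        digest = record_digest(prev, seq, line)
        self.raw.append(line)
        self.meta.append((seq, digest))
        return digest

    def verify(self):
        """Return None if every record matches the meta-log, otherwise the
        sequence number of the first record that was altered, reordered or lost."""
        if len(self.raw) != len(self.meta):
            return min(len(self.raw), len(self.meta))
        prev = GENESIS
        for seq, (line, (seq_m, digest)) in enumerate(zip(self.raw, self.meta)):
            if seq_m != seq or record_digest(prev, seq, line) != digest:
                return seq
            prev = digest
        return None

# Constructed sample lines (not real log output).
SAMPLE = [
    "Jan 10 09:12:01 fw1 kernel: DROP src=10.0.0.7 dst=10.0.1.5 proto=TCP dpt=445",
    "Jan 10 09:12:03 vpn1 pluto: user alice connected from 203.0.113.4",
    "Jan 10 09:12:09 app1 sudo: bob : TTY=pts/0 ; COMMAND=/bin/vi /etc/shadow",
]

def demo():
    """Archive the sample, check it, then simulate an after-the-fact edit."""
    archive = LogArchive()
    for line in SAMPLE:
        archive.append(line)
    intact = archive.verify()
    archive.raw[2] = archive.raw[2].replace("bob", "nobody")
    return intact, archive.verify()
```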
It’s easy to see how companies can benefit from intelligent management of infrastructure data. There are numerous examples where administrators have used log management to ward off malicious attacks and worms, put an end to application misuse and abuse, or prove compliance with regulations more efficiently and effectively.
Recently, a large educational organization experienced the power of log data management as a way to ward off an attack. A malicious worm threatened to infiltrate the network and wreak havoc across campus computers. Because they had installed a log management solution that provided the essential insight into infrastructure data, they were able to perform a simple search and locate the occurrence of the IP address that the worm was using as a way to infect systems within the organization’s network. Administrators were able to block the worm before it caused damage.
Not very long ago, a major hospital that uses log management to expedite data analysis across its infrastructure switched from a CIC Oracle database to a log management and intelligence solution. As a direct result of this change, the organization reduced the time it takes to analyze logs from roughly 200 minutes to less than 10, cutting costs and the time it takes to remediate a problem significantly.
An independent community bank recently deployed a log management and intelligence solution with real-time statistical anomaly alerting and root-cause analysis capabilities. The institution gained real-time visibility into infrastructure data and was able to create a secure audit trail to simplify compliance activities, thereby reducing costs and improving productivity.
Log management: The key to protecting your assets
Numerous factors have contributed to the emergence of log data management and intelligence as an industry, including the need for IT controls across the enterprise to manage risk and meet regulatory requirements. Compliance mandates are forcing companies to examine their business processes while inspiring the push for technologies that increase visibility into those processes. As such, companies have the opportunity to improve the way they do business and achieve a new level of operational efficiency.
The key to harnessing the power of infrastructure data lies in intelligent log management. With an effective log management solution, CIOs and IT organizations can gain the visibility required to properly monitor their networks and effectively respond to security, availability, and performance issues. Homegrown scripts and SIEM products of the past are completely inadequate in terms of handling today’s compliance related tasks, mainly because they force companies to be reactive rather than proactive in managing risk. Only with automated collection, aggregation, storage and management of logs from all applications and systems within the corporate network will companies truly protect their information assets and meet the risk mitigation and compliance requirements of today.
About the Author:
Dominique Levin is the Vice President of Business Development for LogLogic. She can be reached at dlevin@loglogic.com.