Compliance audit got you nervous? It doesn’t have to be that way

November EventSource Newsletter
By Mike Rothman, President, Security Incite and author of the Pragmatic CSO

Log Management and Compliance 

In past articles, I’ve covered how log management helps with operations and incident response, all in a distinctly “Pragmatic” way. This month we are going to address what I consider to be the 3rd leg of the stool – compliance.

Security professionals have a love/hate relationship with compliance. They love the fact that compliance is a board level issue and it has visibility within all parts of the organization. It has dramatically increased the perception of the value that security provides and has made getting funding for large-scale security projects much easier.

But then there is the audit. That one word – A-U-D-I-T, can strike fear into the heart of the oldest and most battle-weary security pro. They think to the classic torture scene in Marathon Man, where the bad guys use a dental drill. And it usually goes on for 3 days or more. Most security folks go into an audit in full battle regalia, spewing acrimony and expecting misery. I’m here to tell you that it doesn’t have to be that way.

The first thing you need to understand is that the auditor is after the same thing that you are, which is to protect the assets of the organization. I know it’s hard to believe, but they have your company’s best interests in mind when they put you through the ringer. They are responsible, so if a major issue happens and the auditors have missed it – THEY ARE LIABLE TOO. So don’t take it personally, they are trying to cover their hind sections like everyone else.

So what is the absolute best way to help the auditors feel good that your company’s stuff is protected? You need to give the auditor the feeling that you are in control. If you aren’t, then you better give the perception that you are. In most cases, especially with a subjective assessment, perception is reality.

In my book, The Pragmatic CSO, I go through how your audit should work. I’ll summarize that quickly. Since we are trying to set the perception that we are in control, we need to treat the auditor as a peer. You need to talk to them in business language. Show them how your security program works and what controls you have implemented. If you treat the auditor as the enemy or as a technical wonk, they’ll return the favor – and that’s not a good thing.

Be candid about any incidents you’ve had and what you did to both isolate the root cause of the attack, as well as make sure it doesn’t happen again. Also be sure to go over the changes you’ve made to your environment based on the findings of the last audit. You don’t want to forget to show the auditor that you actually listened the last time they spoke.

Notice I haven’t said the term log management yet. The real hope is that you don’t need to go into granular levels of details about firewall configs and the like. By seeing your security program, checking out your security architecture, and going through an incident post-mortem the auditors get that perception that you are in control. They may look at your other stuff, but at that point it’s the rubber stamp committee. They know you can do the job, so they are just verifying so they can fill out their checklist.
That’s the optimal case, and it does happen, but not every time. Sometimes the auditor will be “difficult.” They’ll want to see lots of data. They’ll want to see things for themselves. They don’t believe you. Don’t take this personally; the reality is some auditors are just like that. So you’ll want to be able to substantiate what you are doing and one of the best ways to do that is to pull data out of your log management platform.

Using data you are already gathering for operational and incident response, you can show what happened and what didn’t happen. Your log data can provide lots of detail about specific devices, databases and/or applications. You can also pull regulatory-specific reports showing who accessed what.

Since PCI is the most specific of the general security-oriented regulations, let’s see how log data you are collecting can meet a bunch of the PCI requirements.

  • Requirement 1 – Firewall: Your firewall logs can confirm configuration, as well as what activity has happened on the device.
  • Requirement 3 – Protect stored cardholder data: You can pull logs from applications and show that only authorized parties accessed the database with private information.
  • Requirement 5 – Use and update anti-virus: You can show, via logs, that AV is installed and updated on every device on the network.
  • Requirement 7 – Restrict access to cardholder data: Log data can show which requested sessions were NOT authorized, thus proving that you restrict access to the cardholder data.
  • Requirement 9 – Restrict physical access to data: Amazingly enough, you can also pull logs from your physical security system, which shows who entered the restricted facilities and when.
  • Requirement 10 – Track and monitor all access (this is the big one): This one requirement specifically calls for log management. As if you needed another reason to seriously consider more effectively managing your logs.

I’m sure in some way, shape or form the other requirements can also be substantiated with log data as well. But the point is, you can gather all this data, correlate it, reduce it and present it manually. That sounds like a lot of fun. Or you can put in place a log management platform to do a lot of this work, in a scalable, leveraged, and automated fashion. The choice is yours.

To be clear, acing an audit is about more than just gathering log data and being able to present it effectively. But in those instances where the auditor wants lots of data and excruciating detail, you’ll be glad you’ve been keeping those logs and now can actually use them.

4 Steps to Compliance

 Keep these steps in mind while putting together a compliance strategy.

Industry News

Visa quietly rolls out three year security compliance rules

After threatening all sorts of measures against those major firms that accept plastic payments but who fail to meet its PCI-DSS security requirements, Visa has quietly rolled out a new set of requirements for all companies – large and small – that accept cards.

Removable Devices: The menace within

Handheld USB devices have been a godsend to anyone who wants to take information from one PC to another, but their ease of use also has created a new type of security headache for companies.  

Randy Franklin Smith on EventTracker 6.0 Enhancements

“EventTracker now has one of the very best custom reporting facilities I’ve seen on the market.  With this new feature I can finally build the kinds of reports I’ve already designed for the Windows Security Log as part of my “Rosetta” project.  A common complaint I’ve had about canned and custom reports in most log management solutions is the program throws the whole, ugly event at you instead of just the elements that are important….”

Featured Success Story

EventTracker at San Bernardino County Superior Court

Cool Tools

New EventTracker Training Webinar Series

Prism Microsystems and the EventTracker Support Team announce a new Webinar series to help you get the most out of your EventTracker investment. Each Tuesday, beginning November 6, the EventTracker Support Team will present a brief 20-30 minute “how-to” focused on a specific function of EventTracker.