May EventSource Newsletter
Have your cake and eat it too- improve IT security, comply with multiple regulations while reducing operational costs and saving money
Headlines don’t lie. The number and severity of security breaches suffered by companies has consistently increased over the past couple of years and statistics show that 9 out of 10 businesses will suffer an attack on their corporate network in 2009. At the same time, there is growing pressure to comply with regulations and standards such as PCI-DSS, HIPAA and Sarbanes-Oxley, non-compliance of which can result in large fines and cause costly long-term damage to corporate reputations. However, in the midst of an economic recession when companies are tightening their belts, reducing headcount and scrutinizing project costs, it is getting difficult for IT professionals to get the funding they need to meet their goals. The silver lining is that SIEM solutions allow you to reduce security risks, comply with multiple regulations all the while helping you save money – a win-win situation in the current environment.
The new IT landscape
From inside theft to highly-targeted malware and zero-day attacks, Cyber crime is evolving rapidly and what was secure last year is not necessarily secure this year. With the proliferation of mobile devices, the new avenues for data theft are plenty – USB thumb drives, PDAs and iPods are easy to conceal and copying confidential data onto these devices often takes just a couple of minutes. And with corporate networks accommodating not just employees, but also outside contractors and third-party providers across multiple locations, the risk is real, serious and extremely hard to minimize without clamping down on productivity.
On the other hand, cyber crime has evolved from a hobbyist occupation to a multi-billion dollar industry. Organized profit-driven groups use automated processes and highly targeted attacks to infiltrate networks in very little time and surreptitiously siphon off enterprise data. Certainly the threat to critical IT assets is only increasing in volume and sophistication. And with the global meltdown, the impetus behind data theft has grown multifold – From both disgruntled ex-employees who have been victims of layoffs, to desperate people willing to take desperate measures for financial gain. With the capabilities of IT departments being pushed to their limits, the recession has led to a perfect storm in the world of IT security, and criminals are taking advantage of this storm to attack. It is no longer a question of if but when and how – when will an attack occur and how costly will it be.
While dealing with this widening threat landscape, IT departments are still tasked with maintaining compliance with regulatory standards and government stipulations that are often vague and difficult to translate into implementation guidelines. Non-compliance is not an option since the potential for costly repercussions, whether in the form of fines, lawsuits, litigation or corporate reputation damage, is high.
So the challenge for IT lays in managing multiple requirements in the face of budget cuts, increasing layoffs and shrinking resources. As companies scrutinize every investment, fear factor arguments for funding security projects are waning because of a number of reasons including:
- “We have not been attacked so far, therefore we must be immune” syndrome
- Absence of a widespread, debilitating (9/11 style) malware attack
- Absence of hard figures on the economic impact of a security breach
- Measuring ROI on security investments is difficult to do because it is based on a company’s tolerance for risk, the money “saved” is intangible.
- It can be difficult to prove that the organization would have been attacked without the solution in place.
It is no wonder then that compliance remains the main driver for many security solutions. However, because of the recession, compliance projects are facing increased competition from other business and revenue generating initiatives. So while companies understand that compliance is mandatory, a security professional may only get 30% of the funding requested. This gives rise to 2 challenges:
- Minimizing the cost of compliance
- Justifying expense
And the best way to minimize cost and justify funding is by demonstrating that that the solution in question will address multiple requirements, outside the limited scope of regulatory compliance, and provide a clear and tangible ROI.
The pressure is on to do more with less
The good news is that SIEM solutions like EventTracker can help you do just that – meet multiple requirements spanning compliance and security while providing tangible, demonstrable operational cost-savings. Benefits include:
- In-depth protection of critical IT assets from both internal and external breaches
- Compliance with multiple regulatory frameworks including Sarbanes-Oxley, HIPAA, PCI-DSS, FISMA, GLBA and more, as well support for evolving mandates
- Cost-savings in the form of reduced dependence on existing resources, optimized operations, improved system availability and quick resolution of issues before they escalate into costly disruptions.
SIEM for Security
A comprehensive SIEM solution like EventTracker allows you to:
- Detect and prevent damage from Zero-Day and other new forms of attack vectors
- Monitor user activity and USB device usage for unauthorized internal access to sensitive data
- Monitor networks for suspicious activity that often precedes a security breach
- Create customized correlation rules to detect common and critical security conditions in real-time.
- React quickly and early to suspicious activity with instant alerts and automatic remediation for proactive prevention
- Research the sequence of events that led to an attack and test your security improvements by playing back a saved event sequence.
SIEM for Compliance
SIEM solutions help you wade through the vague guidelines of compliance requirements with predefined reports mapped to specific regulatory requirements. A comprehensive SIEM solution will help you:
- Automate the entire compliance process from securing your environment, establishing baselines, tracking user activity, alerting to potential violations to creating audit-ready reports
- Demonstrate to auditors that periodic reviews are being conducted in compliance with internal and external policies
- Comply with a variety of regulatory standards spanning multiple verticals
SIEM for Operations
SIEM solutions enable you to increase IT efficiency and decrease the total cost of ownership by:
- Automating routine tasks and decreasing dependence on existing resources
- Optimizing operations by monitoring, alerting and reporting on disk space trends, CPU usage trends, runaway processes, high-memory usage, service downtime
- Enabling IT staff to quickly diagnose issues before they excalate into costly disruptions
- Accelerating troubleshooting and simplifying forensic investigations
SIEM solutions such as EventTracker provide a fast and demonstrable ROI within 8-9 months and help you save on average $100 per server per month in ongoing maintenance and operational costs.
Selecting the right SIEM solution
Now that you are able to justify funding for a SIEM solution, the next step is to identify the right SIEM solution for your environment. This is no easy task because of 2 reasons. Firstly, there is a large number of products available and vendors have done a great job of making their products sound roughly the same in core features such as correlation, reporting, collection, etc. and secondly, vendors are too busy differentiating themselves on features that in many cases have little or nothing to do with core functionality.
The reality is that SIEM solutions are typically optimized for different use-cases and you need to find a solution that will best meet you own needs. To help define your requirements and determine the best solution for your organization, you should answer the following questions:
- What is the easiest way to automate the collection of events?
- How can I store all that data securely and efficiently so it is still accessible?
- How can I gain actionable intelligence from all that data in real-time?
- How do I generate reports out of consolidated data?
- Can the solution handle my unique requirements without expensive customization?
- How long will it take me to get a solution up and running, and what are my ongoing costs?
- Which offering has the broadest feature set to maximize my investment
A comprehensive SIEM solution should automate the secure collection and consolidation of all enterprise events to a central point and make them readily available to IT personnel for analysis. The architecture needs to be scalable and highly configurable while still being easy to install and quick to implement. It should provide an efficient, secure, tamper-proof event archive for reporting and compliance requirements, a powerful real-time correlation engine that operates on the event stream, and a reporting and analytics engine for ad-hoc and scheduled querying.
Make sure the solution can receive and process logs from all platforms and sources in your network including Syslog, Syslog NG, SNMP V1/V2, Windows, Solaris BSM, IIS, Exchange, Oracle, SQL Server and has the capability to monitor system thresholds such as CPU, disk usage and memory, as well as USB devices. Look for a solution where the agents can be centrally configured, managed and distributed and can perform sophisticated filtering of the event logs prior to transmission to the central collection point, so if reduction of the event stream is possible, it can be easily accomplished.
A good SIEM solution should allow you to access the data in the way that fits your organizational structure. You may want a single central console which includes a UI for administration, configuration and event viewing, reporting and analysis. Or support for multiple, distributed consoles. Or a role-based web interface integrated with Active Directory for single sign-on support.
For larger organizations that have multiple sites or are organized into multiple units within the same site, it may be necessary for all of the event log data to be consolidated and archived in a single place for compliance purposes, with the correlation and day to day management the responsibility of different, distinct IT groups.
Think about how events are stored – with millions of events generated daily, a database can be an expensive and slow medium for archiving data. Storing even a small time period of event data can require a huge database, a big database server machine and additional expensive database licenses. Databases are also not guaranteed secured storage. Look for a SIEM solution that can archive the original log in a compressed and secured archive optimized for the write-once/read many times nature of event log information.
A robust correlation and analytics engine is critical to ongoing security efforts and enables powerful real-time monitoring and rules-based alerting on the event stream. Rules can watch for multiple, seemingly minor unrelated events occurring on multiple systems across time that together represent clear indications of an impending system problem or security breach. Detecting these problems in real-time prevents or minimizes costly impact on the business.
Integrated change monitoring and configuration control allows you to monitor and manage changes that occur on the Windows file system and registry – often the only clue IT staff have of Zero-day and malware attacks or installation of unauthorized or unsupported software. By quickly identifying those hard to find changes you will enhance security, reduce system downtime, and lower overall IT costs.
A powerful report wizard enables you to create and generate meaningful reports either on an ad-hoc or schedule reports to be regularly generated on the off-hours and distributed to subscriber lists. Look for flexibility in report delivery such as in PDF, CSV or DOC format and delivered via email or RSS feed. In addition, you should be able to research the sequence of events that led to an attack or security breach and test your security improvements by playing back a saved event sequence.
Finally, evaluate solutions for long-term value rather than initial price. A vendor might offer you a great price that fits your budget initially but what happens when your IT infrastructure grows? How will licensing scale when your log volume increases beyond solution capacity? Look also for hidden costs in terms of separate modules, compliance packs, storage, training and support. The last thing you need is unexpected costs that you never accounted for.
The bottom line
Limited-scope solutions may be beneficial for extremely specific requirements, but in the current economy, the investment required for such solutions is often hard to justify. Also, procuring a number of solutions to meet a variety of disparate requirements can prove a burden on shrinking staff and existing resources. In order to maximize spend, companies must purchase products that provide a wide range of functionalities that address multiple areas. SIEM solutions such as EventTracker not only provide broad capabilities that can be applied across the compliance and security use cases but also help you save hard-dollars on operational costs.
EventTracker gets 5 star review from SC Magazine
“EventTracker is a robust security information and event log management (SIEM) tool that has a lot of useful features”
SMBs often hit hardest by botnets
A small or midsize business (SMB) is ultimately a more attractive target for spammers, botnet operators, and other attackers than a home user mainly because it has a treasure trove of valuable data without the sufficient IT and security resources to protect it.
Did you know? Granular licensing, predictable pricing and modest resource requirements allow SMB’s to take advantage of EventTracker’s advanced security, regulatory and operational monitoring capabilities without breaking the bank.
UC Berkeley says hacker broke into health services databases
The University of California at Berkeley Friday disclosed that hackers broke into restricted computer databases in the campus health-services center, as the university began notifying current and former Berkeley students their personal information may have been taken.
Did you know? EventTracker offers complete coverage from the server to the workstation and USB level, real-time correlation and alerting, to ensure that IT personnel are instantly notified of any suspicious activity before costly damage is caused.