Failed your security audit? Recover with a 5-step checklist

December EventSource Newsletter
By Mike Rothman, author of the Pragmatic CSO and Security Mike’s Guide to Internet Security

Buying a Pragmatic Log Management Solution

Over the past 4 months, we’ve discussed many of the reasons that log management is critical. To quickly review: first, log management can help you react faster from an operational aspect, so you can pinpoint an incident and remediate any issues well ahead of a significant loss. Secondly, log management helps in the event of an incident by giving you rock-solid evidence to investigate a breach and hopefully bring the perpetrator to justice. Finally, log management also gathers data and can present it in a way that facilitates your compliance efforts.

That is all good and well, but what do you do when you decide it’s time to buy a solution? Do you just go down to your local computer superstore and pick up a log management platform off of the shelf? Right, probably not. Moreover, you are the shepherd of corporate assets, so you need to buy in the most cost-effective and efficient manner possible, while ensuring you meet the requirements of your company.

I’ve been working with organizations of all sizes for the better part of the past 15 years on more effectively buying products. I’ve distilled that knowledge into a specific buying process for all security products and it definitely applies to log management as well. It’s really focused on making sure you are in control of the purchase process, ensuring that what you are buying will solve your BUSINESS problem. Here is the 8 Step Security Incite Buying Security Products (BSP) process:

  • Step 1: Clean Your Own House – It’s your responsibility, as the buyer, to know what you need to buy and why you are buying it. Vendors will try to create a buying catalyst when they contact you, but that is like pushing on a string. To buy something correctly, you’ve got to have a budget and an approved project AHEAD of time.
  • Step 2: Assemble the “Team” – If you are lucky enough to have resources, you want to assemble a team to drive the project. You’ll need a leader (someone who ultimately accepts accountability for the success of the project) and probably a technical team to do the actual evaluation.
  • Step 3: Educate – An educated buyer is the best buyer (whether the vendors admit this or not). So this step in the process is to give you (and maybe your project team) a broad understanding of the problem you are trying to solve and some best practices for how to solve it. The objective is not to learn 100% of what you need to know, which would take too long. It’s to get to maybe 75% knowledge and a pretty good understanding of what you don’t know.
  • Step 4: Engage – At this point, you know what you need to buy and you have a good understanding of the industry, so you can now approach vendors and/or resellers to start the actual procurement process. As we dive down into Step 4, a major topic will be developing the long list. This is where you also consider doing a formal RFI/RFP process, if your organization requires that kind of documentation.
  • Step 5: The Bake-off – Depending on the amount of lab resources (and the criticality of the project), you’ll want to test a few of the products on the long list. Probably not all of them, but more than two. I know, resources are precious, why test more than two? Well, you’ll have to wait for Step 5 to learn that.
  • Step 6: The Short-list – Most people think the short list is determined before the bake-off. Well, think again. Vendors make the short list if the lab evaluation shows that their product will meet your requirements and solve your business problem. Again, you want to have at least 2 vendors on the short list at this point, and then you can have some fun.
  • Step 7: Negotiation – Ah, my favorite part of the whole process. If you’ve done the job right, you have at least two vendors that can get the job done, so now you pit them against each other and watch the fireworks. Artfully done, you can save 50% off the initial bids because at this point, the vendors have invested enough in the deal that they don’t want to lose.
  • Step 8: Selection – As much fun as it is to see two (or more) vendors locked in a death struggle, eventually you’ll need to make a decision. With the correct process in place, the selection is easy. You’ll feel very good about one of the vendors and you’ll get the deal done. The other vendor(s) will be disappointed at the end of the process, but that’s life in the big city. As long as YOU feel good about the purchase, you’ve done your job.

So what is different for log management? Not much. You want to understand your problem and drivers. You want to learn about the market (which is probably why you are reading this in the first place). And then you want to figure out who can solve your problem. Those steps are pretty universal.

The reality is the log management market is very crowded and it’s only going to get more crowded. I read about new vendors entering the space almost every week. But remember, you are buying quality, not quantity. Your objective is to find a number of providers that can meet your needs, then take a look and find out whether the product/service will work in YOUR environment. That’s what the evaluation is for. Then you get to your short list and you start to negotiate. It’s pretty straightforward at that point. You know which products will meet the need, and then it’s about picking the best fit from a company and economic standpoint. Depending on your requirements, price may be a more significant driver, or maybe deployment services or flexibility. There is no generic “right” answer; it’s about meeting the needs of your organization.

A lot of folks let the procurement process get away from them. Using the BSP process you can stay in control and buy the best log management solution for the best price from a vendor that is going to keep you delighted. The process has been built to make sure that’s the case.

Featured Whitepaper

10 reasons why EventTracker is your best choice for an event log management solution

Industry News

2007 Security by the numbers

Phishing, spam, bot networks, trojans, adware, spyware, zero-day threats, data theft, identity theft, credit card fraud… cybercrime isn’t just becoming more prevalent, it’s getting more sophisticated and subtle every day. At least that’s the conclusion suggested by recent threat reports from major industry players and government organizations.

TJX settles with banks for $41 million

More than 100 million account records were breached, retail giant reveals. TJX Companies has reached an agreement with Visa USA by which it will establish a $40.9 million fund for banks whose credit cards were exposed in the retailer’s mammoth security breach earlier this year. The settlement is TJX’s second in a series of lawsuits arising from the breach, in which years of credit card records were exposed.

The human element in IT security

In the last six months in the U.S., nearly 40 percent of firms surveyed by the Computing Technology Industry Association reported a major IT security breach. How many of these could have been prevented by considering the human element in the workplace?

So you failed a security audit, now what?

Learn why you failed and how to recover with this 5-step checklist