EventSource May 2009 – EventTracker gets 5 star review; 100 log management uses and more
Featured Article

Have your cake and eat it too: improve IT security and comply with multiple regulations while reducing operational costs and saving money

Headlines don’t lie. The number and severity of security breaches suffered by companies has consistently increased over the past couple of years, and statistics show that 9 out of 10 businesses will suffer an attack on their corporate network in 2009. At the same time, there is growing pressure to comply with regulations and standards such as PCI-DSS, HIPAA and Sarbanes-Oxley; non-compliance can result in large fines and cause costly long-term damage to corporate reputations. However, in the midst of an economic recession, when companies are tightening their belts, reducing headcount and scrutinizing project costs, it is getting difficult for IT professionals to get the funding they need to meet their goals. The silver lining is that SIEM solutions allow you to reduce security risks and comply with multiple regulations, all the while helping you save money – a win-win situation in the current environment.

The new IT landscape

From inside theft to highly targeted malware and zero-day attacks, cyber crime is evolving rapidly, and what was secure last year is not necessarily secure this year. With the proliferation of mobile devices, the avenues for data theft are plentiful: USB thumb drives, PDAs and iPods are easy to conceal, and copying confidential data onto these devices often takes just a couple of minutes. And with corporate networks accommodating not just employees but also outside contractors and third-party providers across multiple locations, the risk is real, serious and extremely hard to minimize without clamping down on productivity. At the same time, cyber crime has evolved from a hobbyist occupation into a multi-billion dollar industry. Organized, profit-driven groups use automated processes and highly targeted attacks to infiltrate networks in very little time and surreptitiously siphon off enterprise data. Certainly the threat to critical IT assets is only increasing in volume and sophistication. And with the global meltdown, the impetus behind data theft has grown manifold, from disgruntled ex-employees who have been victims of layoffs to desperate people willing to take desperate measures for financial gain. With the capabilities of IT departments being pushed to their limits, the recession has led to a perfect storm in the world of IT security, and criminals are taking advantage of it. It is no longer a question of if but of when and how – when will an attack occur and how costly will it be.

While dealing with this widening threat landscape, IT departments are still tasked with maintaining compliance with regulatory standards and government stipulations that are often vague and difficult to translate into implementation guidelines. Non-compliance is not an option, since the potential for costly repercussions, whether in the form of fines, lawsuits, litigation or damage to corporate reputation, is high.

The challenge

So the challenge for IT lies in managing multiple requirements in the face of budget cuts, increasing layoffs and shrinking resources. As companies scrutinize every investment, fear-factor arguments for funding security projects are waning for a number of reasons, including:
It is no wonder, then, that compliance remains the main driver for many security solutions. However, because of the recession, compliance projects are facing increased competition from other business and revenue-generating initiatives. So while companies understand that compliance is mandatory, a security professional may only get 30% of the funding requested. This gives rise to two challenges:

The best way to minimize cost and justify funding is by demonstrating that the solution in question will address multiple requirements outside the limited scope of regulatory compliance and provide a clear and tangible ROI. The pressure is on to do more with less.

The solution

The good news is that SIEM solutions like EventTracker can help you do just that – meet multiple requirements spanning compliance and security while providing tangible, demonstrable operational cost savings. Benefits include:
SIEM for Security

A comprehensive SIEM solution like EventTracker allows you to:

SIEM for Compliance

SIEM solutions help you wade through the vague guidelines of compliance requirements with predefined reports mapped to specific regulatory requirements. A comprehensive SIEM solution will help you:

SIEM for Operations

SIEM solutions enable you to increase IT efficiency and decrease the total cost of ownership by:
SIEM solutions such as EventTracker provide a fast and demonstrable ROI within 8-9 months and help you save on average $100 per server per month in ongoing maintenance and operational costs.

Selecting the right SIEM solution

Now that you are able to justify funding for a SIEM solution, the next step is to identify the right SIEM solution for your environment. This is no easy task, for two reasons. Firstly, there is a large number of products available, and vendors have done a great job of making their products sound roughly the same in core features such as correlation, reporting and collection. Secondly, vendors are too busy differentiating themselves on features that in many cases have little or nothing to do with core functionality. The reality is that SIEM solutions are typically optimized for different use cases, and you need to find a solution that will best meet your own needs. To help define your requirements and determine the best solution for your organization, you should answer the following questions:
A comprehensive SIEM solution should automate the secure collection and consolidation of all enterprise events to a central point and make them readily available to IT personnel for analysis. The architecture needs to be scalable and highly configurable while still being easy to install and quick to implement. It should provide an efficient, secure, tamper-proof event archive for reporting and compliance requirements, a powerful real-time correlation engine that operates on the event stream, and a reporting and analytics engine for ad-hoc and scheduled querying.

Make sure the solution can receive and process logs from all platforms and sources in your network, including Syslog, Syslog NG, SNMP V1/V2, Windows, Solaris BSM, IIS, Exchange, Oracle and SQL Server, and that it has the capability to monitor system thresholds such as CPU, disk usage and memory, as well as USB devices. Look for a solution where the agents can be centrally configured, managed and distributed and can perform sophisticated filtering of the event logs prior to transmission to the central collection point, so that where reduction of the event stream is possible, it can be easily accomplished.

A good SIEM solution should allow you to access the data in the way that fits your organizational structure. You may want a single central console that includes a UI for administration, configuration, event viewing, reporting and analysis; support for multiple, distributed consoles; or a role-based web interface integrated with Active Directory for single sign-on support. For larger organizations that have multiple sites or are organized into multiple units within the same site, it may be necessary for all of the event log data to be consolidated and archived in a single place for compliance purposes, with correlation and day-to-day management the responsibility of different, distinct IT groups.
Think about how events are stored. With millions of events generated daily, a database can be an expensive and slow medium for archiving data. Storing even a small time period of event data can require a huge database, a big database server machine and additional expensive database licenses. Databases are also not guaranteed secure storage. Look for a SIEM solution that can archive the original log in a compressed and secured archive optimized for the write-once/read-many-times nature of event log information.

A robust correlation and analytics engine is critical to ongoing security efforts and enables powerful real-time monitoring and rules-based alerting on the event stream. Rules can watch for multiple, seemingly minor, unrelated events occurring on multiple systems across time that together represent clear indications of an impending system problem or security breach. Detecting these problems in real time prevents or minimizes costly impact on the business.

Integrated change monitoring and configuration control allows you to monitor and manage changes that occur on the Windows file system and registry – often the only clue IT staff have of zero-day and malware attacks or the installation of unauthorized or unsupported software. By quickly identifying those hard-to-find changes you will enhance security, reduce system downtime and lower overall IT costs.

A powerful report wizard enables you to create and generate meaningful reports on an ad-hoc basis, or to schedule reports to be regularly generated during off-hours and distributed to subscriber lists. Look for flexibility in report delivery, such as PDF, CSV or DOC format delivered via email or RSS feed. In addition, you should be able to research the sequence of events that led to an attack or security breach and test your security improvements by playing back a saved event sequence.

Finally, evaluate solutions for long-term value rather than initial price.
A vendor might offer you a great price that fits your budget initially, but what happens when your IT infrastructure grows? How will licensing scale when your log volume increases beyond solution capacity? Look also for hidden costs in terms of separate modules, compliance packs, storage, training and support. The last thing you need is unexpected costs that you never accounted for.

The bottom line

Limited-scope solutions may be beneficial for extremely specific requirements, but in the current economy the investment required for such solutions is often hard to justify. Also, procuring a number of solutions to meet a variety of disparate requirements can prove a burden on shrinking staff and existing resources. In order to maximize spend, companies must purchase products that provide a wide range of functionality addressing multiple areas. SIEM solutions such as EventTracker not only provide broad capabilities that can be applied across the compliance and security use cases but also help you save hard dollars on operational costs.
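The article above describes a correlation engine that watches for several seemingly minor events on one host across time and raises an alert only when they appear together. The following is an added illustration of that idea in Python; it is not EventTracker code or anything from Prism Microsystems. The log lines are constructed for the example, the line format (timestamp, host, event id, key=value fields) is an assumption, and the event ids follow the Windows convention (4625 failed logon, 4624 successful logon, 7045 new service installed). Two rules are chained: a burst of failed logons followed by a success on the same account raises a first-stage alert, and a new service installed on that host shortly afterwards escalates it. A single failed logon followed by a success, or a new service on a host with no earlier alert, produces nothing.

```python
"""Multi-event correlation over a log stream: individually minor events
(failed logons, a logon, a new service) on one host within a time window
combine into one alert. Added example; not EventTracker code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Line format assumed for this example:
#   <ISO timestamp> <host> <event id> key=value ...
# Event ids follow the Windows Security log (4625 failed logon, 4624 successful
# logon) and System log (7045 new service installed) conventions.
SAMPLE_LOG = """\
2009-05-12T09:00:01 fileserver01 4625 user=jdoe src=10.1.1.50
2009-05-12T09:00:04 fileserver01 4625 user=jdoe src=10.1.1.50
2009-05-12T09:00:07 fileserver01 4625 user=jdoe src=10.1.1.50
2009-05-12T09:00:09 fileserver01 4625 user=jdoe src=10.1.1.50
2009-05-12T09:00:12 fileserver01 4625 user=jdoe src=10.1.1.50
2009-05-12T09:00:20 fileserver01 4624 user=jdoe src=10.1.1.50
2009-05-12T09:03:30 fileserver01 7045 user=jdoe service=updatesvc
2009-05-12T11:15:00 mailserver02 4625 user=asmith src=10.1.2.7
2009-05-12T11:20:00 mailserver02 4624 user=asmith src=10.1.2.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event_id, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": int(event_id), **fields}


class Correlator:
    """Stateful rules evaluated on each event as it arrives (thresholds are assumptions)."""
    FAIL_THRESHOLD = 5                      # this many failed logons ...
    FAIL_WINDOW = timedelta(seconds=60)     # ... within this window, then a success
    SERVICE_WINDOW = timedelta(minutes=10)  # new service this soon after the above

    def __init__(self):
        self.failures = defaultdict(deque)  # (host, user) -> recent 4625 timestamps
        self.suspect_hosts = {}             # host -> time of the first-stage alert
        self.alerts = []

    def _recent_failures(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.FAIL_WINDOW:
            q.popleft()                     # expire failures outside the window
        return q

    def _alert(self, rule, ev):
        self.alerts.append({"rule": rule, "host": ev["host"],
                            "user": ev.get("user", "?"), "ts": ev["ts"].isoformat()})

    def feed(self, ev):
        key = (ev["host"], ev.get("user", "?"))
        if ev["event_id"] == 4625:
            self._recent_failures(key, ev["ts"]).append(ev["ts"])
        elif ev["event_id"] == 4624:
            q = self._recent_failures(key, ev["ts"])
            # A lone successful logon is normal; many failures then success is not.
            if len(q) >= self.FAIL_THRESHOLD:
                self._alert("brute_force_then_success", ev)
                self.suspect_hosts[ev["host"]] = ev["ts"]
            q.clear()
        elif ev["event_id"] == 7045:
            # A new service is routine on its own; soon after the first-stage
            # alert on the same host it is a likely persistence mechanism.
            t0 = self.suspect_hosts.get(ev["host"])
            if t0 is not None and ev["ts"] - t0 <= self.SERVICE_WINDOW:
                self._alert("new_service_after_compromise", ev)


def correlate(log_text):
    """Run the correlator over a block of log text and return the alerts raised."""
    c = Correlator()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            c.feed(ev)
    return c.alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Running the block prints two alerts, both for fileserver01, and none for mailserver02, where the one failed logon never reaches the threshold. In a production engine the same shape applies, with the state keyed per host and account and expired by time so that memory stays bounded on a stream of millions of events per day.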
Industry News

EventTracker gets 5 star review from SC Magazine

“EventTracker is a robust security information and event log management (SIEM) tool that has a lot of useful features”

SMBs often hit hardest by botnets

A small or midsize business (SMB) is ultimately a more attractive target for spammers, botnet operators, and other attackers than a home user mainly because it has a treasure trove of valuable data without the sufficient IT and security resources to protect it.
UC Berkeley says hacker broke into health services databases

The University of California at Berkeley Friday disclosed that hackers broke into restricted computer databases in the campus health-services center, as the university began notifying current and former Berkeley students their personal information may have been taken.
The standards comprise approximately 40 “good housekeeping” requirements designed to lay a solid foundation of sound security practices that, if properly implemented, will develop the capabilities needed to secure critical infrastructure from cyber security threats. Roughly half of those requirements were modified to clarify or strengthen the standards in this initial, expedited revisions phase.
Featured webinar

Top 10 best practices to stop insider threats

Insider theft and other malicious behavior are particularly difficult to detect because employees often have legitimate access to sensitive corporate data and tend to know the weaknesses in the organization’s infrastructure. Over the course of hundreds of customer interactions, Prism Microsystems has developed best practices for monitoring potential insider abuse.

Date: Wed, May 20, 2009
Time: 1:00 PM - 2:00 PM EDT
Register Now

LogTalk

Get the latest insight on all things related to Log Management on the Prism Microsystems blog. Feel free to leave comments and share your thoughts.