Cyber Security

You need sharper Cyber Security against stealth attacks

Visibility is even more crucial in the face of advanced cyber security threats

A single command and control view for enterprise security

To provide an enterprise-wide perspective of risk and compliance, an effective security solution must provide a single command and control view. It must also identify new threats and the new avenues by which they infiltrate organizations. The last couple of years have seen a shift from random attacks on many targets to fewer attacks on quite specific targets. Often these take the form of Advanced Persistent Threats (APTs), which combine spear-phishing, custom Trojans and beaconing (periodic call-backs from the implant to the attacker's infrastructure).

It's therefore crucial for effective enterprise cyber security to:
• Be horizontally and vertically scalable;
• Have the capacity to collect all of the vital data all of the time;
• Be proactive, not reactive, and allow for real-time interpretation of all events;
• Bridge all security information silos so that blind spots are eliminated;
• Provide for multi-dimensional and dynamic behavioural analysis;
• Facilitate external data enrichment, i.e. correlating with external data stores (vulnerability assessment, IAM, CMDB etc.) to validate and enrich alerts.

One more point is that business users should have access to security information that highlights their risk status and the integrity of their systems and datasets. The productivity improvements from these capabilities alone can pay for the deployment of intelligent and more effective security management systems. There is a prerequisite, however: improved communications between IT security and business unit managers.
'Business executives spend a lot of time talking about the importance of security,' George V. Hulme writes in CSO magazine, 'while information security officers spend a lot of time talking about how the business side really doesn't understand security.' [1] IT security people feel they're often brought into discussions about new projects too late, while business managers tend to see IT security staff as sticks-in-the-mud who oppose all new initiatives and projects. These are different kinds of silos, and they too need to be bridged.

Proof of concept

The final point I want to make is that your security investment must suit your specific purpose, so you shouldn't hesitate to ask the shortlisted vendor for a trial using your live data and security infrastructure. This will take extra time, but bear in mind that it will most likely take a year or so before your SIEM begins delivering what you bought it for, so a trial like this is more than worthwhile to ensure that the vendor can deliver on its promises.

Be prepared to probe deeply into the trial results, though, to ensure that the system addresses your specific needs. Even simple security appliances can impress with the amount of silo-based data they produce but, while they readily generate simple, standard reports, these can't be integrated with other silo-based information. In reality, they will add little to your security effectiveness.

Summary

It pays to make sure that you invest in an integrated SIEM solution that provides the essential tools and intelligence to deliver the right level of cyber security for your organisation. Try before you buy is also a smart move.

IT security systems – the big impossible?

Cutting funds can cancel out IT compliance
The cost of IT compliance is a lot lower than the cost of non-compliance by the time you add up data loss, fines and loss of reputation.

The importance of IT compliance and the cost of non-compliance

The cost of IT security vs the cost of data breaches and non-compliance

The cost of IT security

The value of strong IT security lies in preventing events that can damage your brand or your organisation. Compared to other IT investments, IT security spending is pretty modest. Analyst firm Computer Economics estimates that most organizations spend less than 2% of their IT budgets on security, but adds that it can be as high as 5% in organisations where system availability, data integrity and confidentiality are crucial.

Given those limited funds, possibly more limited since the global financial crisis (GFC), you want to make sure you spend them wisely. You want the best performance for your security dollar, along with the lowest implementation and maintenance costs (since you most likely have limited people resources as well). You want to make sure the big exposures are covered, and you want to avoid wasting any of your limited funds.

Let's look at an example. Security event log collection and management is essential for compliance with regulations and standards such as Sarbanes-Oxley, GPG13, ISO 27000 and PCI DSS. Business traffic and data volumes are ballooning, however, and we've talked to many organizations whose log management systems can't handle the increasing load. (Many SIEM platforms struggle to handle 10,000-15,000 events per second.) Events dropped at an overloaded collector are lost silently: the source has already written them, so nothing downstream will notice unless someone checks the feed for gaps. What looked like an economical solution has turned out to be a waste of money because:
• Logs will be incomplete, which will be discovered during audits;
• Incomplete logs make accurate forensic replays impossible;
• The SIEM system that relies on complete log collection is compromised as well, or even 'rendered unusable, not unlike a denial of service (DOS) [scenario].'
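The check a practitioner would want to run before the auditor does is a completeness test on the collected feed: look for gaps in each source's record counter and compare the observed peak event rate with the collector's rated capacity. The following is an added example, not code from the original paper or from any SIEM vendor. It assumes each source emits a per-(host, channel) monotonically increasing record number (Windows EventRecordID behaves this way; many appliances can be configured to add a sequence number) and that you know the collector's rated events-per-second figure. The sample feed and the rated capacity are constructed for illustration.

```python
"""Log-completeness check for a SIEM feed (added example, not from the paper).

Assumptions (not from the original text):
  - every event carries a per-(host, channel) monotonically increasing record
    number, so a jump in that number means events were dropped between
    source and collector;
  - the collector's rated capacity in events per second (EPS) is known.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample feed: "<ISO timestamp> <host> <channel> <record_id> <message>".
# Records 1005-1006 on srv01/Security and 11 on fw01/Firewall are deliberately
# absent, simulating events dropped by an overloaded collector.
SAMPLE_FEED = """\
2023-03-01T10:00:00 srv01 Security 1001 logon success
2023-03-01T10:00:00 srv01 Security 1002 logon success
2023-03-01T10:00:00 srv01 Security 1003 privilege use
2023-03-01T10:00:00 srv01 Security 1004 logon failure
2023-03-01T10:00:01 srv01 Security 1007 logon success
2023-03-01T10:00:01 srv01 System 40 service started
2023-03-01T10:00:01 srv01 System 41 service stopped
2023-03-01T10:00:02 fw01 Firewall 9 deny tcp
2023-03-01T10:00:02 fw01 Firewall 10 deny tcp
2023-03-01T10:00:03 fw01 Firewall 12 permit tcp
"""


def parse_feed(text):
    """Parse the constructed line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, channel, rec, msg = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "channel": channel, "rec": int(rec), "msg": msg})
    return events


def find_gaps(events):
    """Return (host, channel, first_missing, last_missing) for every break in
    a source's record-number sequence."""
    last_seen = {}
    gaps = []
    for e in sorted(events, key=lambda e: (e["host"], e["channel"], e["rec"])):
        key = (e["host"], e["channel"])
        if key in last_seen and e["rec"] > last_seen[key] + 1:
            gaps.append((e["host"], e["channel"], last_seen[key] + 1, e["rec"] - 1))
        last_seen[key] = e["rec"]
    return gaps


def eps_profile(events):
    """Events received per whole second, keyed by timestamp."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ts"].replace(microsecond=0)] += 1
    return dict(counts)


def peak_eps(events):
    return max(eps_profile(events).values(), default=0)


def completeness_report(text, rated_eps):
    """Summarise how complete the feed is and whether load exceeded capacity."""
    events = parse_feed(text)
    gaps = find_gaps(events)
    missing = sum(last - first + 1 for _, _, first, last in gaps)
    peak = peak_eps(events)
    return {
        "received": len(events),
        "missing": missing,
        "gaps": gaps,
        "peak_eps": peak,
        "over_capacity": peak > rated_eps,
    }


if __name__ == "__main__":
    # Rated capacity of 3 EPS is a toy figure chosen so the sample trips it.
    report = completeness_report(SAMPLE_FEED, rated_eps=3)
    print(f"received={report['received']} missing={report['missing']} "
          f"peak_eps={report['peak_eps']} over_capacity={report['over_capacity']}")
    for host, channel, first, last in report["gaps"]:
        print(f"  gap on {host}/{channel}: records {first}-{last} never arrived")
```

In production this runs continuously against the collector's output rather than once against a file, and the rated capacity is the vendor's sustained EPS figure, not the burst figure. A counter gap is a trigger for investigation rather than proof of loss: a source whose log was cleared or whose counter is not guaranteed contiguous will also show one, so confirm against the source's own log before recording a collection failure.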
As with other IT investments, you need systems that can grow with you and scale up easily to meet increased demand.

The cost of data breaches and non-compliance

The value of critical company IP or sensitive client data is easier to estimate than the value of collecting complete event logs. When Ford product engineer Xiang Dong "Mike" Yu was accused of stealing automotive design specs for the Beijing Automotive Company, experts said they were worth some $50 million.

The costs are even more obvious, and often more public, where fines are involved. In 2010, the UK's Financial Services Authority fined Zurich Insurance (UK) £2,275,000 for 'failing to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data.' The compliance breach involved the data of some 46,000 policyholders.

For companies generating large amounts of revenue online, data breaches can stop revenue flows dead in their tracks, as was the case with Sony's PlayStation Network. That part of the Sony saga cost the company an estimated $170 million. Disruption to business can extend over many months, of course, as lawsuits have to be settled with customers, with banks, with credit card issuers and sometimes with state attorneys general.

Back in 2007, Massachusetts-based retailer TJX lost some 45 million credit card numbers to hackers over a period of time. The total cost to TJX was estimated at $4.5 billion, based on a cost of $100 per record breached. These days, the average cost of a data breach is more than $200 per record, according to the Ponemon Institute, and the average cost of significant data breaches reported in Australia now exceeds $2 million.

Summary

You can buy a lot of IT security for a lot less than the cost of data loss, penalties and lack of IT compliance. The Ponemon Institute found that IT compliance cost organisations some $3.5 million per annum, while non-compliance cost others $9.4 million.