GDS International - Next - Generation - Security - Summit - US - 4
5 Reasons to Implement SIEM
Transcript

  • 1. Five Steps to Everyday Compliance

Copyright © 2010 Trustwave Holdings, Inc. All rights reserved.
  • 2. Introduction

Compliance is not just an event to be prepared for whenever the auditor is on site. Instead, effective and efficient security practices should be in place to enable daily compliance. Everyday compliance strengthens enterprise security and is more likely to prevent costly data breaches.

Many believe that in the case of headline-grabbing data breaches the companies involved may very well have been compliant with certain standards at a given point in time. But during the days, weeks or months leading up to such breaches, some policy was violated, some process overlooked or some safeguard penetrated, costing the company and its customers millions of dollars.

For compliance with any regulatory standard or internal policy to really protect the enterprise, there is no silver bullet. Instead, there are processes and practices that help protect businesses against hackers, criminals and malicious insiders.

Mission Critical: Information Security

Critical information exists at the core of every business activity and initiative. Information security – the assurance of system availability, data confidentiality and integrity – is a primary concern for information security professionals and business managers alike. Security is at the top of the corporate agenda and at the heart of agency missions.

Flaws in the security strategy negatively impact profitability and erode the corporate brand. In the case of government agencies, they may put citizens in harm's way, disrupt the availability of service or put the armed services at risk. On the other hand, a consistent, daily approach to compliance and adherence to best practice controls engenders confidence and trust. Such a sustainable security infrastructure ensures positive recognition for the security team, protects the annual security budget and helps to justify necessary additions of security analysts and administrators.

Many organizations seek to strike a balance between protecting information and enabling the organization to achieve its mission. The security strategy must limit risk without negatively impacting business effectiveness. This requires a deliberate and strategic security model developed in the context of business objectives.

Internal policies and regulatory and industry standards provide guidelines to protect information and compliance, and are ultimately meant to strengthen security. Unfortunately, some organizations choose to do as little as possible and treat the audit or visit by the auditor as the end game. The real winners are the organizations that embrace both the spirit and the letter of the standards, embrace the opportunity to first and foremost "be secure" and in doing so prove to be compliant.

Defining Everyday Compliance

Everyday compliance is an affirmative approach to enforcing policy using best practice controls as defined by the International Organization for Standardization (ISO), Control Objectives for Information and related Technology (COBIT) or the National Institute of Standards and Technology (NIST). The ability to sustain a compliance environment involves changes in behavior across the IT organization. It introduces new processes and requires the adoption of technology to centralize the management of logs and security events. This leads to greater efficiency of the security team, collaboration across IT operations and an increase in the effectiveness of security policies and controls.
  • 3. This paper covers five processes that enable any compliance initiative to gain optimal value. By following these guidelines, businesses can begin to automate the tasks that are essential to everyday compliance:

    • Automated monitoring and correlation of security logs and events is like adding ten sets of eyeballs to the security team.
    • Automated analysis of data sources, which include the obvious security devices like firewalls but also the ability to collect and make sense of other data like configuration changes, the identity of users and the scope of their roles, monitored data from endpoint devices, and more.
    • Automated alerting and notification quickly makes sense of the logs and events, focusing attention on the most critical events – saving time when every second counts.
    • Communication, enabled by a core set of essential reports, tells the story of how effective controls are to the security team, other IT staff, business leaders and management. For security to be everyone's top priority there needs to be a way to communicate to everyone!
    • Communication, in the form of alerts, notifies personnel when controls aren't working and when the security infrastructure is standing strong.

1. Define the Security Information Model

Who needs to secure what?

The security model includes details about the network, identifies critical servers, lists key users and defines information concept objects like "credit cardholder database". Low-level objects in this model are grouped into one or more "systems," and the dependency relationships between systems and stakeholders are documented and agreed upon by the stakeholders themselves. Often, much of this information exists in various places within an organization. Bringing these heterogeneous data sources together within a security model is extremely valuable.

Creating a security model could be overwhelming if every asset were handled the same way, and it is not practical to secure everything homogeneously. In customizing tasks, the work done to create a security model provides an excellent foundation to help IT prioritize alerts, investigate cases and respond to incidents.

Most importantly, the creation of the model is the beginning of the conversation between IT and various stakeholders about how protection will be provided. Prioritizing information assets based on the criticality of the information they contain is an important step. The enterprise picture of what to protect and how to protect it enables IT security to appropriately prioritize information assets and to define security controls for authorized users.

Once the picture is complete, it becomes easier for stakeholders to participate in assessing risk and security costs. IT uses the information in the model to align security policies, processes and controls to determine the business impact of security failure. The quality of the model impacts the accuracy of alert management and the efficiency of managing incidents.

A simple example of asset grouping for a healthcare company managing HIPAA compliance: from a pool of 400 Windows servers, only 42 servers process confidential patient information. These 42 servers will be managed differently: they will have more rigorous authorization and authentication requirements, and security alerts involving these servers will be handled in a different way. Intrusion prevention tools, stronger network security and patches may be considered to reduce the impact of vulnerabilities for this asset group.
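The asset grouping and alert prioritization described above, as an added Python illustration that is not from the Trustwave paper: the hostnames, system names, stakeholder roles, extra controls and the severity-times-criticality weighting are constructed assumptions, while the 400/42 split follows the paper's HIPAA example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    """One grouping of low-level assets, agreed with its business stakeholder."""
    name: str
    criticality: int            # 1 (general pool) .. 5 (regulated / mission critical)
    stakeholder: str            # owner who self-subscribes to this system's risk
    extra_controls: tuple = ()  # controls applied only to this asset group


# Hosts that nobody has claimed fall into the lowest group and land on IT security.
UNMODELED = System("unmodeled", 1, "it-security")


class SecurityModel:
    def __init__(self):
        self.systems = {}         # system name -> System
        self.host_to_system = {}  # hostname -> system name

    def add_system(self, system, hosts):
        self.systems[system.name] = system
        for host in hosts:
            self.host_to_system[host] = system.name

    def system_for(self, host):
        """Look up the System an asset belongs to; unknown hosts are UNMODELED."""
        name = self.host_to_system.get(host)
        return self.systems[name] if name else UNMODELED


def build_hipaa_model():
    """Constructed model of the paper's example: 400 Windows servers, 42 of which
    process confidential patient information (hostnames and roles are made up)."""
    model = SecurityModel()
    phi_hosts = [f"win-{i:03d}" for i in range(1, 43)]
    general_hosts = [f"win-{i:03d}" for i in range(43, 401)]
    model.add_system(System("patient-records", 5, "cmo-office",
                            ("mfa", "ips", "expedited-patching")), phi_hosts)
    model.add_system(System("general-windows", 2, "it-operations"), general_hosts)
    return model


def prioritise_alerts(model, alerts):
    """Rank alerts by severity weighted with the criticality of the asset group the
    host belongs to, and attach the stakeholder to notify. Highest priority first."""
    ranked = []
    for alert in alerts:
        system = model.system_for(alert["host"])
        ranked.append({**alert,
                       "system": system.name,
                       "priority": alert["severity"] * system.criticality,
                       "notify": system.stakeholder})
    return sorted(ranked, key=lambda a: a["priority"], reverse=True)


# Constructed sample alerts, as a correlation engine might emit them.
SAMPLE_ALERTS = [
    {"host": "win-310", "event": "failed logon burst", "severity": 3},
    {"host": "win-007", "event": "failed logon burst", "severity": 3},
    {"host": "win-150", "event": "unexpected service install", "severity": 4},
    {"host": "db-legacy-9", "event": "config change", "severity": 2},
]

if __name__ == "__main__":
    for a in prioritise_alerts(build_hipaa_model(), SAMPLE_ALERTS):
        print(f'{a["priority"]:>3} {a["system"]:<16} {a["host"]:<12} {a["event"]} -> {a["notify"]}')
```

The same "failed logon burst" on a patient-records host outranks a more severe event on a general server, and an unmodeled host surfaces a gap in the model itself.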
  • 4. Fig. 1. The generally accepted equation for assessing risk is threat + vulnerability + impact = risk, and is represented here as the sum of three of the COBIT process areas (PA).

2. Define Security Assurance Levels

How much risk is the business willing to assume?

Business stakeholders, assisted by compliance or risk officers, ultimately define a company's tolerance for risk and the policies that will be implemented to achieve regulatory compliance. IT security works with business owners to translate policies into security controls, educating stakeholders about how controls will affect day-to-day activities. Together, they must determine which controls are realistic and sustainable. Most importantly, business owners and IT security must agree that the cost to protect the information is commensurate with the impact on the business if security is breached.

An effective approach many organizations use to engineer compliance is the assurance level agreement (ALA), which is a service level agreement for security. The ALA enables IT security to present non-technical end-users and business owners with a description of security controls as a set of services – in plain English and in the context of business transactions. IT security defines and implements the controls and determines how effectiveness will be measured and reported to the business.

Many security organizations rely on the internationally accepted COBIT to develop ALAs. Auditors sometimes use COBIT, or some hybrid of COBIT, as a sort of compliance checklist indicating the presence of controls required to enforce policy. The COBIT framework is a body of knowledge describing a methodology to achieve IT governance. The framework defines seven information criteria, which are used to generically define what the business requires from IT. Among these are confidentiality, availability and integrity, the information criteria most closely associated with compliance legislation.

The framework also describes 34 process areas and maps them to information criteria in a matrix. Over 300 control objectives are mapped to the 34 process areas. The framework is valuable in promoting process focus and ownership, and ensures that a business's quality, fiduciary and security objectives are achieved. ALAs should reflect appropriate risk. Assessing risk varies from company to company, but a generally accepted formula is: threat + vulnerability + impact = risk.

Implementing controls introduces changes that impact user behavior. The success of an ALA is determined both by user acceptance and the way in which IT implements it. IT security teams must
  • 5. align controls with a company's tolerance for risk, one workgroup at a time. An effective ALA reflects the level of internal controls required to achieve the defined risk posture while staying in line with business policy.

3. Communicate and Educate

What happens if a control is violated?

The model of "communicate and educate" is a proven strategy for introducing organizational change effectively. COBIT offers several control objectives specific to communication and education, including Educate and Train Users (DS7), Assist and Advise Customers (DS8), and Manage Problems and Incidents (DS10). Organizations that develop effective communication plans, implement them, and provide frequent, ongoing education often see significant results. Policy enforcement requires severe consequences for violators, which can impact income, job security and promotions. Users must have a vested interest in participating in these programs. Consistently applying these defined consequences reinforces behavior and demonstrates an organizational commitment to enforcement. Defining behaviors and consequences and expecting change are predicated on educating users about the importance of the controls.

Progressive buy-in occurs when the stakeholder self-subscribes to the risk their business unit is willing to take. Since no manager will subscribe to risks they don't understand, it is wise for the security organization to present at least two scenarios (a plan A and a plan B) along with likely outcomes, and let the stakeholder choose. Of course, each plan has a hard cost associated with a predicted risk reduction. If the stakeholder chooses the less costly and less protective plan, the decision can be reviewed at the next iteration of this process, based on results.

Allowing stakeholders to self-subscribe to the risks they are willing to take is fundamental to establishing a partnership between IT security and stakeholders. If a security organization cannot assign clear accountability to specific stakeholders, IT security will, by default, become responsible. Effective bridge building between security organizations and stakeholders is primarily an exercise in communication.

4. Measure Effectiveness

How much security is enough?

Security effectiveness is sometimes made public in the headlines of newspapers or as the lead story on the nightly news – the kind of measurement companies want to avoid. But there are other, more informal types of measurement as well, including the day-to-day perception of stakeholders. For example, stakeholders may perceive that security is effective if they are able to perform work without interruptions or oppressive restrictions. Conversely, stakeholders will perceive a lack of adequate security if there are a high number of visible incidents that require public reporting and have painful consequences that endanger the brand, tarnish the business reputation, or even result in onerous fines.
  • 6. IT security is required to supplement informal security measurements with rigorous log files and summarized detail reports that can then be used by management, auditors and operations to determine:

    • Where the organization is now
    • Where it has come from
    • What is required to get it where it needs to be

Education is an inexpensive tactic. A large bank recently developed a series of webcasts on topics such as the importance of regularly changing passwords, steps to protect log-ins and passwords, and suggestions for updating anti-virus for remote users. The webcast technology enabled the organization to track user participation and report it to managers, placing accountability on the stakeholder. The number of unauthorized log-ins decreased dramatically.

Fig. 2. This flow chart illustrates the process of assessing, on an ongoing basis, security capabilities relative to a specific industry, relative to regulatory compliance and relative to where a company would like to be to minimize risk.

Many auditors use control framework objectives as a guide to assess the maturity of security processes. A passing grade may mean that a "best effort" was made to implement the process and the organization is taking steps to implement the controls in a way that is "repeatable and likely to improve over time"; a failing grade may be the result of a required process not being in place. The best way to ensure that key processes are in place and are working is to measure associated controls in an organized and consistent way – looking at results over time. Are results trending in the right direction?

Security operations identify appropriate metrics, measurement frequency and measurement data required to improve security over time. In sustaining compliance, it is important to record and review what is happening operationally, both proactively and reactively.

For organizations that want to sustain compliance between audits, consistent and sustainable reporting processes are important steps.
  • 7. Automating log monitoring and reporting is cost effective, productive, and incorporates reporting as a regular part of the compliance process without adding a lot of cost. The number of hours required to manually prepare reports for audits is prohibitive and negatively impacts productivity. With automated reporting, security resources can be allocated to more important work. In addition, the margin for error resulting from tedious review of device-specific logs is high. The real value is derived when data from one or more disparate logs is correlated using event correlation capabilities. Automated reporting not only reduces the overall cost of sustaining compliance but improves effectiveness as well.

The long-term benefit of reporting, however, is using the information provided to improve security by changing or adding controls that increase effectiveness and reduce risk. The ability to measure and then remediate control effectiveness is core to sustaining compliance.

Finally, the information provided by an operational reporting solution must be accurate, reliable and secure. IT security must be able to:

    • Have confidence in the data behind reports
    • Configure reports to get the information they need
    • Drill down from summarized detail to native files for further analysis
    • Securely store volumes of data over time for forensics, trending and legal defense

5. Create a Process for Continuous Improvement

What happens next?

Security experts believe that hackers will achieve their goal without detection. Perimeter security, while an important component of enterprise security, is not entirely effective. Even the Great Wall of China, built by a million laborers and fortified over decades, cannot completely prevent invasion. Protecting enterprise networks from the outer world (exclusion) began to transition to information security with the advent of the extended enterprise. Information security is based on inclusion, granting external access to internal applications by following well-defined rules.

Fig. 3. This diagram illustrates how multiple factors, including a company's business context, corporate policy and regulatory environment, must be considered when developing the IT security framework, individual IT layer controls, and the reports that help a company monitor their effectiveness.
  • 8. Security organizations that can define rules, implement controls and facilitate regular, metric-based reviews with stakeholders are flexible, dynamic and adaptable to today's ever-changing security landscape. Assurance reviews drive future direction and policy. Effective reporting prescribes the next steps, to sustain what is working, change what is not and achieve future benchmarks. Progressive security organizations implement business process controls to satisfy regulatory requirements, of course, but also implement a complete framework for securing information and work to improve security capabilities quarter after quarter. A holistic approach to security that combines business process controls, identity management and technology infrastructure security balances exclusion and inclusion. This type of security management enables a business to achieve revenue goals and market share, while protecting the integrity and confidentiality of information assets.

Trustwave Enables Everyday Compliance

Security organizations are unique. Size doesn't matter. Large, global organizations with complex infrastructures may have 36 professionals working three shifts around the clock. Contrast this with companies with one to two people (who may not even work full time) focused on information security. Some companies have multiple regulatory requirements; others may just need to adhere to the Payment Card Industry Data Security Standard (PCI DSS). Government agencies share the diversity. What all the security teams have in common is that they are working toward the same results: fewer incidents, less disruptive audits and the confidence and trust of their constituents – whether they're patients, cardholders, troops, taxpayers or shareholders. Security effectiveness and efficiency are desirable goals for all companies, regardless of the budget. Trustwave is committed to identifying and protecting sensitive data in every form in every environment. Our experience, knowledge and trusted technology put us at the leading edge of information protection, allowing us to offer solutions to help organizations of all sizes secure data, mitigate risk and comply with industry regulations and laws.

For more information about Trustwave and our solutions, visit www.trustwave.com or e-mail info@trustwave.com.

About Trustwave

Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper® compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations—ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers—manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia.
