CISOs and their security programs face overwhelming pressure to renew their focus on data protection. This pressure stems from external forces (advanced threats and a multitude of compliance obligations) and internal forces (new business initiatives). The combination produces a complex set of data protection requirements, and meeting them is harder still because of the explosion in data volume and the variety of locations where that data may reside. If that is not enough, the scope of data to be protected includes not only customer data but internal data and system data as well. In this webcast, Jim Maloney, CEO of Cyber Risk Strategies, LLC, and Mark Evertz, Security Solutions Manager at Tripwire, discuss:
The evolution of information security and why it has renewed its focus on data protection
The challenges CISOs and their security programs face in securing data, including increasing volumes of data, multiple locations of data, compliance obligations and more
Why data protection efforts must go beyond customer data to also protect internal data and system data
How data protection can serve as a business enabler
How solutions like the Tripwire VIA Suite can help protect essential organization data
Five steps CISOs can take to significantly improve their organization's information security
2. Common Data Protection Pitfalls – And How You Can Avoid Them. Jim Maloney, Cyber Risk Strategies, LLC; Mark Evertz, Tripwire, Inc. September 28, 2010
5. The data protection challenge (diagram: controls around systems and data, pressured by complex external threats, changing business requirements, growing compliance obligations, and increasing data volumes and distribution)
7. Increasing scope of data

   Customer Data        Internal Data            System Data
   Personal data        Business plans           Firewall configurations
   Financial data       Intellectual property    Router configurations
   Health records       Customer lists           Platform configurations
   Cardholder details   Employee lists           Accounts & Permissions
   Criminal records     Contracts                Event logs
10. Many compliance obligations

   Compliance Item                                Primary Locale   Industry                                                   Data Focus
   UK Data Protection Act                         United Kingdom   All                                                        Customer Data
   Data Protection Directive                      European Union   All                                                        Customer Data
   Privacy and Electronic Communications          European Union   All                                                        Customer Data
   Federal Information Security Management Act    United States    US Federal Agencies                                        System Data
   Privacy Act of 1974                            United States    US Federal Agencies                                        Customer Data
   Health Insurance Portability Act               United States    Health                                                     Customer Data (Health Care)
   HITECH Act                                     United States    Health                                                     Customer Data (Health Care)
   Identity Theft Red Flags Rule                  United States    Financial                                                  Customer Data (Identity Information)
   Gramm-Leach-Bliley Act                         United States    Financial                                                  Customer Data (Financial Information)
   Payment Card Industry Data Security Standard   All              Firms that are part of the credit card processing cycle    Customer Data (Cardholder and Sensitive Authentication Data)
12. Pitfall No. 2 – A compliance nightmare (diagram: laws and regulations, the standard of due care, industry standards and best practices all driving training, audits, technology, policies, BCP and IRP)
17. Who is being targeted? (chart: 2010 Verizon Data Breach Investigations Report)
18. What data is being targeted? (chart: 2010 Verizon Data Breach Investigations Report)
20. The (d)evolution of information security (timeline 1970 to 2010: information, computers, internal networks, external networks, applications, clouds, user behavior)
24. Must make better use of existing data (sources: vulnerability assessment, switches & routers, firewalls, IDS & IPS, databases, applications). "We consistently find that nearly 90% of the time logs are available but discovery [of breaches] via log analysis remains under 5%" (2010)
25. Improved data protection: correlation of change events & log events (diagram: raw log data and change events are combined into events of interest, answering "Am I secure?" and "Is policy impacted?")
26. Example: correlating log & change events – 5 failed logins; logging turned off; host not generating events; Windows event log cleared; login successful; policy test fails
36. Tripwire VIA: IT security & compliance automation (diagram: policy engine and event database, correlating to bad changes and to suspicious events)
37. Tripwire VIA – VISIBILITY across the entire IT infrastructure; INTELLIGENCE to enable better, faster decisions; AUTOMATION to reduce manual, repetitive tasks
Over the last several years, many organizations have put collection systems in place to meet PCI requirements: log management and FIM along with other security tools. They have been collecting a ton of data ever since, so they have plenty of data to meet compliance requirements. The problem is that they have too much data for it to be useful, and it is almost impossible to quickly know whether any of that data indicates a security issue. It's like trying to find a single land mine in a massive landfill before it goes off and causes damage.
Scenario – the power of integrating file integrity monitoring and configuration policy management with log and event management:
A critical application setting goes from in compliance to out of compliance (green to red).
The investigation reveals who made the change: an unknown user.
Drilling into the event logs related to the application server reveals that the user ID was created by a known administrator and then given elevated privileges.
All of this data was turned into information: a critical application is about to go down, a type of denial of service.
All of this information was available through the TE Console.
Bottom line: by correlating compliance, change and event data, individually non-suspect changes are shown to be a high-severity security event.
This is really what you want to know. Five failed logins on their own, followed by a successful login, is probably a medium-to-low alert; in fact, this is so common that it contributes to SIEM overload. But getting an unrelated alert for each of these at every step along the way won't help either. We think you need this context to see all of these happening in concert, so you can quickly spot the complicated patterns that impact security. So what does Tripwire do to help solve this? Let me show you.
Here's a snapshot of a high-level dashboard that gives you the lay of the land in your IT infrastructure based on the policies and standards in place, in this case FISMA compliance. You'll note a real-time scoring element, details on a failed test and any changes associated with those failed tests. But beyond the colors and pie charts, the devil is in the details.
As the person watching all of this behind the scenes, you are notified when something like the "FTP Publishing" service fails the "disabled" test put in place, meaning someone has enabled something against your security or compliance policy. For you, this is a major RED FLAG, though it may not be malicious. You need to know more.
So you start piecing together what happened, or is happening. The start-up type indicates that the change has happened, and the type shows it was set to auto start, after that policy test. Odd.
So you go into the "Log Center Events" tab and step through building the forensics on who enabled it, to get the four Ws of the attack: who, what, when and where.
As you do, you'll notice that "myuser" enabled it, but as you progress through the log events, a user named "sjohnston" is the one who created "myuser" and then gave "myuser" admin privileges.
From there, "myuser" began to wreak havoc. The point is that through a critical change found in Tripwire Enterprise, as it impacts a compliance regime like PCI, FISMA for government, SOX or some other prescribed standard or security control, we were able to discover a breach or potential breach through integration with our next-generation Security Information and Event Management solution, Tripwire Log Center.
Here's another view of what myuser has been up to that represents a breach: successful login; group member added and given admin privileges; and then another user account created. You've pinpointed who did it, when they did it and what they did, in minutes rather than days, weeks or months, by correlating log events with change data. Now you can take action.
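The walk-through above (the scenario and the myuser/sjohnston investigation) as a small correlation routine. This is an added example, not Tripwire's code: it uses a constructed, simplified record layout with the scenario's account names and the real Windows event IDs for failed logon, logon, user creation, group membership change and service start-type change; the host name and timestamps are made up.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the page or Tripwire): simplified Windows-style
# log events using the real event IDs 4625 failed logon, 4624 logon, 4720 user created,
# 4732 member added to local group, 7040 service start type changed; names from scenario.
T0 = datetime(2010, 9, 28, 9, 0)
LOGS = [
    {"ts": T0 + timedelta(minutes=m), "id": i, "actor": a, "target": t, "host": "appsrv01"}
    for m, i, a, t in [
        (1, 4624, "sjohnston", "sjohnston"),
        (2, 4720, "sjohnston", "myuser"),                 # sjohnston creates myuser
        (3, 4732, "sjohnston", "myuser:Administrators"),  # ...and makes it an admin
        (10, 4625, "myuser", "myuser"), (11, 4625, "myuser", "myuser"),
        (12, 4625, "myuser", "myuser"), (13, 4625, "myuser", "myuser"),
        (14, 4625, "myuser", "myuser"), (15, 4624, "myuser", "myuser"),
        (16, 7040, "myuser", "FTP Publishing"),           # start type set to auto
    ]
]
CHANGE = {"ts": T0 + timedelta(minutes=17), "host": "appsrv01", "result": "FAIL",
          "policy_test": "FTP Publishing service disabled", "element": "FTP Publishing"}

def failed_then_success(logs, actor, threshold=5):
    """True if `actor` has `threshold` or more failed logons immediately followed by a success."""
    streak = 0
    for e in sorted(logs, key=lambda r: r["ts"]):
        if e["actor"] != actor or e["id"] not in (4624, 4625):
            continue
        if e["id"] == 4624 and streak >= threshold:
            return True
        streak = streak + 1 if e["id"] == 4625 else 0
    return False

def trace_policy_failure(change, logs, window=timedelta(hours=1)):
    """Link a failed policy test to who changed the element, and to who created/elevated that account."""
    if change["result"] != "FAIL":
        return None
    recent = [e for e in logs if e["host"] == change["host"]
              and change["ts"] - window <= e["ts"] <= change["ts"]]
    svc = [e for e in recent if e["id"] == 7040 and e["target"] == change["element"]]
    if not svc:  # no log event explains the change: still worth a look, but less context
        return {"policy_test": change["policy_test"], "changed_by": None, "severity": "MEDIUM"}
    actor = svc[-1]["actor"]
    created = [e for e in recent if e["id"] == 4720 and e["target"] == actor]
    elevated = [e for e in recent if e["id"] == 4732 and e["target"].startswith(actor + ":")]
    return {"policy_test": change["policy_test"], "changed_by": actor,
            "created_by": created[-1]["actor"] if created else None,
            "elevated_by": elevated[-1]["actor"] if elevated else None,
            "group": elevated[-1]["target"].split(":", 1)[1] if elevated else None,
            "brute_force_pattern": failed_then_success(recent, actor),
            # new account + new admin rights + policy-breaking change is the high-severity combination
            "severity": "HIGH" if created and elevated else "MEDIUM"}
```

The logon streak by itself is reported but does not raise severity; only the chain from the policy failure back through the service change to a freshly created and elevated account does.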
As Verizon pointed out, the precursors to breaches, or breaches in progress, live in your log data. The question is: do you have the tools to find the culprit before damage is done? If you can find suspicious log behavior and correlate it with suspicious file or system changes in near real time, you can maintain a constant state of compliance and improve your ability to protect your most sensitive data.
And it's all spelled out for you here. In addition to unified dashboards showing compliance and security red or green status with easy-to-understand widgets and reporting tools, Tripwire VIA helps you fight through a deluge of data with real-time visibility, true threat detection and response, and the ability to automate remediation procedures to stop or reduce the impact of an attack.
The integration of Tripwire Log Center, Tripwire Enterprise and the dynamic alerting we deliver through that integration elevates seemingly innocuous events by identifying complicated patterns of behavior that represent a potential compromise of sensitive data or critical systems. Tripwire VIA is a product suite that represents the tight integration of Tripwire Enterprise and Tripwire Log Center. It is the only IT Security and Compliance solution available that allows you to correlate changes of interest to events of interest to bring an unprecedented new level of Visibility, Intelligence and Automation across the enterprise to help automate and improve overall IT security and speed IT compliance.