Leveraging Compliance for Security with SIEM and Log Management

With the fast-changing regulatory and threat landscape, organizations need to understand quickly how log management and SIEM solutions help them meet their compliance and security needs. The 2010 Data Breach Investigations Report highlights this issue, revealing that 86 percent of organizations breached had evidence of the breach in their logs. Had they found this evidence in a timely manner, they likely could have prevented much of the damage associated with a breach.

In this webcast, security and compliance expert Anton Chuvakin and Tripwire's Cindy Valladares offer practical strategies organizations can apply to meet their compliance needs and improve security with log management and SIEM solutions.

  • The difference between log management and SIEM solutions and why you need both.
  • How defining the problem you are trying to solve helps you choose the right solution.
  • A pragmatic approach to SIEM that ensures a successful compliance audit, but also improves security.
  • How SIEM and log management requirements tie in to various regulations and standards like PCI, HIPAA and NERC.
  • Additional steps organizations can take to improve security through the solutions they use for compliance.
  • Mistakes organizations make that undermine the organization's security.
  • Learn how solutions in the Tripwire VIA suite are a perfect fit for this pragmatic approach.

  • 2/3 of value is in OWN data, ½ is spent protecting it!
    Forrester report: “Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes “toxic” and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity.”
    + infrastructure to handle either kind of data, business-critical processes, etc.!!!
    Consequences:
    - "PCI technology" or "PCI industry"
    - Custodian vs owner of data
    - Laws made you secure 3rd-party data
    - You are free to screw yourself by losing your own data
    - PCI vs "your risk"
    - Might be protecting CC > your key data!
  • Another way to decide is to look at what problem you’re trying to solve with the tool. Over the years, the following areas where SIEM and log management tools can deliver value have emerged:
    - Security, detective, and investigative: sometimes also called threat management, this focuses on detecting and responding to attacks, malware infection, data theft and other security issues. It is very useful to see this as two separate factors: monitoring and detection of security issues vs investigation and forensic analysis of security incidents.
    - Compliance, regulatory (global) and policy (local): this focuses on satisfying the requirements of various laws, mandates and frameworks. Most of the mandates have the intention of helping you improve security, so there is a lot of overlap between this and the previous item.
    - Operational, system and network troubleshooting and administration: specific mostly to log management, this use case has to do with investigating system problems as well as monitoring the availability of systems and applications.
  • Security Information and Event Management covers relevant log collection, aggregation, normalization, retention; context data collection; alerting; analysis (correlation, prioritization); presentation (reporting, visualization); security-related workflow and relevant security content. Typical uses for SIEM tools center around network security, data security as well as regulatory compliance.  On the other hand, Log Management includes comprehensive log collection, original log retention; analysis; presentation (search, reporting, and visualization); related workflow and relevant content such as reports and search queries. Log management usage is broad and covers all possible applications for log data across IT and even beyond information technology – but certainly includes security and compliance use. To summarize this, SIEM focuses on security while log management focuses on a broad use for log data. Most specifically, SIEM tools include correlation and other real time analysis functionality, useful for real-time monitoring. Log tools often focus on advanced search across all log data. Today, many tools combine select capabilities of SIEM and log management in a single product or product suite.
  • Security Information and Event Management = relevant log collection, aggregation, normalization, retention; context data collection; analysis (correlation, prioritization); presentation (reporting, visualization); related workflow and relevant content. UPDATE - see infoBoom.
    Let’s further define what features can be called defining SIEM features; most organizations will look for most of these features while choosing a SIEM product. The features are:
    1. Log and Context Data Collection includes being able to collect logs and context data using a combination of agent-based and agentless methods.
    2. Normalization covers being able to convert most original logs into a universal format, usable for cross-source reporting and correlation.
    3. Correlation is used to describe rule-based correlation, statistical or algorithmic correlation, as well as other methods that include relating different events to each other and events to context data.
    4. Notification/alerting includes being able to trigger notifications or alerts to operators or managers. Common alerting mechanisms include email, SMS, or even SNMP messages.
    5. Prioritization includes different features that help highlight the important events over less critical security events. This may be accomplished by correlating security events with vulnerability data or asset and identity information.
    6. Real-time views cover security-monitoring dashboards and displays used by security operations personnel. Such views are handy when looking at current system and user activity.
    7. Reporting and scheduled reporting cover all the historical views of data collected by the SIEM product. Some products also have a mechanism for distributing reports to security personnel, either over e-mail or using a dedicated web portal. SIEM reporting relies on parsing and normalizing log data.
    8. Security role workflow covers incident management features such as being able to open incident cases, perform investigative triage, as well as automatically or semi-automatically perform other security operations tasks.
  • What is correlation? Different definitions given by different people.
    - Dictionary: “establishing relationships”
    - Why correlate events? Cross-device data analysis
    - What else might one want to correlate? Events and …
  • First, compile a list of regulations that you have to comply with, paying particular attention to areas where a SIEM or log management tool can be useful. In many cases, the list will contain only one regulation – but the one you absolutely must handle.
    Next, if possible, review other possible goals that SIEM can help you achieve. Deciding whether SIEM satisfies a critical business need – such as serving as an enabling technology for your SOC – is an essential step.
    Third, at this point you must decide whether you are prepared to work to make SIEM solve your problem – whether compliance or other. Despite help from the vendor and possibly consultants, there are areas where you have to work to make SIEM work.
    Now, acquire and implement the SIEM solution. This is where you work jointly with the vendor in order to build your initial implementation for regulatory compliance, such as PCI DSS.
    Now, start actually using SIEM for both the “letter and spirit” of the regulation. This is the most important step in the approach – one of the biggest mistakes organizations make in this area is thinking that simply owning a SIEM tool makes them compliant. In reality, building daily operational procedures and processes to go with your SIEM is the only way to do that. Sadly, few people remember that PCI DSS prescribes a large set of periodic tasks, from annual to daily (log review being the most well-known example of a daily practice) and not just “having logs.”
    Finally, expand the use case beyond compliance. Only at this step can you plan for expanding deployment and solving other problems. The tips for that are provided in the next section. One way to quickly grow your security capability is on the incident response side. This is due to the fact that the easiest and most common security use for log management and SIEM tools - beyond compliance - is related to incident response and forensics.
  • Happy with LM? Then go -> SIEM
    - Phased deployment!
    - Filter some logs into SIEM
    - How to decide? Correlation, use cases, stakeholders, etc.
    - Prepare to build use cases slowly
    - Things to watch for while evolving
    - Initially increased workload: now you do more useful stuff!
  • SIEM first steps
    - Simple use cases that are your own: based on key risks to your business, key issues you’d like to monitor for
    - Security monitoring for compliance
    - Traditional use (if the customer does not have preferred use cases and does not know how to find them):
      IDS/IPS and firewall analysis
      Login tracking
      Web application hacking
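The defining SIEM features listed earlier (normalization, cross-device correlation, prioritization against asset data, alerting) and the "login tracking" and "firewall analysis" first-step use cases above, worked through as one added example that is not part of the webcast or of any Tripwire product. The log lines, IP addresses and asset criticality table are all constructed for the illustration.

```python
"""Toy SIEM pipeline: normalize, correlate across devices, prioritize, alert."""
import re
from collections import defaultdict

# Constructed sample logs from two sources, each in its own native format.
RAW_LOGS = [
    "fw1 DENY src=203.0.113.9 dst=10.0.0.5 dport=22",
    "sshd[10.0.0.5]: Failed password for root from 203.0.113.9",
    "sshd[10.0.0.5]: Failed password for root from 203.0.113.9",
    "sshd[10.0.0.5]: Failed password for root from 203.0.113.9",
    "sshd[10.0.0.5]: Accepted password for root from 203.0.113.9",
    "sshd[10.0.0.7]: Failed password for bob from 198.51.100.4",
    "sshd[10.0.0.7]: Accepted password for bob from 198.51.100.4",
]
# Constructed asset context (criticality) used for prioritization.
ASSETS = {"10.0.0.5": "critical", "10.0.0.7": "low"}

FW_RE = re.compile(r"^\S+ (?P<act>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+)")
SSH_RE = re.compile(r"^sshd\[(?P<dst>[^\]]+)\]: (?P<res>Failed|Accepted) "
                    r"password for (?P<user>\S+) from (?P<src>\S+)")

def normalize(line):
    """Map a raw line onto one universal schema; None for unparsed lines."""
    if m := FW_RE.match(line):
        return {"type": "fw_" + m["act"].lower(), "src": m["src"],
                "dst": m["dst"], "user": None}
    if m := SSH_RE.match(line):
        return {"type": "login_fail" if m["res"] == "Failed" else "login_ok",
                "src": m["src"], "dst": m["dst"], "user": m["user"]}
    return None

def correlate(events, threshold=3):
    """Rule: threshold+ failed logins then a success for the same (src, dst) pair.
    Earlier firewall denies for that pair become evidence; asset criticality sets priority."""
    fails, denies, alerts = defaultdict(int), defaultdict(int), []
    for e in events:
        key = (e["src"], e["dst"])
        if e["type"] == "fw_deny":
            denies[key] += 1
        elif e["type"] == "login_fail":
            fails[key] += 1
        elif e["type"] == "login_ok" and fails[key] >= threshold:
            alerts.append({"src": e["src"], "dst": e["dst"], "user": e["user"],
                           "fails": fails[key], "fw_denies": denies[key],
                           "priority": "high" if ASSETS.get(e["dst"]) == "critical" else "medium"})
    return alerts

def run(lines=RAW_LOGS):
    """Full pipeline: normalize every line, drop unparsed ones, correlate."""
    return correlate([ev for ev in map(normalize, lines) if ev])
```

Only the root login on the critical host produces an alert; bob's single failure stays below the threshold, which is the kind of tuning decision the "build use cases slowly" note refers to.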
  • SIEM use cases
    - SOC – full real-time monitoring
    - Mini-SOC / “morning after”
    - Remote monitoring + investigations
    - Compliance status reporting
  • SIEM for Compliance Mistakes. The most burning logging, SIEM and compliance mistake is simply this: thinking that to be compliant you have to have logs collected in a log management tool – and do nothing else. This mistake is as egregious as they come – simply reading the text of most regulations will uncover such items as log review, log protection, logging specific details for various events, handling exceptions and many other items. PCI DSS prescribes log review and log protection, HIPAA calls for monitoring, NERC asks for incident processes; not a single regulation is only about storing logs. A second common mistake is focusing on the letter of regulations – and not their intended spirit. The best way to summarize it is: if you focus on security, you have a shot at being compliant and secure; if you only focus on compliance, you will likely be neither secure nor compliant. Just ask the victims of recent breaches, who were justifiably found not to be compliant. Finally, a siloed approach to regulations is unfortunately the norm today. Still, that does not make it right – it is still a mistake. Given the large overlap across regulations in what they mandate with regard to logging, security monitoring, change detection, incident response and other security practices, it makes sense to implement this superset of requirements and not try to “chew” on regulations one by one, wasting resources and causing delays.
  • OR: Every time you think “Compliance OR security,” god kills a kitten!
    - Profit = not an ROI scam, but how to benefit from the fact that PCI exists.
    - HACKER <- This is the enemy!
    - This is NOT the enemy! -> QSA
    - Security first, compliance as a result
    - Compliance as motivation, security as action
    Philosophy
    - Do you agree with "laws against stupid?"
    - Tenuous connection of controls/practices vs outcomes
    - Compliance is "easy", security is hard
    - If you lose my SSN, I WANT your business to FAIL!
    - Compliance vs risk. Or is it FOR risk?
    - "We might get hacked, but we will get audited"
    - Age of irresponsibility / entitlement
    ANTI-COMPLIANCE
    - "Checklist mentality"
    - "Teaching for the test"
    - "Whack-an-auditor" game
    - Induction of "mandate = ceiling" thinking
    - Narrow focus on mandated controls
    - No focus on controls effective for you!
    - Lack of innovation
    - Slow speed of mandate changes
    - Difference in assessment quality
    - Extra diligence of post-breach assessment
    - Total disconnection of compliance from security
    - $0.71/month scans
    - Compliance spending misaligned with risk
    - Unhappy with compliance? Never did ANY security
    - "PCI compliance has not been “operationalized” by 95 percent of merchants"
  • Conclusions. While some organizations continue to try to degrade sensible security requirements to some minimum baseline, this is not a recipe for creating customer trust and protecting the data. Some of the recent challenges with SIEM and log management frequently stem from the fact that powerful SIEM technology is purchased to address a compliance mandate – and to do so in a narrow and short-sighted fashion. Following our roadmap to effective use of SIEM for compliance and beyond will allow you to avoid the mistakes and gain all the benefits you paid for when procuring a SIEM or log management tool. Next, you can expand the use of a SIEM beyond compliance to security and operational use cases, focusing on improved incident response practices and then going to near-real-time automated security monitoring. This is the only way to gain visibility and thus control over your ever-growing IT environments. This is also the only way to prepare for the onslaught of virtualization and cloud computing, which will muddy the waters of what information and IT assets need to be protected. The final word on succeeding with SIEM is this: start with the regulatory guidance, take it to heart, operationalize it, then expand to solving “bigger and better” problems.