Ensuring Security & Compliance in a Data Deluge
Barriers To Success
• Expanding threat landscape; more cybercrime with sophisticated adversaries
• Market is consolidating and leaning on strategic vendor relationships to reduce TCO of existing solutions
• Existing technology isn’t providing expected ROI, is too expensive and complex, and only delivers data
Prevent Outages | Protect Sensitive Data | Prove Compliance
• Don’t know what I don’t know
• Too much data to sift through
• Cost of being secure, compliant and efficient is too high and labor intensive
Too much data!
Source: Aberdeen Group
[Diagram: the cost of the data deluge. OPERATIONS: Longer MTTR, Unplanned Work, Budget Pressure. SECURITY: $$$$, Shareholder Value, Branding.]
[Diagram over Time: No Visibility; Drifting away from the Desired State; High-risk; Temporary Success]
Raw Log Data
[Diagram: Detect Change (Good & Bad) → Report Change (Good & Bad). Result: No Change Intelligence, No Security, Data Landfill, “So What!”]
The lack of compliance in PCI DSS Requirement 11 …. Knowing (not just recording) what is actually occurring within networks and systems is …. critical. (2010)
Raw Log Data
[Diagram: Event Correlation → Event Alerts]
• Too Many Alerts To Investigate
• Miss Complex Scenarios
Were changes made? Who made them? Did they enable events?
[Build slides: a change event and the log events that follow it]
• FTP Enabled
• Login successful
• 10 failed logins
• FTP event to foreign IP
Problem → Discovery: Long time to discover breach
Raw Log Data
“We consistently find that nearly 90% of the time logs are available but discovery [of breaches] via log analysis remains under 5%” (2010)
A Better Approach
• VISIBILITY: Across the entire IT infrastructure
• INTELLIGENCE: Enable better, faster decisions
• AUTOMATION: Reduce manual, repetitive tasks
Raw Log Data
[Diagram: a change event asks “Am I Secure?”, a log event asks “Is Policy Impacted?”; both surface Events of Interest!]
Raw Log Data
• Dynamic Policy Testing: Auto-retest to policy
• Change Process Analysis: Change windows, User ID, Multiple conditions
• Reconcile to Business Authorization
Close breach-to-discovery time gap; Immediate time-to-value; Exclusive to Tripwire!
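As an added illustration (not Tripwire's own code or ChangeIQ's logic), the following Python sketch applies the three capabilities named on this slide to a detected change: it retests the changed setting against policy, checks the change against change-process criteria (change window, user ID, Request For Change ticket), and either promotes or alerts. The policy values, criteria, user names, ticket ids and sample changes are all constructed placeholders.

```python
"""Added example, not Tripwire's code: the change-intelligence flow the slide
names. A detected change is retested against policy, then compared with
change-process criteria (window, user ID, RFC ticket); an expected, compliant
change is promoted, anything else is alerted with its properties."""
from datetime import datetime, time

# Constructed policy: desired value per setting plus remediation advice.
POLICY = {"sshd.PermitRootLogin": ("no", "set PermitRootLogin no, restart sshd"),
          "vsftpd.enabled": ("false", "disable and stop the vsftpd service")}
# Constructed change-process criteria: maintenance window, users allowed to
# change systems, and open Request For Change tickets with their scope.
CHANGE_WINDOW = (time(22, 0), time(23, 59))
AUTHORIZED_USERS = {"svc-config-mgmt"}
RFC_TICKETS = {"RFC-1042": {"host": "web01", "setting": "sshd.MaxAuthTries"}}

def policy_test(change):
    """Dynamic policy testing: retest the changed setting; None on pass, else (failure, remediation)."""
    rule = POLICY.get(change["setting"])
    if rule is None or change["new_value"] == rule[0]:
        return None
    return (f"{change['setting']}={change['new_value']!r}, policy requires {rule[0]!r}", rule[1])

def criteria_met(change):
    """Change process analysis: list the criteria that make this change expected."""
    ticket = RFC_TICKETS.get(change.get("rfc"), {})  # reconcile to authorization
    checks = (("change window", CHANGE_WINDOW[0] <= change["time"].time() <= CHANGE_WINDOW[1]),
              ("authorized user", change["user"] in AUTHORIZED_USERS),
              ("RFC ticket", ticket.get("host") == change["host"]
                             and ticket.get("setting") == change["setting"]))
    return [name for name, ok in checks if ok]

def triage(change):
    """Return ("promote", criteria) or ("alert", reasons) for one detected change."""
    reasons = []
    failed = policy_test(change)
    if failed:
        reasons.append(f"policy violation: {failed[0]}; remediation: {failed[1]}")
    met = criteria_met(change)
    if not met:  # meets no criterion: not typical and expected, so escalate
        reasons.append(f"unexpected change by {change['user']} on {change['host']} at {change['time']:%H:%M}")
    return ("alert", reasons) if reasons else ("promote", met)

# Constructed changes: a ticketed in-window change, and an FTP enablement by
# a user that matches no criterion (the deck's "FTP Enabled" starting point).
CHANGES = [
    {"host": "web01", "setting": "sshd.MaxAuthTries", "new_value": "3", "user": "svc-config-mgmt",
     "time": datetime(2010, 6, 1, 22, 30), "rfc": "RFC-1042"},
    {"host": "web01", "setting": "vsftpd.enabled", "new_value": "true", "user": "jdoe",
     "time": datetime(2010, 6, 1, 14, 5)},
]
```

Calling `triage` on each entry of `CHANGES` promotes the ticketed change and alerts on the FTP enablement with both a policy-violation reason and the change's properties.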
Raw Log Data → Normalization & Correlation
• High Speed Log Archival • Google like Index • Fast Search • Intelligent Reporting
• Events of Interest • Structured Data • Complex Reporting • Data visualization
• 5 failed logins
• Login successful
• Windows event log cleared
• Logging turned off
• Host not generating events
• Policy test fails
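As an added example rather than Tripwire Log Center code, here is an in-memory sequence correlator in Python covering the event sequence above and the earlier FTP build-up (FTP Enabled, 10 failed logins, Login successful, FTP event to foreign IP); each event on its own stays quiet, and only the completed sequence on one host becomes an event of interest. The step ordering inside each rule, the one-hour window, the event kind names and the sample hosts are assumptions.

```python
"""Added example, not Tripwire's code: an in-memory sequence correlator that
raises one event of interest when low-value events occur in concert on a host."""
from datetime import datetime, timedelta

# A rule is an ordered list of (event kind, occurrences needed, required attrs).
# Rule 1 follows the deck's FTP build-up; rule 2 follows the "5 failed logins,
# login successful, Windows event log cleared" sequence listed above.
RULES = {
    "ftp_exfil_after_change": [("change", 1, {"setting": "ftp_enabled"}),
                               ("login_failed", 10, {}), ("login_success", 1, {}),
                               ("ftp_transfer", 1, {"foreign_ip": True})],
    "brute_force_then_log_clear": [("login_failed", 5, {}), ("login_success", 1, {}),
                                   ("audit_log_cleared", 1, {})],
}
WINDOW = timedelta(hours=1)  # every step of a rule must complete inside this window

def correlate(events, rules=RULES, window=WINDOW):
    """Return [(rule, host, time of final step)] for each completed sequence."""
    hits, by_host = [], {}
    for e in sorted(events, key=lambda x: x["time"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for name, steps in rules.items():
            idx, seen, start = 0, 0, None  # one state machine per host and rule
            for e in evs:
                if start and e["time"] - start > window:
                    idx, seen, start = 0, 0, None  # window expired: drop partial match
                kind, need, attrs = steps[idx]
                if e["kind"] == kind and all(e.get(k) == v for k, v in attrs.items()):
                    start, seen = start or e["time"], seen + 1
                    if seen >= need:  # step satisfied, advance to the next one
                        idx, seen = idx + 1, 0
                        if idx == len(steps):
                            hits.append((name, host, e["time"]))
                            idx, start = 0, None
    return hits

# Constructed sample (not real logs): web01 replays the slide scenario; db02 has
# the same failed logins spread over days, which the window discards.
T0 = datetime(2010, 6, 1, 9, 0)
def ev(host, minutes, kind, **a):
    return {"host": host, "time": T0 + timedelta(minutes=minutes), "kind": kind, **a}
SAMPLE = ([ev("web01", 0, "change", setting="ftp_enabled", user="jdoe")]
          + [ev("web01", 5 + i, "login_failed") for i in range(10)]
          + [ev("web01", 16, "login_success"), ev("web01", 20, "ftp_transfer", foreign_ip=True)]
          + [ev("db02", 1440 * i, "login_failed") for i in range(5)]
          + [ev("db02", 7200, "login_success"), ev("db02", 7201, "audit_log_cleared")])
```

Running `correlate(SAMPLE)` yields a single event of interest for web01; dropping the change event from the sample yields none, which is the point of correlating change events with log events rather than alerting on each.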
Maintain Desired State
[Diagram over Time: Assess & Achieve, then Maintain Desired State]
• Non-stop monitoring & collection
• Dynamic analysis to find suspicious activities
• Alert on impact to policy
• Remediate options to speed remedy
Correlate to Bad Changes | Correlate to Suspicious Events
Change, Breaches, Audits and Outages Happen. TAKE CONTROL.

Tripwire is a leading global provider of IT security and compliance automation solutions that enable organizations to protect, control and audit their entire IT infrastructure.
Answers For Your Questions

Editor's Notes

  • #9 TZ: Ed, what exactly is this “data deluge problem”? Ed: Over the last several years many organizations have put collection systems in place to meet PCI requirements. They put in log management and FIM along with other security tools. And they have been collecting a ton of data ever since. So they have plenty of data to meet compliance requirements. But the problem is they have too much data for it to be useful. And it is almost impossible to quickly know if any of the data is indicating a security issue. It’s like trying to find a single land-mine in a massive land-fill before it goes off and causes damage. TZ (to transition to next): and this here is some data to show what the “deluge” actually means in terms of volume.
  • #10 TZ (to talk to this slide). TZ (to transition to next slide – TZ to ask Ed): So what is the challenge of security and compliance information being trapped in this big, what you called a “landfill”?
  • #12 ER: The cost of this time delay is enormous. These organizations not only suffer monetarily, their “mojo” is also badly damaged. They lose shareholder trust and value. Their name remains in the press and in presentations like this for a very long time. TZ (to transition to next slide): Going back to our title, which is about ensuring security and compliance in light of this vast sea of data, we at Tripwire offer a pragmatic approach to compliance and security. Let’s spend a moment talking about what that means.
  • #15 Having tools in place that just capture the things that are changing does not help close the time gap problem. Capturing data is NOT the same as knowing when something BAD is happening. And isolating the bad from the good is what is needed to make it possible to find and fix bad events within minutes of them happening.
  • #22 Automated help is needed to enable these organizations to more quickly know their data is at risk due to breach activity. They need to close the breach-to-discovery time gap.
  • #24 ER: You have to collect the data. That has always been a requirement. The problem has been that far too many merchants ended their PCI projects at this point. How you collect is important. That’s something you need to look at. But you cannot stop here. You must also have an automated way to analyze the data to determine if security issues exist. TZ (to transition): can you talk more about what that actually means?
  • #28 This graphic shows how the ChangeIQ capability of Tripwire Enterprise works. Dynamic Policy Testing: a change to configuration settings triggers an automatic retesting of each setting against what policy defines it should be. If any setting fails its testing as a result of the detected change, an alert is issued and remediation advice is provided to return the setting to an approved state. Change Process Analysis: high-risk changes are dynamically compared to any number of change process criteria to determine if the change meets those criteria and is, therefore, typical and expected. If it meets any of the criteria the change is promoted to the change database. If it does not meet any of the criteria an alert is issued. Detailed change property information is then available to speed corrective action. Reconcile to Authorization: specific changes can be automatically compared to Request For Change authorization tickets.
  • #29 The result of ChangeIQ is this: the majority of detected changes can be intelligently filtered from further investigation, leaving only those changes that have caused a policy violation or for other reasons are suspicious and need additional investigation.
  • #30 This graphic shows the Tripwire Log Center architecture for managing and archiving log events as well as dynamically correlating suspicious log activity through its event management capabilities. As log events flow into Tripwire Log Center they are stored and managed in a flat-file data store (which is similar to how Google works). This allows extremely fast and global search across the entire log data store. And at the same time, as the log events flow into the system they are dynamically normalized and correlated in memory to spot specific sequences of events that pose a known threat to the environment (Event Management). Any of these events of interest are also written to a built-in relational database for complex reporting and data visualization requirements.
  • #31 The result of Event Management is this: the majority of detected log events can be intelligently filtered from further investigation, leaving only those events that are suspicious, based on rules, and need additional investigation. ER: This is really what you want to know. 5 failed logins on its own followed by a successful login is probably a medium to low alert. In fact, this is so common it’s contributing to SIEM overload. But getting an unrelated alert for each one of these every step along the way won’t help. We think you need this context to see all of these happening in concert so you can quickly see these complicated patterns that impact security. TZ (to transition to next slide): so what does Tripwire do to help solve this?
  • #35 Tripwire VIA delivers intelligent threat control by providing… Visibility across your infrastructure to know what is happening at all times. Intelligence to know which changes or events are suspect and may put your infrastructure and data at risk of compromise. Automation to help you categorize high risk changes and events, remediate certain conditions, and automate compliance requirements such as reporting.