What is one of the most important and often misunderstood security compliance requirements?
Why, tracking and monitoring access to network resources, of course.
Every regulatory compliance initiative — and every discussion of network security best practices — involves log analysis. It’s really the only way to see what’s happening on your network. Unfortunately, it’s easier said than done.
In part one of this three-part series you learned that being compliant can lead to a false sense of security: Real security comes from a combination of network best practices, employee education, policy enforcement and continuous vigilance. Part two taught you that no matter your size, you’re a target: Whether you’re dealing with insider abuse or facing unseen and unknown international hackers, the risks to your business are real.
In this third and final article, we’ll discuss the ins and outs of compliance mandates and network security best practices.
Most networks have a variety of equipment from multiple vendors including routers, firewalls, switches and a combination of operating systems like Windows, Linux and UNIX. Add specialty devices like intrusion detection or prevention systems, core applications for identity and access management and central databases and you are easily generating millions of events daily. It’s easy to understand why many choose the path of least resistance when it comes to this area of compliance.
The letter of the law requires that log data be collected and analyzed. For example, PCI regulations require that it be analyzed daily, but what exactly do they mean by analyzed?
Many companies opt for simple log aggregation and log management processes that collect the data and run a few reports, but ultimately provide no real insight into the health and security of the network – which does not fulfill the regulatory requirements.
Every month we read a new headline about a company that has had millions of credit cards or identities stolen. Forensic investigations are usually able to piece together how the intruder gained access, what applications they installed, and ultimately how the data was captured and transported. Nearly all of this information and insight comes from collected log data, but having the ability to retrace the steps of the hacker was little comfort to the organization or their customers.
Greater visibility equals better security
Staying out of the headlines means analyzing your network’s log data. Some organizations turn to managed service providers for log analysis; however, it’s important to understand that outsourcing the work does not mean outsourcing the liability.
Managed service providers simply won’t take on the legal responsibility of monitoring your network for breaches and abuse, and it would be unreasonable to expect that they would. It’s also unreasonable to expect that managed service providers can master the details of your network, business and employees with sufficient depth to recognize when seemingly normal network behavior is actually suspicious or even malicious behavior.
For many organizations the answer to the dilemma is security information and event management (SIEM). SIEM sits in the center of the network and aggregates and analyzes log data from all core network security products while delivering real-time analysis, event correlation, notification and even response. Simply stated, SIEM is like a watchdog that is trained to monitor the network’s critical assets and bark at — or bite — intruders.
Hindsight is 20/20. It’s easy to analyze recent breaches and discuss the role SIEM technology could have played to prevent or minimize the damage. The technology is designed to track user access, application installation and execution, file access, database queries, USB usage and wireless access, and it is exceptionally well suited for correlating these behaviors with properties that are unique to a given business – giving SIEM a distinct advantage over forensic technologies.
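To make the correlation idea concrete, here is an added example (not code from the article or from TriGeo) of the kind of rule a SIEM applies: it normalizes two constructed log formats standing in for different vendors, then correlates a privileged login with business-specific context (assumed vendor hosts and working hours) and with follow-on database export and USB activity. All account names, hosts and line formats are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Business context the correlation keys on (assumed values, constructed for this example).
PRIVILEGED_USERS = {"dba_admin"}
VENDOR_HOSTS = {"10.9.9.5"}
WORK_HOURS = range(8, 18)          # 08:00-17:59 local
WINDOW = timedelta(minutes=10)     # how long after a login a follow-on action counts as related

# Two constructed line formats standing in for different vendors' logs.
FW_RE = re.compile(r"^(?P<ts>\S+) fw: ALLOW src=(?P<src>\S+) user=(?P<user>\S+)$")
APP_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+): user=(?P<user>\S+) action=(?P<action>\S+)$")

# Constructed sample events: one suspicious sequence and one benign one.
SAMPLE_LOGS = [
    "2024-03-05T02:14:00 fw: ALLOW src=10.9.9.5 user=dba_admin",
    "2024-03-05T02:16:30 db01 postgres: user=dba_admin action=export_table",
    "2024-03-05T02:20:00 ws17 endpoint: user=dba_admin action=usb_mount",
    "2024-03-05T09:00:00 fw: ALLOW src=10.1.1.20 user=jsmith",
    "2024-03-05T09:05:00 app01 crm: user=jsmith action=view_record",
]

def parse(line):
    """Normalize a line from either format into one event dict; return None if unrecognized."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "action": "login", "src": m["src"]}
    m = APP_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "action": m["action"], "src": m["host"]}
    return None

def correlate(lines):
    """Apply two correlation rules and return a list of (rule, user, timestamp) alerts."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["action"] != "login":
            continue
        # Rule 1: privileged account arriving from a vendor host outside working hours.
        if ev["user"] in PRIVILEGED_USERS and ev["src"] in VENDOR_HOSTS and ev["ts"].hour not in WORK_HOURS:
            alerts.append(("privileged_vendor_offhours_login", ev["user"], ev["ts"]))
        # Rule 2: the same login followed within WINDOW by a bulk export and removable media use.
        follow = {e["action"] for e in events[i + 1:]
                  if e["user"] == ev["user"] and e["ts"] - ev["ts"] <= WINDOW}
        if {"export_table", "usb_mount"} <= follow:
            alerts.append(("export_then_usb_after_login", ev["user"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for rule, user, ts in correlate(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {rule} user={user}")
```

Neither line on its own is alarming; the alert comes from joining events across vendors with context only the business knows, which is the point the article makes about SIEM versus after-the-fact forensics.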
Compliance mandates should be common sense best practices for network security but how do you know whether the systems are working? Can you be sure that employees with privileged access aren’t abusing those rights? What actions are vendors taking on the network? How will you detect a network configuration mistake? All of these questions are on your auditor’s mind. Are they on yours?
Michael Maloof is chief technology officer at TriGeo Network Security.