In the movie Wall Street, Gordon Gekko, the iconic corporate raider played by Michael Douglas, said that “the most valuable commodity I know is information”. It was a key line of dialogue foreshadowing the events that followed in the 1987 film, but applying that same sentiment in today’s fluidly connected mobile workplaces is just as relevant. The average enterprise is more interconnected now than what could have been thought possible 20 years ago, which has also created more urgency over how porous a company’s information security can be.
Indeed, the concern over compromised data from outside interlopers is something IT security managers will always have to contend with, but the concern is now two-fold. Regulatory oversight and log data must now work hand-in-hand to ensure that security protocols are maintained from within the organization as well, particularly as it pertains to compliance.
Considering that many breaches occur internally from employees who can access key data, information security auditors have begun focusing on segregating duties and assessing the level of access their clients’ employees have, as well as what the controls are around the security administration process. While this largely relates to securing and protecting data, it also applies to maintaining compliance with a growing number of regulations.
The Madoff Touch
The climate was already in the throes of change prior to the global economic crisis, but the fallout from disgraced Wall Street tycoon Bernie Madoff’s downfall in 2008 initiated a greater need to add controls and processes around securing data, while being more vigilant about who can actually access it. This has made it hard to find an industry that isn’t touched by regulations that mandate the collection, retention and review of log data.
Despite the renewed awareness over protecting a company’s information assets, security experts are still wagging their fingers at executives who don’t take a proactive approach to dealing with it before auditors start knocking on their doors.
“[IT managers] make the mistake of considering compliance simply as a series of check boxes rather than aligning the compliance mandates with a comprehensive information security strategy”, says Mike Reagan, VP of marketing for LogRhythm, a log management firm based in Colorado. “Given that log data represents the digital fingerprints of everything that happens in an enterprise, automating the collection, review and analysis of logs should be a key starting point, not the end-point.”
| "Logs capture evidence and alert on suspicious activity, and while compliance regulations are changing to encompass these new risk factors, they will always lag behind the new and evolving threats" |
| Mike Reagan, LogRhythm |
Making such a proactive jump would first require that an enterprise centralize the collection of log data from all log sources on the network, he says. The next step, Reagan suggests, would be to automate the analysis of those logs to find the meaningful events, and then follow that by using the information inherent in all the logs to gain a real-time understanding of what’s happening in and around the enterprise.
“Deployed and configured properly, a comprehensive log and event management solution can empower organizations every day to efficiently comply with regulations, secure their networks and optimize their IT operations”, he says.
Patricia Titus is the chief information security officer (CISO) for Unisys Corp., and was the first CISO at the Transportation Security Administration (TSA), where she oversaw the implementation of information security processes. She agrees with Reagan that creating a strong system security plan with a single reference point can only better serve auditors who will ultimately review them to verify their veracity. After all, non-compliance, if exposed, runs the risk of keeping companies from public trading and possible disciplinary action that includes fines and stiff penalties.
“We had a customer [at Unisys] that was identified as non-compliant to necessary regulations, so we had to have an open discussion with the client in order for us to continue working with them, while knowing of this violation”, Titus explains. “After discussing the situation with the client, we laid out a strategy for compliance using some compensating controls. This allowed security controls to be heightened and increased in other areas to cover this particular area of non-compliance.
We then assisted our client by determining a remediation plan, outlining the funding and human resources needed, and submitting the request to senior leadership. This was a value-add to the client, giving them options for identifying the weaknesses and laying out a strategy to correct the deficiency.”
Reagan tells a similar story of a large national restaurant chain that was due to undergo an external PCI audit. The audit, performed by an internal QSA (qualified security assessor), determined that the company would not pass the PCI mandates related to log and event management and file integrity monitoring. Reagan says that the company deployed LogRhythm, and managed to automate the collection and analysis of millions of logs that the 800 restaurants were generating, thereby delivering PCI-compliant reports and alerts to the recipients in the chain that needed them.
“The customer said they would’ve been dead in the water without LogRhythm, but instead they sailed through their PCI audit”, Reagan adds.
Different Business, Same Story
Of course, different sectors must adhere to different regulations that require audits anywhere from quarterly to annually. This is especially true of health care and retail operations, which usually have access to sensitive and personal information that could lead to serious repercussions if a breach were to take place – or even if a company was to be exposed for non-compliance, which could chip away at consumer confidence. HIPPA and HITECH are just two of many regulatory regimes that health care has to deal with. Retail has its own laundry list, but even government agencies at both the federal and state levels must answer to their own regulators as well.
| "Information security can’t be looked at after the fact anymore" |
| David Roath, PwC |
Embracing that inherent need was largely behind a 58-page survey report PricewaterhouseCoopers conducted earlier this year. Its “2011 Global State of Information Security Survey” brought together opinions from 12 800 security executives covering more than 135 countries. The report’s findings are echoed by David Roath, a partner at PwC, who is responsible for risk assurance. He feels that companies, by and large, are looking for “comfort” in ensuring that their data is secured and confidential, but that a number of clients are asking for “a very specific, customized” report and opinion over a set of criteria.
As an example, he cites the American Institute of Certified Public Accountants (AICPA) and SysTrust, which was jointly developed with the Canadian Institute of Chartered Accountants (CICA). The US Department of Commerce offers it as a one-stop service that allows CPAs to test and verify a system’s availability, security, integrity and maintainability.
“The challenge with information security is that the world we live in now is evolving so rapidly that clients are having challenges in keeping up with the change in the processes and the underlying technology that they have to build to meet those business requirements”, says Roath.
The increase in regulatory focus, plus the concern over data security threats and vulnerabilities to company assets, along with identifying and managing third-party risk is why clients are looking for third-party assurance, he adds. What makes it even more challenging from the organizational perspective is that numerous auditors may be coming for different purposes, adding complexity to operations when being audited from a number of different directions.
The Web of Complexity
The complexity, however, also relates to where the vulnerabilities are coming from. Now that internal and external boundaries of enterprise networks have blurred with the expansion of the web, social networks and personal channels of communication have become standard in the workplace. Despite the importance some organizations place on them as tools, failing to secure them can be even more dangerous. “Logs capture evidence and alert on suspicious activity, and while compliance regulations are changing to encompass these new risk factors, they will always lag behind the new and evolving threats”, Reagan asserts.
| "All threats are moving to the web because it’s a lot more likely now that the real danger will be in clicking a link rather than opening an email attachment" |
| Lee Graves, eSoft |
Lee Graves, a threat communications specialist with Colorado-based eSoft, knows all too well how insidious the web can be. He says eSoft has amassed a database of over 450 million URLs in 53 categories – five of which are purely on security – that are deemed to be malicious, spam, phishing, adware or compromised sites. Moreover, 1.1 million virus signatures have been collected that protect against 5.6 million viruses and malware threats floating in cyberspace. Those numbers represent an almost 10-fold increase from only two years ago.
“All threats are moving to the web because it’s a lot more likely now that the real danger will be in clicking a link rather than opening an email attachment, so more and more is being pushed through the browser”, says Graves.
With all the browser-based tools being used within enterprises, and the advent of cloud computing in the mix, new technologies only increase the delivery mechanisms for potential breaches because they transfer data in a number of different ways. This is why each new technology has to be addressed in a security mindset, because hindsight never protects against a breach.
“Information security can’t be looked at after the fact anymore”, Roath says. “Thankfully, we’re now seeing chief executives looking for that level of comfort over information security, whereas it used to be something CSOs or CISOs would deal with.”