
These vendors have been carefully selected by us to ensure that they offer a full breadth of solutions based on the different criteria specified by the client. These factors typically include performance, resilience, scalability, cost as well as core functionality requirements.
It is essential to secure sensitive information over its full lifecycle, as some threats, particularly those related to internal fraud can be long-term activities. It is also important to be able to clearly articulate to auditors how this is done.
To enable auditors to go back several years to trace and to forensically examine security violations, compliance now requires security event logs from network nodes and key applications to be securely collected and stored for many years.
Compliance requires auditable reduction in operational risk
Operational risk reduction is a requirement of laws covering internal accounting controls, information security standards, best-practice corporate governance codes and banking accords on capital adequacy, such as Sarbanes-Oxley (SOX), ISO 27001, the London Stock Exchange Combined Code and Basel II. Achieving compliance requires tighter control of sensitive information and the inclusion of IT-security processes and logs within audits. Financial institutions are required to:
- Make a risk-based evaluation of what security event data to log
- Establish the mandated log retention timeframes
- Establish policies for secure handling and analysis of log files
Technical Challenge
A major organisation has evolved a heterogeneous mix of technologies and devices from different vendors. In response to new business requirements and the relentlessly changing threat environment, there is a regular addition of new devices that can generate new types of log information.
A large network continuously generates high volumes of log data from high performance security products such as firewalls and identity management systems. Comprehensive monitoring of all event logs is a daily task for operational IT managers. Correctly interpreted, event logs enable unusual events and threats to be identified and remedial action taken. This is a time-consuming task that requires well-trained and highly skilled staff.
The wide range of log formats from different vendors greatly complicates log review. For example, a recent Kerna customer needed to securely monitor the following logs: Windows 2003/NT network logs (Active Directory), LDAP, HP-UX, AIX, Oracle, Sybase, IBM ACF2 mainframe, Unisys mainframe, PIX and Check Point firewalls, Vasco and RSA remote access systems, Barracuda spam classifier/blocker, BlueCoat proxy for anti-virus/spyware scanning and Tumbleweed email security.
Even for the same device type, the data recorded by different vendors is typically different. For example, PIX and Check Point firewalls record different data types, and an iptables-based firewall can log more detail about packet headers than a PIX firewall.
Most network vendors provide their own management tools, which means it can be difficult to gain a correlated, comprehensive and real-time analysis of the extent and nature of unusual network activity. Different vendor management interfaces mean that log review is typically a sequential task. This increases the time taken to respond to a network attack and makes network managers reactive to events. This exposes the organisation to unnecessary risk.
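The format problem described above is easiest to see in code. The following is an added example, not code from the article or from any vendor product: it takes three constructed firewall lines in the general style of PIX, Check Point and iptables output (the sample lines only approximate each vendor's real syntax) and normalises them into one vendor-neutral record, while keeping the untouched original line alongside the extracted fields so that the raw evidence is never lost.

```python
"""Normalise firewall log lines from several vendor formats into one schema.

Added example, not code from the original article or any vendor product. The
three sample lines are constructed for illustration and only approximate each
vendor's real syntax; what matters is the common record that keeps the
untouched original line alongside the fields extracted from it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the style of three firewall families.
SAMPLE_LINES = [
    # Cisco PIX-style connection build message
    "Mar 12 10:15:01 pix01 %PIX-6-302013: Built outbound TCP connection 91 for "
    "inside:192.0.2.10/51234 (192.0.2.10/51234) to outside:198.51.100.5/443 "
    "(198.51.100.5/443)",
    # Check Point-style key=value export
    "Mar 12 10:15:02 cp01 action=drop src=192.0.2.10 dst=198.51.100.9 proto=tcp "
    "service=22 rule=7",
    # Linux iptables kernel log (no LOG --log-prefix configured)
    "Mar 12 10:15:03 gw01 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 SYN",
]


@dataclass
class Event:
    """Vendor-neutral record. `raw` is the original line, kept verbatim."""
    vendor: str
    action: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str
    raw: str


PIX_RE = re.compile(
    r"%PIX-\d-\d+: (?P<action>Built|Teardown) (?:outbound |inbound )?"
    r"(?P<proto>TCP|UDP) connection \d+ for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\([\d.]+/\d+\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_pix(line: str) -> Optional[Event]:
    m = PIX_RE.search(line)
    if not m:
        return None
    return Event("pix", m["action"].lower(), m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["proto"].lower(), line)


def parse_checkpoint(line: str) -> Optional[Event]:
    kv = dict(KV_RE.findall(line))
    if "src" not in kv or "dst" not in kv:
        return None
    service = kv.get("service", "")
    # This export style carries the destination service but no source port.
    return Event("checkpoint", kv.get("action", "unknown"), kv["src"], None,
                 kv["dst"], int(service) if service.isdigit() else None,
                 kv.get("proto", "unknown").lower(), line)


def parse_iptables(line: str) -> Optional[Event]:
    kv = dict(KV_RE.findall(line))
    if "SRC" not in kv or "DST" not in kv:
        return None
    # Any --log-prefix text sits between "kernel:" and "IN="; when absent, treat as a plain log.
    prefix = line.split("kernel:", 1)[1].split("IN=", 1)[0].strip()
    return Event("iptables", prefix.lower() or "log", kv["SRC"],
                 int(kv["SPT"]) if kv.get("SPT", "").isdigit() else None,
                 kv["DST"], int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None,
                 kv.get("PROTO", "unknown").lower(), line)


def parse_line(line: str) -> Optional[Event]:
    """Dispatch on a cheap vendor fingerprint, then parse with that vendor's rules."""
    if "%PIX-" in line:
        return parse_pix(line)
    if "kernel:" in line and "SRC=" in line:
        return parse_iptables(line)
    if "src=" in line and "dst=" in line:
        return parse_checkpoint(line)
    return None


def parse_all(lines: List[str]) -> List[Event]:
    """Parse every line it can; unrecognised lines are skipped, not dropped silently elsewhere."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(f"{ev.vendor:10} {ev.action:6} {ev.src_ip}:{ev.src_port} -> "
              f"{ev.dst_ip}:{ev.dst_port} {ev.proto}")
```

Once every source is reduced to the same `Event` shape, a single query such as "all events where `src_ip` is 192.0.2.10" spans the PIX, Check Point and iptables devices at once, instead of being repeated in each vendor's console. In practice an unrecognised line should be counted and retained rather than discarded, since a new device type showing up in the feed is itself worth knowing about.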
Log Consolidation reduces compliance risk
Log consolidation, which automates and centralises event logging and secure storage, is the only practical approach to the regulatory and legal requirement to maintain logs for many years. Any such system needs to be scalable and high-performance, with fast fine-grained search, to cope with the three fundamental problems of log management on large networks: the sheer amount of data, the high rate of incoming data and the lack of consistent log formatting.
Event logs should be collected securely from identified remote network resources as close to real time as possible. They should be correlated and displayed via a central monitoring station to give a coherent and informed overview of network events and the full extent of a problem. The better log consolidation systems provide extensive auditing and reporting capabilities.
To be useful in any legal dispute, log data needs to be securely transported, time-stamped and stored in its original format. Relational databases are not suitable for this task, as they are too complicated and expensive to maintain and too slow to search terabytes of data quickly for forensic analysis.
Normal practical considerations apply in terms of ensuring ease of use and minimising the cost of implementation and maintenance. Ideally, the management console should use a web front end. To minimise total cost of ownership, it is important to avoid the need to install and maintain agents on each network device.
Although a log consolidation solution will usually support a large number of vendor device types, it is not always possible to easily extract log information, especially for bespoke applications. Hence, there needs to be an API to enable the building of extensions.
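The section above asks that collected lines be time-stamped on receipt, stored in their original format and searchable quickly, and that the archive stand up in a legal dispute. The following added example (not code from the article or from any product it describes) shows one defensive way to get those properties: an append-only store that hash-chains each record to the previous one, so that an edit, reordering or deletion of archived lines is detectable when the chain is re-verified. The sample input is constructed; the deterministic clock and the `LogStore` class are this example's own, and periodically signing the chain head or copying it to write-once media is assumed to happen outside the code.

```python
"""Tamper-evident, time-stamped store for raw log lines with filtered search.

Added example, not code from the original article or any product it describes.
It shows three properties the text asks of a consolidation system: each line
is kept in its original format, each receipt is time-stamped by the collector,
and records are hash-chained so a later edit, reordering or deletion of
archived lines is detectable. Signing the chain head or copying it to
write-once media at intervals is assumed to happen outside this code.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first record

# Constructed sample input: (collector's name for the source, original line).
SAMPLE_INPUT = [
    ("pix01", "%PIX-6-302013: Built outbound TCP connection 91 for inside:192.0.2.10/51234 "
              "(192.0.2.10/51234) to outside:198.51.100.5/443 (198.51.100.5/443)"),
    ("cp01", "action=drop src=192.0.2.10 dst=198.51.100.9 proto=tcp service=22 rule=7"),
    ("gw01", "kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=22"),
]


def make_clock(start: datetime) -> Callable[[], datetime]:
    """Deterministic clock for the demo: each call returns one second later."""
    current = [start]

    def clock() -> datetime:
        current[0] += timedelta(seconds=1)
        return current[0]
    return clock


class LogStore:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self.records: List[dict] = []

    @staticmethod
    def _digest(prev_hash: str, seq: int, received_at: str, source: str, raw: str) -> str:
        # JSON framing keeps the fields unambiguous (no delimiter collisions in raw).
        payload = json.dumps([prev_hash, seq, received_at, source, raw], separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, source: str, raw: str) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        received_at = self._clock().isoformat()  # collector time, not the device's own clock
        rec = {"seq": seq, "received_at": received_at, "source": source,
               "raw": raw, "prev_hash": prev}
        rec["hash"] = self._digest(prev, seq, received_at, source, raw)
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Current chain head; keep a copy outside the store to catch truncation."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, str]:
        """Recompute the whole chain; report the first record that no longer fits."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            expected = self._digest(prev, rec["seq"], rec["received_at"], rec["source"], rec["raw"])
            if rec["seq"] != i or rec["prev_hash"] != prev or rec["hash"] != expected:
                return False, f"record {i} altered or out of sequence"
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return False, "chain head differs from the stored head (trailing records removed?)"
        return True, "ok"

    def search(self, needle: str, source: Optional[str] = None,
               since: Optional[datetime] = None, until: Optional[datetime] = None) -> List[dict]:
        """Substring search over the original lines, filtered by source and receipt time."""
        hits = []
        for rec in self.records:
            if needle not in rec["raw"] or (source and rec["source"] != source):
                continue
            ts = datetime.fromisoformat(rec["received_at"])
            if (since and ts < since) or (until and ts > until):
                continue
            hits.append(rec)
        return hits


if __name__ == "__main__":
    store = LogStore(make_clock(datetime(2024, 3, 12, 10, 15, 0, tzinfo=timezone.utc)))
    for src, line in SAMPLE_INPUT:
        store.append(src, line)
    print(store.verify(), len(store.search("192.0.2.10")))
```

The chain catches an altered or reordered record on its own, but silently dropping the newest records leaves a chain that still verifies; that is why `head()` exists and why `verify()` accepts an externally stored head. The linear search here stands in for the indexed, fine-grained search a production system needs over terabytes; the point is that the query runs over the verbatim lines, so what an analyst finds is what the device actually emitted.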
Business Challenge
- Your business is highly dependent on core IT services. Its health depends on maintaining trust and security. As reputation is core to your value proposition, the market costs of bad publicity due to a security breach are likely to be far larger than any legal and financial costs.
- Regulatory compliance drives your business to focus more on operational risk reduction and internal threat management. Audits require long-term storage of IT-security event logs.
Important event logs to monitor
A risk-based evaluation of what security event data to record will typically log:
- Firewall events
- Network and host events
- Intrusion detection system events
- Remote access activity
- Operating system and administrative access
- Application access
Changing threat profile
Malware such as viruses and spam is a highly visible threat, and sophisticated attacks, such as a spam-bot distributed denial-of-service attack, can paralyse large parts of the business for days. Aside from direct losses, it may cause a confusion of highly unproductive organisational activity and damage important partner relationships.
Although far less visible, the threat posed by organisational insiders may be even greater and far more difficult to detect. For example, fraudulent manipulation of financial data may be a subtle background activity happening over months or years, and intellectual property may be consciously or inadvertently sent by a disgruntled employee to a competitor.
Efficient Incident Response
An IT-security incident should trigger a structured response that requires review of all security logs. The quality of response will depend upon:
- The availability of sufficient well-trained personnel who recognise threat patterns (even new types) in very high volumes of data.
- The degree of scenario-based contingency planning that can both enable and inform co-ordinated action.
- The timely ability to gain a clear understanding of the full nature and extent of a problem.
Business Value
Log consolidation can be a cornerstone of regulatory compliance. However, its benefits are felt most immediately in incident response, as it provides a single comprehensive overview of network activity and a highly efficient process for searching and correlating events in real time.