
Log Management Is Important To Compliance


Only One Component; Comprehensive SIEM is Mandatory

By Vijay Basani, Chief Executive Officer, eIQnetworks

We live in an era in which laws and rules mandate security information and event management. Many industries must comply with rules that mandate specific security-oriented capabilities, and log management satisfies only part of those requirements.

So while log management is extremely important, it is clearly only one piece of the security operations management puzzle. Companies cannot be lulled into complacency by thinking that simply implementing a log management strategy will solve their larger security operations management and compliance management challenges.

Your ability to prevent, detect and respond to internal and external threats that could harm your network or sensitive data is no longer just an industry best practice. Today, these information security best practices have been codified in numerous laws and regulations that mandate prudent security information and event management. While many people consider prevention the ideal, a company's ability to detect and respond to security events is a requirement. Detection and response are at the heart of SIEM, which makes it essential to an effective security operations management program.

Effective Security Operations Management is a Multi-Pronged Approach
SIEM helps an organization integrate people, processes, technology and systems by enhancing its ability to monitor the network and key systems and to respond to security alerts in real time. A prudent SIEM process produces uncompromised audit trails and tangible evidence of internal controls and regulatory compliance. It also gives you the ability to identify, measure, trace and verify that security measures are working and that systems are performing efficiently, through a set of mandatory capabilities that together make up the multi-pronged approach to effective security operations management. These capabilities include real-time monitoring, threat visualization, correlation analysis, secure log management, documentation, intrusion detection, rapid response and reporting, risk management and mitigation, and validation of the security of your architecture.

So what do you look for in a SIEM solution to meet these mandatory requirements?
• Monitoring & Correlation Analysis: Continuous monitoring and correlation analysis is the most effective way to prevent attacks and detect suspicious activity; it is also a regulatory mandate. Monitoring and correlation analysis play a critical role in helping you identify the strong and vulnerable elements of your security infrastructure, as well as security breaches. Information about vulnerabilities and threats, attempted attacks and actual attacks must be continuously gathered and analyzed to evaluate the effectiveness of the overall security program.

• Secure and Comprehensive Log Management: Logging is the initial phase of a SIEM program. Log files are critical to the successful investigation and prosecution of security incidents; therefore best practices recommend logging all events from all IT assets. Secure handling of log files (collection, aggregation, compression and encryption) also supports effective and timely identification of and response to security incidents, and the monitoring and enforcement of policy compliance.

• Alert and Respond Rapidly: SIEM enhances your ability to mitigate risks and their negative effects by enabling detection, alerting and rapid response. Organizations must be capable of rapidly detecting, alerting on and responding to security breaches to effectively mitigate risk and comply with regulatory mandates. If an organization can detect an attempted breach or violation early, it has a greater ability to lessen or eliminate the potential effect. However, detection alone won't mitigate the risks of an intrusion. Therefore, a mechanism for real-time alerting on new vulnerabilities, security incidents and degrading performance is imperative.

• Report and Audit: What you don't know CAN hurt you! An effective SIEM program provides near real-time, comprehensive reporting that gives you a holistic view of the organization's security posture. It should allow different people to access information based on the role they play in IT management and security enforcement. Proper analysis of the threats to your organization and of potential vulnerabilities requires reporting tools that correlate key data from across your entire network and from all endpoints that have access to it. Reporting is mandated by numerous regulations. New regulations, IT governance, and board of director responsibilities for protecting information assets now require companies to have reporting capabilities. It is essential that the reports you produce provide meaningful assessments at every level of the organization, from the executive suite to the technical labs. Secure, automated and concise logs create an irrefutable audit trail. When this audit trail is combined with a comprehensive reporting function, it provides valuable information for auditing security controls and systems. Auditors and examiners also look for adequate reporting capabilities to help validate proactive management of the information security program and mitigation of the risks from attacks and threats.

• Forensics and Investigative Analysis: You should be able to get a clear picture of the path an intruder took, so that you can understand how to prevent or eliminate system-wide or future breaches. An effective forensic analysis capability should allow the security administrator or a compliance auditor to conduct ad-hoc searches across hundreds of gigabytes of archived and encrypted log data using any filter or expression-based search. This lets them get quickly to the root cause of problems or violations. It can also be an effective tool in litigation, to prove that a person has violated corporate IT policies or to prosecute an intruder by showing their activity.
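The correlation and audit-trail capabilities described above, as an added illustration that is not part of the original article or of any eIQnetworks product: a minimal correlation rule (repeated failed logins from one source followed by a success within a time window) run over constructed authentication log lines, plus a hash chain over the same lines so that any edit or deletion in the archived log is detectable. The log format, rule thresholds and function names are assumptions made for this example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in an assumed syslog-like format (not from a real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04 sshd[102]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 sshd[103]: Failed password for root from 203.0.113.7
2024-03-01T09:00:15 sshd[104]: Accepted password for admin from 203.0.113.7
2024-03-01T09:01:30 sshd[105]: Failed password for bob from 198.51.100.20
2024-03-01T09:05:00 sshd[106]: Accepted password for bob from 198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(text):
    """Normalize raw lines into (timestamp, outcome, user, src_ip) tuples (collection step)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, ip))
    return events

def correlate(events, threshold=3, window_s=60):
    """Rule: at least `threshold` failures from one source within `window_s`, then a success."""
    failures = defaultdict(list)   # src_ip -> timestamps of failed attempts
    alerts = []
    for ts, outcome, user, ip in events:
        if outcome == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({"src_ip": ip, "user": user, "failures": len(recent), "at": ts.isoformat()})
    return alerts

def chain(text, prev="0" * 64):
    """Hash-chain each line to its predecessor; store (line, digest) as the tamper-evident record."""
    out = []
    for line in text.splitlines():
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        out.append((line, prev))
    return out

def verify(chained, prev="0" * 64):
    """Recompute the chain; any edited, removed or reordered line breaks it."""
    for line, digest in chained:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        if prev != digest:
            return False
    return True
```

In a production SIEM the chain digests would be written to separate, write-once storage so an attacker who can edit the log cannot also rewrite the chain.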

Laws Aside, Security Operations Management is the New "Best Practice"
Regardless of which laws and rules your company must comply with, developing a comprehensive SIEM-based approach to security operations management will help demonstrate that you have the right risk management practices and security controls in place to achieve regulatory compliance. As you develop your security program and risk mitigation strategy, be sure to implement prudent security information and event management practices. Doing so will ensure you have full command of your enterprise security posture.







