Compliance: Burden or Opportunity?


By Dominique Levin, VP of Product Management and Business Development, LogLogic

To companies already struggling to control IT expenses, compliance might seem like an unwelcome addition to any list of priorities. In fact, many companies say meeting regulations today is a greater burden than was preparing systems for Y2K. As much as compliance is about complying with legal mandates and regulations, it also is an opportunity for companies to examine and improve IT and business processes and practices and to achieve a new level of risk mitigation and operational efficiency.

Compliance mandates force a critical examination of business and IT processes and practices. Such examination starts and ends with visibility and transparency into these processes and practices. Many regulatory and best practices frameworks recommend achieving transparency through logging: the activity of collecting, analyzing and storing a complete audit trail of system and user activity. All organizations generate log data, but the information is often not collected systematically or stored securely. Traditional approaches of dealing with log data are based on home-built log management solutions or security information and event management (SIEM) solutions that are not scalable and absorb significant resources. Many also lack critical features that could help prevent fraud and information leakage and improve overall operational efficiency.

The emergence of log management and intelligence as an industry illustrates the paradigm shift occurring in IT, as new enterprise-class solutions replace the homegrown scripts and SIEM products of the past to enable compliance, while also ensuring better all-around IT efficiency and data protection. Where it was once a siloed task, log data management is emerging as a best practice in ensuring operational effectiveness and mitigating risk.

Pete Boergerman, AVP, Senior Network Engineer and IT Security Officer, Citizens & Northern Bank, says that before deploying an enterprise-class LMI solution, they didn't have any centralized logging at all. "Now we have an effective way of actively monitoring and analyzing our network log data, staying aware of inconsistencies and unusual user activity, and meeting compliance requirements," he said.

Without a powerful log management solution, CIOs and IT organizations lack the visibility required to properly monitor their networks and respond to security, availability and performance issues effectively. Log management is an important element of any risk, performance and compliance management strategy.

An ongoing and automated examination of IT and business practices can illuminate processes in an organization that are wasting money and resources and point to better processes for managing data. Additionally, greater insight to log data can improve IT health by providing administrators speed and agility when responding to security and performance risks.

The burden of compliance
Compliance tasks can be tedious and time-consuming. Finding information for auditors takes hours, and organizing it into a usable format can be impossible without advanced reporting features that automate the process. Tight budgets limit headcount dedicated to compliance tasks, putting added strain on already taxed IT departments.

Although it's clear that increasingly strict guidelines necessitate automated ways to collect, analyze, alert on and archive log data, most companies do not have a solution in place to perform these tasks efficiently. Analysts predict U.S. enterprises will spend somewhere in the neighborhood of $16 billion on compliance in 2005 (source: AMR). According to Gartner, the average company spends $2 million on SOX, and Accenture says the average bank will spend $61 million on Basel II over the next couple of years.

Despite the investment being made in compliance, companies are still failing to meet requirements. In fact, only 18% of hospitals and health systems can prove compliance with HIPAA security regulations, according to the AHIMA, and Gartner says two-thirds of all companies found material weakness in controls this year, with audit deficiencies expected to double until 2008. Why are they failing to comply? Organizations that rely on homegrown logging solutions lack the visibility and transparency into their infrastructure to meet the requirements. For example, collecting disparate pieces of logging information without an automated way to summarize and analyze that information in real-time does not provide an administrator enough information to pinpoint unusual and suspicious user activity. Manual activities, such as searching through log data in response to auditors' questions, can make compliance efforts seem like a virtual black hole for IT budgets.

The problem is that the homegrown scripts and SIEM solutions of the past are no longer sufficient to handle the amount of data traversing corporate networks today, and are therefore costing companies a lot of money and resources, yet still failing to do the job.

Message rates have increased dramatically - about ten thousand log data messages are produced per second, adding up to around two terabytes of data per month. At the same time, shrinking IT budgets limit the technical personnel available to develop and maintain the scripts and rules needed to sift through the increasing volume of messages. Most solutions make it extremely difficult to pinpoint problems, and finding specific data can be like searching for a needle in a haystack. As a result, many companies believe they have access to the data they need, but in reality, most are unable to respond rapidly to security risks or compliance inquiries. They simply lack the data management capabilities to do so.

The cost of non-compliance
Managing and protecting the terabytes of data commonly generated by enterprise networks is a task that requires deep insight into network activity and the ability to react quickly should a problem - such as a security breach, system failure or internal leak - occur. Compliance frameworks define best practices for doing just that, and companies who do not comply face not only legal consequences, but also the risk of downtime, dissatisfied customers, and ultimately, lost revenue.

Each case of fraud costs companies an average of $15,000, and IT departments spend about 175 hours on remediation after a security incident. Corporations can be held liable, leading to legal debt and other related expenses. Additionally, brand damage resulting from waning consumer trust can cause huge losses in revenue. According to Gartner, by 2006, 20-30% of Global 1000 companies will suffer exposure due to privacy mismanagement. The costs to recover from these mistakes could range from $5-20 million per incident. In addition to legal risks, intellectual property leakage, such as shared trade secrets or pre-announced products, can cost companies millions in lost profits.

Effective log management can cut time to remediation significantly. One large financial institution slashed the time taken to respond to audit requests from four days to a matter of hours by automating critical log management and intelligence activities. Industry experts agree that a clear strategy for log data management is essential for compliance with risk mitigation and regulatory requirements. In fact, it's impossible today to achieve compliance without one.

Across the board, frameworks require logs
Any compliance strategy must be clear on how to achieve visibility and transparency of IT and business processes. Best practices frameworks recommend using log data to provide greater insight into four critical IT processes in particular to achieve a more proactive approach to heading off potential pitfalls in information management. These four critical IT processes that can be monitored through log data are:

1) Authentication and authorization: No individual should have more rights than he or she needs to execute his or her assigned tasks. The organization should also maintain a complete record of access and activities.

2) Configuration and change management: No changes should be made without authorization. A record of what changes are made should be maintained so that the state of a system or application at a previous time can be determined.

3) Segregation of duties: A single person should not have the right to configure IT systems as well as audit, initiate or approve incompatible activities in those systems.

4) Documentation: All entities must be held accountable. Compliance should be documented and tested on an ongoing basis. The audit trail should allow for testing of the internal IT control framework as well as substantiating regulatory compliance.

Although requirements vary slightly from industry to industry, these four areas are largely consistent. Most regulatory groups also recommend retaining accurate network activity logs for anywhere from three to seven years. Administrators can be asked to report on specific log data at any point, so fast access to complete data is essential.

Homegrown scripts and many SIEM solutions require a high degree of technical expertise to deploy and maintain, and can be tedious and time consuming to use. They must be updated constantly with new business rules, and staff is often dedicated to this function. But even more worrisome is that this approach is reactive; scripts are only executed after the fact, when a network issue has already caused a problem, and the company has already lost money.

The only way to ensure compliance and truly protect the network is by having fast access to complete log data, and the ability to organize and report on the data for auditors, or drill down into the data to pinpoint specific issues without overtaxing IT resources.

Mandates For Log Data Management
The Basel II Accord
All internationally active banks must adopt similar or consistent risk-management practices and implement a comprehensive program of risk prevention, detection, analysis and management. The accord recommends "retaining activity logs for 3 to 7 years."

The CERT Coordination Center
CERT devotes over 100 pages or 25% of the Advanced Information Assurance Handbook to Log Management and recommends companies "document a management plan for handling log files," and "analyze the log files on a periodic basis to look for suspect and unusual behavior and help you recover your systems."

Federal Financial Institutions Examination Council (FFIEC)
FFIEC recommends that companies "review access logs daily, create a historical repository of events, and share authoritative and accurate log data with senior managers."

The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA requires organizations to "audit and monitor system and user activity across the entire network, identify and investigate security breaches and suspicious behavior, and maintain an audit trail of user and network activity."

ISO 17799
This framework requires companies to "review the results of the monitoring activities regularly," and "maintain audit logs for system access and use, changes made, faults, corrective action, capacity demands and utilization."

North American Electric Reliability Council (NERC)
NERC says to "document physical and electronic access to critical cyber assets via access records." As a minimum, systems procedures shall address "firewall management, intrusion detection processes and the retention and review of operator logs, application logs, and intrusion detection logs."

National Industrial Security Program Operating Manual (NISPOM)
NISPOM recommends that companies should "schedule analysis of activity logs using automated tools" and "review audit log reports at least weekly."

National Institute of Standards and Technology (NIST)
NIST suggests companies "analyze performance logs in real time to look for availability problems" and "review user activity logs at least weekly for unusual or suspicious activity or violations."

Public Company Accounting Oversight Board (PCAOB)
PCAOB requires steps to prevent or detect theft, unauthorized use, or disposition of the company's assets that could have a material effect on financial statements.

SANS Institute
SANS publishes a list of the top 20 vulnerabilities with the FBI which calls for log analysis and retention: "Efficient and thorough logging is essential to effectively track down any potential security problems or unexplained behavior."

Sarbanes-Oxley Act (SOX)
SOX recommends regular audits of log files and keeping a record of audit logs for up to seven years.

Effective log data management strategies
There are several components of effective log data management that must all be in place to help alleviate compliance woes and improve risk mitigation in enterprise networks:

1) Turn on logging on all devices
At the top of the list is complete log data collection and aggregation. Global 2000 organizations generate more than ten thousand log data messages per second - the equivalent of two terabytes of data per month. All of that information is needed to establish an audit trail for policy validation and compliance testing - not just warning messages and alarms. Therefore it's essential to collect ALL of the data from all local and remote devices and store it in a central repository.

2) Deploy an LMI platform
Intelligent log management must go beyond the capabilities of SIEM and homegrown scripts to provide a broader range of user features and functionality. Such a solution can reduce the costs of compliance through automated collection, aggregation and retention of log data; simplified reporting and management; and more reliable risk mitigation. These features make log data easier to retrieve and organize for auditors, and the fact that the data is complete and unaltered ensures the audit trail will be there when an investigation commences.

3) Make alerting a priority
Meeting regulations shouldn't be viewed as an ad-hoc audit event; it's a real-time activity. Machine learning enables alerts to be set and sounded to deliver early warning to administrators in real time. To improve risk mitigation, administrators should be able to set a variety of behavioral and system alerts that trigger automatic notification when unusual or suspicious behavior occurs. Rules-based alerting allows administrators to predefine the state or policy that will cause a trigger. Other desirable features include automated statistical anomaly detection and intelligent threshold alerting.

4) Automate reporting
Meeting new compliance requirements can't be dependent on IT alone. There must be a degree of automation that enables key business functions to access data at regular intervals and on-demand.

5) Automate audit activities and the evidencing of the audit process
Saying you are doing due diligence isn't enough. You need proof. Therefore, all data must be securely transmitted over the network to a reliable, scalable long-term storage solution. The data must be unfiltered to improve its credibility for compliance and legal investigations. Meanwhile, meta-logs of the same data must be kept separate from the archives to be used for analysis. This decreases the chances of anyone tampering with the raw data.

Additionally, any effective log management solution will allow for historical data mining. Being able to access and report on information about past network activity aids in system recovery after security or performance incidents, and searching through data at a highly granular level can accelerate problem resolution by a factor of ten or more.
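As an added illustration of steps 3 and 5 above (example code written for this page, not from the article or any LogLogic product): the raw archive is kept unfiltered, a separate meta-log carries the parsed fields plus a SHA-256 hash chain so any later edit to the archive can be detected, and a rules-based threshold alert runs over the meta-log rather than the archive. The sample log lines, the field layout and the all-zero chain anchor are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample syslog-style lines (not from the article); the burst of failed
# logins for one account is the kind of "unusual user activity" the text mentions.
SAMPLE_LOGS = [
    "2005-06-01T09:00:01 fw01 sshd: Failed password for alice from 10.1.1.5",
    "2005-06-01T09:00:03 fw01 sshd: Failed password for alice from 10.1.1.5",
    "2005-06-01T09:00:04 fw01 sshd: Failed password for alice from 10.1.1.5",
    "2005-06-01T09:00:09 db02 sshd: Accepted password for bob from 10.1.1.7",
    "2005-06-01T09:00:20 fw01 sshd: Failed password for alice from 10.1.1.5",
]
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ (Failed|Accepted) password for (\S+) from (\S+)$")

def build_meta_log(raw_lines, prev_hash="0" * 64):
    # One meta-log record per raw line, hash-chained with SHA-256 (assumed anchor: 64 zeros).
    meta = []
    for line in raw_lines:
        entry_hash = hashlib.sha256((prev_hash + line).encode()).hexdigest()
        m = LINE_RE.match(line)
        meta.append({"ts": m.group(1), "host": m.group(2), "outcome": m.group(3),
                     "user": m.group(4), "src": m.group(5), "hash": entry_hash})
        prev_hash = entry_hash
    return meta

def verify_archive(raw_lines, meta, prev_hash="0" * 64):
    # Recompute the chain over the raw archive; any edited, deleted or reordered line breaks it.
    if len(raw_lines) != len(meta):
        return False
    for line, rec in zip(raw_lines, meta):
        prev_hash = hashlib.sha256((prev_hash + line).encode()).hexdigest()
        if prev_hash != rec["hash"]:
            return False
    return True

def threshold_alerts(meta, limit=3, window_s=10):
    # Rules-based threshold alert: `limit` or more failed logins for one user within `window_s` seconds.
    alerts, recent = [], defaultdict(list)
    for rec in meta:
        if rec["outcome"] != "Failed":
            continue
        t = datetime.fromisoformat(rec["ts"])
        times = recent[rec["user"]]
        times.append(t)
        while (t - times[0]).total_seconds() > window_s:
            times.pop(0)
        if len(times) >= limit:
            alerts.append((rec["ts"], rec["user"], len(times)))
    return alerts
```

Analysts and auditors work from the meta-log, so the raw archive only ever needs append access, and `verify_archive` is the check an investigator runs before relying on it as evidence.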

Log now, mitigate risk
The rapidly growing market for LMI indicates that compliance has become a critical lens for assessing IT performance. But what's really under scrutiny are traditional IT practices, operational processes and risk mitigation solutions. Compliance forces companies to take a look at their data management processes and find ways to improve them. As a result, it provides opportunity to optimize infrastructure and create market differentiation.

Implementing an effective LMI solution provides efficiencies in administration and troubleshooting, as well as valuable insight into activity and performance across the entire IT infrastructure to assist with mitigating security and performance risks and enable easier regulatory compliance.

Companies should implement enterprise-class log management solutions now to reduce costs and simplify operations, and prepare for ever more challenging regulatory requirements down the road.


