From Logs to Logic: Best Practices for Security Information Management

Gretchen Hellman
2006 EDPACS: The EDP Audit, Control, and Security Newsletter  
As cyber-criminals get smarter, staying one step ahead of emerging security threats is getting harder. Seemingly every day, news reports are filled with hair-raising stories about computer networks and corporations being terrorized by worms, viruses, hackers and identity thieves. More than ever, companies need to pay strict attention to network security, not only to defend against attacks and protect customer data, but also to satisfy a growing list of government regulations like Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), California's privacy breach notification law SB1386, and the Federal Information Security Management Act (FISMA). Organizations large and small have attempted to protect themselves by pouring millions of dollars into technology-enabled security solutions like antivirus gateways, firewalls and intrusion detection systems. But this has led to a new problem: crippling complexity. Companies are now burdened with managing dozens, sometimes even thousands, of security devices and systems from many different vendors. These disparate devices generate a deluge of data, often billions of events per day, consisting primarily of false alarms. False alarms overwhelm security operations and waste time and money by sending analysts on fruitless hunts for random events. With so many event logs generated each day, identifying perimeter security, insider threat and compliance issues within this sea of information can be an impossible task.

This article takes readers through best practices for turning technical data points into business-relevant information, including:
• What technologies are available to help with this problem?
• What data sources will yield security-relevant information?
• How to institute an effective monitoring and review program.
• How to make a log review program apply to policy.
• What are the best practices for conjoining security information with business risk?

Meanwhile, government regulations like SOX, HIPAA, SB1386, and FISMA have raised the stakes when it comes to protecting sensitive data and processes, including the integrity of the financial reporting process and the protection of personally identifiable information (PII). Businesses are often compelled to report weaknesses in financial controls,

Know the Meaning of Correlation

Correlation is critical because it allows for accurate and automated prioritization and identification of true threats and compliance issues in a business-relevant context. But, like many SIM terms, the word correlation lacks a standard definition. SIM technologies that claim to perform asset, vulnerability and event correlation achieve this with varying methodologies and degrees of success. Issues to research include:
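The asset, vulnerability and event correlation described above, as an added worked example that is not from the article or from any SIM product: a small Python prioritizer that first collapses repeated IDS alerts into incidents (event correlation), then scores each incident against an asset inventory carrying business criticality (asset correlation) and against scan results showing whether the target actually has the weakness the signature exploits (vulnerability correlation). The alert format, inventory, scan findings, signature names and VULN-* identifiers are all constructed for the example; the weights (criticality tripled on confirmed exposure, zeroed when the scan says the target is not vulnerable) are one reasonable choice, and the fact that every vendor picks its own is exactly the definitional variation the text warns about.

```python
"""Minimal SIM-style asset, vulnerability and event correlation (added example).

Not code from the article. Every data set below is constructed for
illustration: the alert format, asset inventory, scan findings, and the
VULN-* identifiers and signature names are placeholders, not real ones.
"""
import re
from collections import Counter

# Constructed asset inventory: destination IP -> name and business criticality (1 low .. 5 critical).
ASSETS = {
    "10.0.1.10": {"name": "erp-db-01", "criticality": 5},
    "10.0.1.20": {"name": "intranet-web", "criticality": 3},
    "10.0.9.50": {"name": "dev-test-vm", "criticality": 1},
}

# Constructed vulnerability scan results: destination IP -> open findings.
VULNS = {
    "10.0.1.10": {"VULN-DB-RCE"},
    "10.0.1.20": {"VULN-WEB-XSS"},
    "10.0.9.50": {"VULN-DB-RCE", "VULN-WEB-XSS"},
}

# Hypothetical mapping from IDS signature to the weakness it exploits.
# None means the signature is reconnaissance with no specific vulnerability.
SIG_TO_VULN = {
    "EXPLOIT db listener overflow": "VULN-DB-RCE",
    "EXPLOIT web reflected script": "VULN-WEB-XSS",
    "SCAN port sweep": None,
}

# Constructed raw alerts, in a simple key=value format assumed for the example.
RAW_EVENTS = [
    "2006-06-01T10:00:01 ids1 src=203.0.113.5 dst=10.0.1.10 sig=EXPLOIT db listener overflow",
    "2006-06-01T10:00:02 ids1 src=203.0.113.5 dst=10.0.1.10 sig=EXPLOIT db listener overflow",
    "2006-06-01T10:00:04 ids1 src=203.0.113.5 dst=10.0.1.10 sig=EXPLOIT db listener overflow",
    "2006-06-01T10:00:05 ids1 src=203.0.113.5 dst=10.0.1.20 sig=EXPLOIT db listener overflow",
    "2006-06-01T10:01:10 ids2 src=198.51.100.7 dst=10.0.9.50 sig=EXPLOIT web reflected script",
    "2006-06-01T10:01:11 ids2 src=198.51.100.7 dst=10.0.1.20 sig=SCAN port sweep",
    "2006-06-01T10:01:12 ids2 src=198.51.100.7 dst=10.0.1.20 sig=SCAN port sweep",
    "2006-06-01T10:01:15 ids2 src=198.51.100.7 dst=10.0.7.77 sig=EXPLOIT db listener overflow",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>.+)$"
)


def parse_event(line):
    """Split one raw alert line into its fields; the signature may contain spaces."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def classify(dst, sig):
    """Asset and vulnerability correlation for one alert.

    Returns (verdict, priority). Priority is business criticality, tripled
    when the scan confirms the target carries the weakness the signature
    exploits, and zero when the scan shows it does not.
    """
    asset = ASSETS.get(dst)
    if asset is None:
        return "unknown_asset", 2          # not in inventory: needs follow-up, not a verdict
    crit = asset["criticality"]
    vuln = SIG_TO_VULN.get(sig)
    if vuln is None:
        return "informational", crit       # reconnaissance: weight by asset value only
    if vuln in VULNS.get(dst, set()):
        return "exposed", crit * 3         # target is vulnerable to what was attempted
    return "not_vulnerable", 0             # likely false alarm, retained for audit


def correlate(lines):
    """Event correlation: collapse repeated alerts into incidents, then rank them."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        counts[(ev["src"], ev["dst"], ev["sig"])] += 1
    incidents = []
    for (src, dst, sig), n in counts.items():
        verdict, prio = classify(dst, sig)
        incidents.append({
            "src": src, "dst": dst, "sig": sig, "count": n,
            "asset": ASSETS.get(dst, {}).get("name", "?"),
            "verdict": verdict, "priority": prio,
        })
    # Highest business priority first; among equals, the noisier incident first.
    incidents.sort(key=lambda i: (-i["priority"], -i["count"]))
    return incidents


if __name__ == "__main__":
    for inc in correlate(RAW_EVENTS):
        print(f"{inc['priority']:>3} {inc['verdict']:<15} x{inc['count']} "
              f"{inc['src']} -> {inc['asset']} ({inc['dst']}) {inc['sig']}")
```

Eight raw alerts become five incidents. The three database-exploit attempts against the critical, confirmed-vulnerable ERP host come out on top; the same signature fired against the web server, which the scan shows does not carry that weakness, drops to zero and would not reach an analyst; and the alert against an address missing from the inventory is surfaced as an inventory gap rather than silently scored. Whether a product does anything like this last step, or how it weights asset value against confirmed exposure, is the kind of question the text says to research before trusting a vendor's use of the word correlation.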
doi:10.1201/1079.07366981/46050.33.12.20060601/93398.1 fatcat:anfykdpw5nhzrmzuycofqok5o4