Steps to Security Success
A Best-Practice Approach to Security Management
Written by Ken Baker
You’re worried about data breaches, or maybe you’re working toward PCI-DSS, FISMA or HIPAA compliance, but you’re not sure what more you need to do or where to start. You likely have some combination of firewalls, intrusion prevention systems, vulnerability scanners and AV software in place, but these systems generate more information than you can act on and are completely siloed from each other. You know you need to address your compliance requirements for log collection, but how do you turn the raw data from all your different systems’ logs into usable information? From that information, you also want to be able to easily investigate and quickly respond to suspicious incidents on your network. On top of that, you don’t want to spend a lot of time and money on products that don’t end up addressing your needs.
In a recent discussion with Brian Singer, Solutions Marketing Manager for Novell Security Management, he outlined a security management model that addresses these concerns with a phased approach made up of three main security management aspects:
- Log Management
- Security Information and Event Management
- Integration of Identity and Access Management
This phased approach is designed to help you immediately get more value out of your existing investments, and also allows you to grow and add more capabilities as you’re ready.
Start with Log Management
With any undertaking like this, the first question is where to start. One way to get started is to identify your assets and classify them as high risk or low risk, then prioritize accordingly. Once that’s accomplished, you can bring in a log management product to collect logs from everything you deem high risk, which will likely include your firewalls, servers and mission-critical applications.
The typical log management product collects data from different system logs and then stores that data for a specified period of time to give you a historical account of events that have occurred. With this data you should be able to get reports on what's happening in your environment to help you spot suspicious activities, changes, or trends, as well as to respond to audits or compliance requirements. (See Figure 1.)
According to industry analysts, about 80 percent of the time the steps that hackers take leading up to a data breach are recorded in the target organization’s logs prior to the breach. In other words, if an organization simply looks at its log data, it can often spot breach warning signs and stop breaches before they ever occur. This is why log management is a great place to start. It doesn’t require complex configuration and provides a fast return on investment.
However, there are some things you need to watch for when choosing a log management product. Cost is always an issue. Some products are simply too expensive and too complex. Some use proprietary data storage solutions that are difficult and costly to deploy and manage. And since you might need to store certain information for short periods of time and other information for longer periods, make sure your log management product supports multiple data retention policies.
For example, PCI-DSS requires the storage of log data for your systems for 90 days online and two years offline. While it’s critical to retain this data, you might not want to retain all your data for two years. This means you need a log management product with flexible policy management to handle different types of retention scenarios.
You should also be wary of products that claim to do everything at once. The reality is that it will take time to implement all the features in such products. And if you end up biting off more than you can chew, your project might not ever get off the ground. That’s another reason why a phased approach is best. You can implement what you need to demonstrate success at each phase.
Another major evaluation point is that your log management product not only needs to be able to collect log data from all your different systems, but it needs to be able to parse, normalize and consolidate those different data sets into cohesive reports that are easy to generate, interpret and use. Without this function, making sense of your log data from a collective enterprise perspective will be nearly impossible.
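To make the parse, normalize and consolidate step concrete, here is an added example (not code from the article or from Novell Sentinel) that maps three constructed log formats onto one common event schema, tags each event with a per-source retention policy of the kind described above, and then counts failures per source address across all systems rather than per silo. The sample lines, regexes and retention values are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample lines in three formats (firewall, sshd, application); not real logs.
SAMPLE_LOGS = [
    "Mar 10 08:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=22",
    "Mar 10 08:01:05 srv01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 10 08:01:09 srv01 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar 10 08:01:12 srv01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "2024-03-10T08:02:00Z app01 payments INFO user=alice action=login result=success",
    "garbage line that matches nothing",
]

# Retention policy per source class as (days online, days archived); constructed values.
RETENTION_DAYS = {"firewall": (90, 730), "server": (90, 730), "app": (30, 365)}

# One regex per source format; each yields the same named groups where the data exists.
PATTERNS = [
    ("firewall", re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<action>\w+) .*\bSRC=(?P<src>\S+)")),
    ("server", re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: (?P<action>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")),
    ("app", re.compile(r"^(?P<ts>\S+) (?P<host>\S+) \S+ \w+ user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)")),
]

def normalize(line):
    """Map one raw line onto a common event schema; return None for unrecognised input."""
    for source, pat in PATTERNS:
        m = pat.match(line)
        if not m:
            continue
        d = m.groupdict()
        # Collapse source-specific wording (DROP, Failed, result=...) into one outcome field.
        failed = d["action"] in ("DROP", "Failed") or d.get("result") not in (None, "success")
        online, archive = RETENTION_DAYS[source]
        return {"source": source, "ts": d["ts"], "host": d["host"], "src_ip": d.get("src"),
                "user": d.get("user"), "outcome": "failure" if failed else "success",
                "retain_online_days": online, "retain_archive_days": archive}
    return None

def normalize_all(lines):
    """Normalise every line, dropping unparsed ones (a real deployment should count them)."""
    return [e for e in map(normalize, lines) if e]

def suspicious_sources(events, threshold=4):
    """Return source IPs whose failures, summed across ALL systems, reach the threshold."""
    counts = Counter(e["src_ip"] for e in events if e["outcome"] == "failure" and e["src_ip"])
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(suspicious_sources(normalize_all(SAMPLE_LOGS)))  # {'203.0.113.7': 4}
```

Note that neither the firewall (one drop) nor the server (three failures) reaches the threshold on its own; only the consolidated view does.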
While log management is a great place to start for security management, you need to make sure you don’t choose a dead-end product. Taking a phased approach to security management requires that you can build on top of your existing log management product. Beware of products that store data in proprietary formats, can’t forward events, offer no integration options, or have no companion product for real-time event monitoring. Your log management choice needs to give you room to grow by providing a path to security information and event management. Novell Sentinel Log Manager provides this path and also addresses the other critical evaluation points you need to consider when choosing a log management product.