For many security information event management (SIEM) clients, the Verizon “2010 Data breach investigations report” brought good news, showing a reduction of nine percent in attacks by outside agents. The bad news was that insider attacks were up a whopping 48 percent! The report also indicated that attacks by hackers were down 24 percent while data breaches involving privilege misuse were up 26 percent.

What does it all mean? It means that SIEM isn't enough to protect your data, your privacy, your money or your business. Good SIEM systems can block outsider attacks effectively, but rarely can tell you who the attacker was – something that's very important to know when it is an insider doing the attacking. When the SIEM system is tightly integrated with your IAM (identity and access management) system, however, not only can you discover the breaches much more quickly, block any “holes” but also identify who is behind the attacks and take appropriate action. For example:

Recently, a Canada Revenue Agency tax collector used her privileged access to view thousands of records to find high-income citizens whom she could later hit up for a business she ran on the side.

One company required three signatures for large payouts, which they could prevent embezzlement. One manager got around this by maintaining the accounts of departed subordinates then using their electronic signatures for the “independent approvals” needed to okay expenditures she created. By the time this was discovered, she had stolen $11 million.

A man working for an airline's customer service department reported false complaints, using his personal bank account as a beneficiary. Then he authorized payments. The employee also reopened old cases against the airline and replaced the original account by his own.

All three might have eventually been stopped by a good SIEM system. But if that SIEM was tightly coupled with a good IAM system, then little or no loss would have occurred. The Canadian tax agent would have been tagged for unusual activity and called in for an explanation. The “puppet master” would have been blocked by the company's de-provisioning system (part of IAM) from accessing the electronic signatures of her subordinates. The airline employee would have been stopped by a Separation of Duties (SOD) policy, part of an access governance module of a good IAM system.

Only an integrated IAM and SIEM system can monitor and correlate all of these activities. Only a system with a real-time, enterprise-wide view can prevent them from occurring. By combining security monitoring with identity management including access management and user provisioning, you can deliver business process automation that provides users with the appropriate resources, validated in real time, to ensure compliance with company policies—eliminating the gaps that have left so many companies at risk. If your solution isn't doing that, it is time to take a second look at the options.