Professional Documents
Culture Documents
2
Proactive remediation can
administrator must sift through the
also include pre-defined role management,
multitude of event log files using
as well as provisioning and de-provisioning
native operating system tools, which
of accounts, which helps to separate duties
is an extremely time-consuming task
among administrators.
usually performed on a reactive, ad-hoc
basis. These native event viewers are Regulations and corporate
insufficient and not intended to be used compliance
as true event log management solutions
Many government regulations are
because they provide no means of:
designed to govern the practices of
• Collecting event data from multiple
corporations, protect individual’s rights
systems and applications
to privacy, and spur adherence to
• Generating reports to support an audit
standard best practices. The following
• Generating alerts on critical violations to
organizational policies
sections provide a general working An effective audit
knowledge of four key regulations
that affect IT departments in the log management
Effective audit log management
solutions do exist, however, and they will
United States and, to a lesser extent,
international organizations doing
strategy includes
be discussed later.
business in the Unites States: managing event
◦◦ The Health Insurance Portability and
Remediate
Accountability Act (HIPAA) logs from servers,
Many regulations require an organization
◦◦
to have a written remediation policy
◦◦
The Gramm-Leach-Bliley Act (GLBA)
The Sarbanes-Oxley Act (SOX)
workstations,
that specifies the actions that will be
taken in the event of a corporate policy
◦◦ The Payment Card Industry Data Security network devices,
Standard (PCI DSS)
violation. Informing all internal users
of the consequences of a violation
and applications to
can help deter them from committing
Health Insurance Portability and
Accountability Act (HIPAA)
collect, store, and
violations, and specifying the steps to
take in the event of a violation can help
The Health Insurance Portability and report on event data.
Accountability Act was signed into law
minimize its impact. Auditors often look
on August 31, 1996. Virtually all health
at remediation policies very closely; they
care organizations, including health
are a key component of any external
care providers, are affected by HIPAA
audit.
requirements. The intention of HIPAA is
to enforce standards for privacy, security,
At least two forms of remediation are
and electronic interchange of health
available: proactive and reactive.
information. In particular, HIPAA requires
◦◦ Most organizations are reactive.
health care organizations to:
Organizations achieve reactive remediation
◦◦ Ensure the confidentially, integrity, and
by de-provisioning accounts in the event
availability of all electronically protected
of a violation or inappropriate activity,
health information that organizations
automatically disabling an account
create, receive, maintain, or transmit
after a pre-defined action has occurred,
◦◦ Regularly review records of information
or shutting down a server due to an
system activity, such as audit logs,
unapproved change. This type of policy
access reports, and security incident
normally passes an audit because no
tracking reports
IT department can effectively control
◦◦ Establish, document, review, and modify
everything.
a user’s right to access a workstation,
◦◦ Proactive remediation techniques, which
transaction, program, or process
more organizations are beginning to
◦◦ Monitor login attempts and report
implement, prevent unauthorized or
discrepancies
unapproved changes. For example, an
◦◦ Identify, respond to, and document
organization can prevent the modification
security incidents
of business-critical objects in Active
Directory, applications, or systems.
3
HIPAA dictates the use of security process, whereby the condition of a
standards, privacy standards, electronic financial institution’s controls is just one
transaction and code sets, and unique indicator of its overall security posture.
employer identifiers when managing Other indicators include the ability of
and maintaining critical data. While the institution to continually assess
compliance is federally mandated, its posture and react appropriately in
compliance also benefits health care the face of rapidly changing threats,
organizations by providing patients technologies, and other business
with confidence that their sensitive conditions.” Institutions must prove
personal data is safeguarded from their readiness by conducting regular
inappropriate use. self-audits of their enterprises and
documenting the results.
4
to comply with these new rules for fiscal If the answer to either of the preceding
years ending on or after November 15, questions is yes, then the organization
2004; other companies have received needs to be compliant with the PCI
extensions. Under the law, the retention DSS regulations. One key poin t to
time for records is generally five understand is that these regulations
years; however, retention periods vary apply equally to organizations of any
according to a number of variables. size, whether they have one employee
IT executives need to formulate and or one million employees.
formalize an enterprise-wide strategy
to best manage such data now and into Key requirements of the PCI DSS
the future to reduce the enterprise’s The PCI DSS version 2.0 took effect on
large exposure and ensure future data Jan 1, 2011, bringing more clarity to
integrity. the existing set of requirements and
introducing new ones. The PCI DSS is
...companies and
Payment Card Industry Data composed of six best-practice areas and their auditors are
Security Standard (PCI DSS) 12 high-level requirements for securing
What Is the PCI DSS? protected data that include strong required to retain
In September of 2006, five payment card
brands (Visa Inc., MasterCard Worldwide,
access controls, user activity monitoring,
change tracking, and record retention.
more records than
American Express, Discover Financial before, including
Services, and JCB International) formed Key requirements of the PCI DSS 2.0 are
the PCI Security Standards Council to outlined below. all documents and
develop a new standard for securing
their customers’ payment card data. The Establish reliable & meaningful
data that relate to an
members of the council jointly require audit trails audit.
all merchants who process payment Today, almost all elements of
card transactions with their brands organizational IT infrastructure—
(credit cards and signature debit cards including operating systems, network
embossed with a council member’s devices, firewalls, databases, and
logo) to comply with the new standard, applications—have some kind of auditing
the Payment Card Industry Data Security built in. However, native audit trails
Standard (PCI DSS). All banks that inherit the following issues that are
process payment transactions associated difficult to manage:
with these cards are responsible for ◦◦ Unmanageable volume of generated
ensuring their merchants meet the events —In a typical IT environment,
standard, and penalties for failing to the various systems log gigabytes of
comply with the standard can be severe. event data daily and provide no native
log consolidation tools. Therefore,
Who Is subject to the PCI DSS? organizations risk losing event data when
PCI DSS has broad applicability. In order logs roll over. Since no one can tell
to determine whether a company is beforehand what log data will be needed
subject to the PCI DSS compliance, when bad things happen, it’s critical to
answer the following questions: ensure that all audit data is captured and
◦◦ Is the business any of the following? saved in a reliable manner.
◦◦ Card acquirer ◦◦ Cryptic descriptions of events—Most
◦◦ Merchant native audit logs were added as an
◦◦ Processing agency afterthought once the main functions of
◦◦ Does the organization store, exchange, or the system or application they belong to
transmit payment card data on any of the were developed. That’s why a disconnect
following systems and devices? exists between what the system or
◦◦ Database or application servers application puts in its logs and what
◦◦ Workstations administrators would like to see in the
◦◦ Firewalls logs to understand what specific users
◦◦ Routers actually did in the system or application.
5
Without appropriate tools, administrators
system security. This process must meet
are hard-pressed to distinguish the most
the following requirements:
important events from a myriad of others.
◦◦ Staff in charge of system security must be
Moreover, they must then try to obtain all
notified of all changes to critical system
the information they need from the cryptic
files. Every time a critical system module
descriptions recorded in the logs.
or data file is changed, the appropriate
personnel should get a notification that
To enable administrators to use native
kicks off a change review process.
logs effectively, a solution must address
◦◦ As part of the change review process,
both of these issues as well as cover
administrators must have tools to
the gaps in what the native logs record.
distinguish legitimate changes from
accidental and unwanted ones that can
Preserve audit data in long-term storage
The PCI DSS The PCI DSS regulations require
◦◦
impair normal business operations.
If a file change under investigation is
organizations to collect audit data
regulations require located anywhere on the network and
deemed inappropriate and in violation
of the established security policy, the
organizations to store it for an average of at least two
years. Organizations often underestimate
organization must be able to roll the
change back before it adversely affects the
collect audit data their log storage needs and run into
business.
significant issues when they run out of
located anywhere the storage they allocated upfront.
Establish & enforce separation of duties
on the network Track user access to protected data
Organizations must implement the
principle of separation of duties to
and store it for an The PCI DSS requires organizations to
prove “who did what” for each user
separate auditors from administrators
6
folders—Daily
companies put auditing and security
◦◦ Failed access attempts—Weekly
policies in place to maintain control over
◦◦ Successful resource access—Monthly
their infrastructures. Some companies
capture daily events, such as successful
According to the Verizon 2012 Data
logons and logoffs, so they can
Breach Investigation Report, 96 percent
understand who is on their networks at
of victims subject to PCI DSS had not
any given time. Another example of an
achieved compliance because they
internal security policy is the requirement
had either not conducted regular
to track the activity of privileged users
assessments or had never assessed and
who have been granted the rights to set
validated their controls.
up new user accounts or remove users
from the enterprise. The rights granted to
Compliance benefits
Compliance with any of the four
these users can easily be abused, leaving
the organization exposed to an internal
Organizations
compliance regulations discussed above
has broad benefits:
security threat. have to make sure
◦◦ Avoiding fines and loss of business—The that audit trails
Summary
costs of noncompliance often exceed
the costs associated with maintaining
Maintaining compliance with external
regulations or internal policies means,
are tamper-proof
compliance over time. If organizations fail
to comply, not only will they face stiff fines
at a minimum, keeping track of all and protected
electronic documents (data files, email,
and penalties, but partners and customers
images) that are covered by those from unauthorized
may take their business elsewhere, where
they can be assured that their interests are
regulations and tracking access to those
files. Upon request, organizations need
modification.
protected.
◦◦ Increased security and operational
to prove, through reporting, that they Attempts to clear
have established appropriate control
efficiency—Compliance initiatives often
over access to resources. With the right up the log may be
increase security and operational efficiency
across the organization. When IT staff
auditing solution, organizations can
capture, collect, store, and report on
a sign of covering
starts implementing security best practices
described in compliance regulations,
events related to security-sensitive user tracks after a
activity (such as account creation, group
they often expose security holes and
membership changes, and permission successful attack to
inefficiencies in internal processes that the
organization was unaware of.
changes) and also notify the responsible
personnel of events that might indicate
the compromised
◦◦ Visibility into day-to-day IT operations
—Looking into what resources IT staff
an intrusion. system.
can access and what actions they are Best practices for managing
permitted to perform is often eye-opening. compliance
Organizations often find that employees
Now let’s turn our attention to best
have access to sensitive data they shouldn’t
practices for implementing a compliance
see or that multiple administrators use the
solution. These best practices can be
same account and password. Knowledge
grouped into three key steps:
is power, and this knowledge will empower
1. Planning—Determine how the regulation
organizations to improve the security of
affects the organization. What functionality
their data and IT systems.
is needed from a solution, and which parts
of the infrastructure are involved?
Internal security policies
2. Selecting—Review vendors and solutions
We have discussed several external
that best meet the requirements.
regulations that are driving corporations
3. Deploying—Consider issues that may occur
to perform audits and prove compliance.
when rolling out the compliance solution.
Organizations may also put into place
internal controls, typically through their
Planning
IT, human resources, legal, security,
To successfully implement an IT
or compliance departments. Many
compliance solution, organizations
7
certain actions that might be detrimental—
must plan carefully and pay special
such as domain renames—even when
attention to both technical and business
attempted by properly provisioned users
needs. They must also be keenly aware
who would normally have the right to take
of how external regulations and internal
the action.
policies affect the organization and IT
◦◦ Provisioning automates the process of
in general. Here are the recommended
assigning rights to users and groups based
steps for planning the deployment of a
on variables set in their profiles.
compliance solution:
8
archiving functions of the compliance Configuration management
solution usually store a large amount The solution must be able to take
of data. Estimation can be a time- a complete snapshot of a system
consuming and laborious task, which is and compare it against a known or
best handled by automation. recommended state of another system.
Collection of data as it relates to configuration Detailed reporting should be provided in Information should be stored in a secure,
information for the server environment should categories, such as permissions, policy settings, streamlined storage area to enable the organi-
Assess be automated. and hard-ware/software information. zation to track changes over time.
The capture, aggregation, and storing of events Detailed reporting and alerting is required to Because audit logs can grow quickly, compres-
involving user access to sensitive information provide both periodic review of user activity sion is a key to long-term storage.
resources should be automated. and security.
Audit/alert
Alerting should be available through a choice of
technologies, such as email or SNMP, and easily
integrated into existing processes and tools.
Provisioning should be automated to Detailed reporting should be available to Information should be stored in a secure,
ensure that all users are assigned the correct ensure that all users are assigned permissions streamlined storage area to enable the organi-
permissions based upon their roles in the in accordance with established security policy zation to track changes over time.
Remediate
organization. and business needs.
9
Authentication between agents and servers
Two data storage types—A complete
◦◦ Optional agent-less collection—The ability
product must have two data storage
to optionally collect data without agents is
types: a file repository structure for
required in environments where the use of
archiving and database support for
agents is prohibited on important servers for
analysis and reporting.
security reasons
◦◦ Backup technology—The ability to easily
◦◦ Caching of local data—The ability to cache
back up collected event data is mandatory
audit logs as they are being created in a
since some regulations require long-term
separate, secure location to prevent anyone
storage of event data.
from tampering with and losing audit
◦◦ Granular restore—The ability to restore
log data
selected granular portions of event
◦◦ Guaranteed message delivery—The ability
data is a must.
to withstand network or server outages
◦◦
Delivery of alerts to and maintain a list of events that occurred
Consolidation technology—For widely
distributed networks or networks with
during the outage. Local agent-based
responsible persons alerting for critical events can also be useful.
slow links, the product must be able to
automatically consolidate event data from
should be fast and Performance
multiple data stores on a scheduled basis.
◦◦ Retention management—The ability to
reliable and include Two important criteria for evaluating
delete unnecessary granular portions of
performance are the number of events
a number of the agent collects per second and the
event data from the data storage is required.
10
and de-provisioning all user accounts Once organizations are armed with a
and associated permissions based on comprehensive technical view of the
certain variables in the account. environment, they need to determine
the number of management servers
Change control and their locations on the network to
The solution should enable the effectively distribute the load. Take
administrator to require a chain of into consideration the following issues
approvals by email before an actual that may affect the performance of the
change takes place in the infrastructure. solution.
11
consumption whereas reporting and Audit and event log retention settings
analysis storage servers should be Another important step in the
optimized for fast analysis of data. deployment is to verify that the audit
◦◦ For archiving, consider using a long-term settings for the selected part of the
storage system rather than a database environment are appropriate. In other
system. A database system requires words, confirm that the systems will
several times more space and therefore register only events needed to satisfy
has a higher total cost of ownership than the requirements outlined earlier and no
specialized file-based repositories or native more so as to limit the amount of storage
file formats (.EVT, for example) due to the solution requires.
the cost associated with purchasing and
maintaining more disks and the cost of If audit logs of a particular system,
Confirm that underlying database management software. application, or device do not provide
a satisfactory level of detail for critical
the systems will For analysis and reporting, a database types of user access or system changes,
is preferred since the ability to analyze, consider solutions that offer proprietary
register only events correlate, and report is paramount. methods to capture needed audit
no more so as to for different parts of the environment. regulations like HIPAA, SOX, or GLBA,
or to meet internal security policies,
limit the amount of Forensic analysis of security incidents and managing the infrastructure effectively
suspicious user activities usually involves can eliminate stress.
storage the solution digesting large amounts of historical data
12
Whether to comply
with federal
regulations like
HIPAA, SOX, or
GLBA, or to meet
internal security
policies, managing
the infrastructure
effectively can
eliminate stress.
Figure 1. Storage consolidation allows widely distributed networks to regularly collect
data locally and consolidate it into a central database.
13
For More Information
© 2012 Dell, Inc. ALL RIGHTS RESERVED. This document DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS
contains proprietary information protected by copyright. No ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING
part of this document may be reproduced or transmitted in TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
any form or by any means, electronic or mechanical, including IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR
photocopying and recording for any purpose without the A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO
written permission of Dell, Inc. (“Dell”). EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL
Dell, Dell Software, the Dell Software logo and products—as DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES
identified in this document—are registered trademarks of Dell, FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS
Inc. in the U.S.A. and/or other countries. All other trademarks OF INFORMATION) ARISING OUT OF THE USE OR INABILITY
and registered trademarks are property of their respective TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED
owners. OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no
representations or warranties with respect to the accuracy or
The information in this document is provided in connection completeness of the contents of this document and reserves
with Dell products. No license, express or implied, by estoppel the right to make changes to specifications and product
or otherwise, to any intellectual property right is granted by descriptions at any time without notice. Dell does not make
this document or in connection with the sale of Dell products. any commitment to update the information contained in this
EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS document.
SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
About Dell
Dell Inc. (NASDAQ: DELL) listens to customers and delivers
worldwide innovative technology, business solutions and
services they trust and value. For more information,
visit www.dell.com.
Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dell.com
Refer to our Web site for regional and international
office information.
WP-BPG4itGovcompi-US-TG-2012-12-13