Log Management for Improved Compliance & Risk Mitigation

© 2006, Counterpane Internet Security, Inc. September, 2006
Introduction

Bruce Schneier, CTO, Counterpane Internet Security, Inc.

Security monitoring has long been an important part of network security. Security is a process, not a product. If security is a combination of prevention, detection and response, then monitoring is the basis for any detection-and-response system. Log monitoring and management are the network analogs to physical security processes: guards, cameras, alarms, etc. Aside from its enormous forensic value, real-time security monitoring lets administrators detect attacks as they happen. Easier said than done. Logs are filled with security gold, but that gold can be hard to extract from the overwhelming mass of data.

The security benefits of monitoring and managing logs are compelling, but often that’s not enough for a product to succeed in the marketplace. Today, network security is primarily driven by compliance requirements. Compliance is more concerned with process than products, and log monitoring/management is naturally about process. Compliance drives enterprises to take an active role in network security, and this means real-time log monitoring. Compliance also compels enterprises to be able to go back and analyze forensic data about intrusions and insecurities, and this means log management. That has further pushed log-based security solutions into the mainstream.

The risks of the Internet aren’t going away anytime soon, and they’re certainly not going to be “solved” by some magic technological solution. As long as there is crime, one way or another, these solutions will be a critical component of any network-security system. Counterpane provides tools for enterprises to deal with their logs networkwide.

“Log Management” Defined

The term “Log Management” is often misunderstood by vendors and users. Many MSSPs are just now announcing basic capabilities for collecting application logs, which they refer to as Log Management. To achieve broader compliance and more effective identification and mitigation of security threats, log collection and storage alone is not enough. True 24x7 real-time monitoring, correlation, analysis, alerting, and reporting through automated processes and by skilled security analysts are essential. This is a process, not a product.

Counterpane’s integrated Log Management is a managed service that collects, correlates, analyzes (by human and through automation), and stores logs from networks, hosts, and critical applications. This service is augmented with 24/7 monitoring and real-time security alerts, all of which are backed by SLAs with simple, unambiguous penalty language.

Why Outsource Log Management?

Demand for data privacy and protection audits is skyrocketing. IT controls are taxing already-stretched IT departments.

Q: Who is the “typical” customer of Log Management services, and what problems is this organization trying to solve?

A: The typical customer fits one of two profiles. The more common profile arises from increased regulatory compliance demands, where companies are required to preserve comprehensive records of application usage and data access. In such environments, it is tremendously important that detailed logs be preserved according to uniform data retention standards, and that they be stored against common time scales and in a single repository. The demand is fueled by government and industry mandates, ranging from Sarbanes-Oxley to California Senate Bill 1386 to the PCI Standard for merchants and banks and NERC CIP for utilities. Log management is a necessary component of any solution addressing this demand; it simply has to be done. The second profile is more technical in nature, where they recognize that centralized access to audit logs provides tremendous advantages of speed and convenience when investigating security incidents. Companies in this position tend to have fairly sophisticated information security infrastructures. As a result, companies look for solutions that combine ease of integration with flexible data retrieval options. The archive must be tamper-resistant and offer rapid searching and reporting capabilities.

Benjamin Wright, attorney and author of Business Law and Computer Security, asserts, “System logs are critical to protect an enterprise under California’s Senate Bill 1386. That law requires a holder of personal data to notify the data subject if reason to believe the data’s security has been compromised exists. Clean system logs, coupled with rigorous monitoring, provide early warning of attacks and are the enterprise’s protection from a serious security breach. Clean system logs are the enterprise’s proof that it has no reason to suspect a compromise.”
Increasingly, enterprises are burdened by the limitations of home grown processes, be they fragmented systems of audit reporting, lacking forensic ability to demonstrate security incidents, and/or general inability to store all IT system logs for three to seven years. [1] At the same time, system administrators are waking up to the perils of ignoring log data, and enterprise organizations are recognizing the risk of a security breach that could lead to consequences far more damaging than financial loss. [2] Enterprises are also finding they must grapple with the fragmented and time-consuming process of mapping network activity to audit reporting to meet compliance guidelines. Over half of IT managers being surveyed indicate that they are not happy with their current log management and intend to make changes in the future.

The requirements of today’s compliance activities necessitate a higher degree of intelligence, automatic capture and fast analysis of logs. Traditional log management solutions that involve complex rules writing and homegrown solutions are no longer an adequate solution for enterprises.

Based on best practices for demonstrating compliance, Counterpane’s Log Management is a more effective approach for protecting an enterprise’s critical information assets, because it aggregates the expertise of network analysts to add a critical layer of informed insight and auditing experience. Essentially, Counterpane leverages best-of-breed technology to provide universal log processing and integration with a broad range of systems through open log services. Adding a critical layer of expertise and resources, Counterpane takes the solution to an even higher level, leveraging the best practices and rules writing of a large customer base to provide a more complete, more cost-effective solution than the homegrown, do-it-yourself approaches. Log Management empowers enterprise security teams to work smarter so organizations can focus on and excel in their core businesses, reduce total cost of ownership, and benefit from best practice guidance on the implementation and operation of monitoring and managing logs. This paper demonstrates how enterprises can leverage the strength of Counterpane’s log management to achieve federal and industry compliance.

[1] A recent study by SANS Institute entitled The Log Management Industry: An Untapped Market reveals more than ninety percent of log management is being done with homegrown processes.

[2] Reputation damage is difficult to quantify in terms of total dollars. Tarnished brand is one example, the breach of customer trust is another. Business leaders can assume that certain customers will not renew and other potential customers will not engage the first time if they do not trust the organization in question.

Q: Do customers typically have a good understanding of their environments and security issues, or are they often in for a surprise?

A: Enterprise IT departments typically don’t realize the full extent of activity on their networks. They are often surprised with detailed usage information about applications, ports, and protocols. This is usually because the desktop machine population has a wide variety of tools individually installed by users, none of which originate from ‘official’ devices on the network, but sometimes there are malicious applications; viruses, Trojans and rootkits might also be installed.

A multitude of regulations and standards, ranging from risk management like Basel II to privacy mandates like HIPAA, as well as concerns about national security and corporate governance, are urging enterprise organizations to enforce business policies and IT controls. Enterprise organizations must also monitor and validate that they’re actually adhering to those controls.

Log Management Services Feature Overview

Counterpane’s Log Management services are designed to streamline and centralize audit reporting of security incidents and provide enterprises with the forensic ability to respond to security incidents, compliance inquiries and internal threats. Counterpane’s Enterprise Protection Suite collects and processes 100 percent of the enterprise logs from any connected data source, including networking, servers and homegrown applications. Counterpane’s Security Operations Centers (SOCs) provide correlation, analysis and reporting, delivering a sophisticated, accurate and rapid response to emerging risks. Through real-time data analysis, Counterpane receives immediate alerts to risks of fraud, security hacks, applications and network downtime or customer service problems and takes action accordingly. Through this solution, enterprises will be able to benefit from real-time, 24x7x365 monitoring and management of devices, storage, system logs and compliance requirements. Customers can generate highly customized reports from the templates, including those for Sarbanes-Oxley, HIPAA, COBIT 4.0 and ISO17799.

(Figure source: Counterpane Internet Security, Inc.)
The required ongoing analysis defined within most compliance requirements is not about storing logs, rather about creating a scenario of ongoing analysis that continuously improves the posture of an enterprise’s security.

How It Works

Collecting and storing data

Enterprise organizations can more accurately meet regulatory compliance requirements and effectively mitigate risks when they have the ability to access, in real time and for forensic purposes, critical information yielded from a vast number of data sources. These sources include the Internet, applications, documents, databases, financial programs and network devices. Counterpane’s Log Management simplifies the collection of data from all applications, servers and devices in the network, and allows for immediate detection if some safeguard fails. Security incidents and trends are normalized within Counterpane’s Socrates correlation environment, and the service delivers immediate response. As a managed service, Counterpane removes enterprise organizations’ log management burden while simultaneously reducing capital and operating costs.

In summary, Counterpane’s Log Management emphasizes process, incorporating the best-of-breed log management solutions with its core competencies in security incident detection and remediation:

Counterpane’s Core Competencies
• Most flexible correlation of security events and alerts of any MSSP
• Real-time inspection
• Human analysis
• Guided remediation
• Other proprietary feeds

Enhanced Capability for Log Management
• Log collection, storage engine, alerting and reporting
• Raw log archiving with search capability
• Deep queries, real-time alerting and reporting functionality
• Comprehensive tools

Major Benefits

Counterpane’s Log Management benefits enterprises in five key ways:
• Preserves 100% of logs in unaltered form.
• Delivers a cost-effective solution to store and process terabytes of logs without requiring investment in a costly SAN infrastructure.
• Satisfies explicit data retention requirements in many high-profile government and industry regulations.
• Enables alerting on huge volumes of raw log content without transmitting sensitive information outside the customer premises.
• Provides a variety of pre-defined report templates, giving customers immediate utility without a time-consuming development cycle.
Organizations that have been using homegrown scripts to sort through data are increasingly finding these scripts to be inefficient in handling the volume they generate. In many enterprise organizations, IT must collect, store and sort through up to two terabytes of data per month, detect suspicious activity for analysis and investigation, and keep on file a complete record of data for proof of compliance and forensics purposes, which takes innumerable man hours and excessive effort, wasting corporate resources and slowing response time to compliance inquiries and problem remediation. SIEMs, for example, only capture 5% of data and deal with a fraction of logs coming out of devices. The majority of the relevant data is currently overlooked by these solutions. Plus, these solutions lack the scalability required to meet changing business needs. Putting organizations equally at risk is that these solutions do not assure data integrity.

Architecture ensures complete data collection and secure transfer

Counterpane integrates into its process the best-of-breed log management architecture, allowing data collection from all devices, applications and operating systems while providing reporting and alerting capabilities. The log management appliances are placed in the customer network and connected to Counterpane Security Operations Centers (SOCs), where highly trained security analysts monitor and manage incoming data. These appliances collect and retain a complete audit trail of user and network activity to demonstrate compliance to auditors and prove that the IT controls and policies necessary to protect the network are in place. Log data is captured from major operating systems (such as Windows, UNIX, Linux, Sun Solaris, and IBM AIX), proxy servers, application servers, and all homegrown and off-the-shelf applications. Because it is managed by Counterpane, the customer does not need to deploy a high-touch agent infrastructure. They can take advantage of the infrastructure already in place. Enterprise organizations benefit from the 200,000+ rules Counterpane manages.

Regardless of the data’s origin, Counterpane’s Sentry device picks up the logs and performs an initial triage and a quick sort analysis of the data. Then, the data travels over a secure tunnel to Counterpane’s Socrates, which views patterns and trends and identifies any problems or anomalies. This information is subsequently passed to a team of Counterpane analysts working 24/7. At all times, customers have full transparency to the information, along with greater visibility across the IT infrastructure.

Secure data transfer and scalable storage

Counterpane’s Log Management provides data integrity for distributed enterprises with features like time stamping, encryption, and failover. Upon collection, Log Management ensures secure data transfer to keep raw, unaltered logs safe and tamper-proof. Importantly, this setup ensures that data is credible for use in legal investigations. Through open routing, information can be used by other systems across the enterprise. Open routing enables key log data, reports and alerts to be seamlessly and rapidly integrated with existing management tools and platforms.
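The tamper-proof retention and time-stamping properties described above can be made independently checkable on the archive side. The following is an added illustration written for this page, not Counterpane’s code nor the Sentry or Socrates implementation: each received line is stored unaltered together with a collector receipt timestamp and a sequence number, and an HMAC-SHA256 over those fields plus the previous record’s MAC chains the records together, so whoever holds the archive key can detect any later edit, deletion or reordering. The key, record layout and syslog lines are constructed for the example.

```python
"""Tamper-evident log archive: every collected record carries a receipt
timestamp, a sequence number and an HMAC that chains to the previous record,
so alteration, deletion or reordering after archiving is detectable.
Added illustration, not Counterpane code; key and sample lines are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed demo key. In a real collector the key stays on the archive side
# (appliance or HSM) and is never shared with the systems producing the logs.
ARCHIVE_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # prev_mac value for the first record


@dataclass
class Record:
    seq: int           # monotonically increasing position in the archive
    received_at: str   # collector's receipt timestamp (ISO 8601, UTC)
    raw: str           # the log line exactly as received, never rewritten
    prev_mac: str      # MAC of the previous record (GENESIS for seq 0)
    mac: str           # HMAC-SHA256 over seq, received_at, raw, prev_mac


@dataclass
class Archive:
    key: bytes
    records: List[Record] = field(default_factory=list)

    def _mac(self, seq: int, received_at: str, raw: str, prev_mac: str) -> str:
        # Canonical JSON makes the MAC input unambiguous (no field-boundary tricks).
        payload = json.dumps([seq, received_at, raw, prev_mac], separators=(",", ":"))
        return hmac.new(self.key, payload.encode("utf-8"), hashlib.sha256).hexdigest()

    def append(self, raw: str, received_at: str) -> Record:
        seq = len(self.records)
        prev_mac = self.records[-1].mac if self.records else GENESIS
        rec = Record(seq, received_at, raw, prev_mac,
                     self._mac(seq, received_at, raw, prev_mac))
        self.records.append(rec)
        return rec

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, first bad index)."""
        expected_prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_mac != expected_prev:
                return False, i          # gap, deletion or reordering
            recomputed = self._mac(rec.seq, rec.received_at, rec.raw, rec.prev_mac)
            if not hmac.compare_digest(recomputed, rec.mac):
                return False, i          # content edited after archiving, or wrong key
            expected_prev = rec.mac
        return True, None


# Constructed syslog-style lines standing in for a collector's intake.
SAMPLE_LINES = [
    "Sep 12 10:01:07 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22",
    "Sep 12 10:01:09 db01 sshd[4211]: Failed password for oracle from 10.0.0.5 port 51922 ssh2",
    "Sep 12 10:01:12 db01 sshd[4211]: Accepted password for oracle from 10.0.0.5 port 51922 ssh2",
]
RECEIPT_TIMES = ["2006-09-12T10:01:07Z", "2006-09-12T10:01:09Z", "2006-09-12T10:01:12Z"]


def build_archive(lines=SAMPLE_LINES, times=RECEIPT_TIMES) -> Archive:
    archive = Archive(ARCHIVE_KEY)
    for line, ts in zip(lines, times):
        archive.append(line, ts)
    return archive


def tamper_demo() -> dict:
    """Show that each kind of after-the-fact change is caught, and where."""
    intact = build_archive()
    edited = build_archive()
    edited.records[1].raw = edited.records[1].raw.replace("Failed", "Accepted")
    deleted = build_archive()
    del deleted.records[1]
    reordered = build_archive()
    reordered.records[1], reordered.records[2] = reordered.records[2], reordered.records[1]
    wrong_key = Archive(b"some-other-key", intact.records)
    return {
        "intact": intact.verify(),
        "edited": edited.verify(),
        "deleted": deleted.verify(),
        "reordered": reordered.verify(),
        "wrong_key": wrong_key.verify(),
    }


if __name__ == "__main__":
    for case, result in tamper_demo().items():
        print(f"{case:>10}: {result}")
```

Verification reports the index of the first record that fails, which is what an investigator needs to bound the damage: everything before it still carries a valid chain. Encrypting the transport protects the records in flight; the chain is what lets the stored copy be shown unaltered afterwards.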
Solution Ensures Best Practices for Compliance

Counterpane’s solution incorporates policy and best practices framework as part of the process. This framework – Stages of Protection™ – has been designed to show enterprise organizations (and regulators) where they are today with respect to their understanding of cyber security risks and preparedness to defend against cyber threats. An organization can be classified, based on their understanding and preparedness, from Stages I through V. In working with enterprise organizations, our objective is to move them towards Stage V.

Stage I: Lack of Understanding
Organizations have a lack of understanding of cyber security risk and liabilities.

Stage II: Ad Hoc
Organizations often place themselves at this stage when they first consider the question. These days, as the exploration process unfolds, their discoveries serve as a wake up call to officers and directors of the corporation that they may be personally at risk due to security breaches and that making investments in data privacy and protection process is a must.

Stage III: Reactive Only
At this stage, organizations generally have some awareness of the risk and liabilities, and specific activities and controls have been established. However, the process and activities lack adequate documentation, since controls depend on individuals that are assigned to specialized functions such as Controller, Accountant, or Legal Affairs. The risk to the organization is potentially losing individuals carrying critical knowledge between auditor visits. Sometimes, organizations have some awareness of the disclosure process. Forensics that determine the extent to which a breach constitutes a reportable violation are still limited. Tracking this evidence is difficult and often error prone.

Stage IV: Standardized Procedures
Enterprises, at this stage, still must manage the changes in process between auditor visits, while not reliant upon individuals for carrying forth the compliance process from one audit to the next.

Stage V: Real-Time Monitored Processes and Enterprise-wide Risk Management
At this stage, standardized controls with periodic testing for continuous improvement and automated reporting to management ensure that regulators will see improvement whenever they visit. A realtime monitoring capability with continuous improvement enables true enterprise-wide risk management. These tools support control activities, such as the ability to determine if an internal attack on an Oracle financial database has occurred, enable the enterprise to make rapid changes as necessary to protect sensitive data, and ensure that officers and directors are aware of what is happening in the organization.

Q: What are the most pressing security issues and security regulations most customers face?

A: The most pressing security issues generally stem from a lack of awareness. It is tremendously difficult to stay ahead of the changing security landscape, not only because the material that covers the topic is complex, but there is so much of it. Security regulations only exacerbate this problem, because there is little precedent to follow in terms of best practices for implementation, nor is there an accepted standard for enforcement. As a result, there are some things well-meaning companies simply didn’t know about. Counterpane is asked most frequently about SOX and HIPAA, but California’s SB1386 as well as other standards and regulations are also of concern.
Stages of Protection

ISO 17799 Best Practice Categories
1. Security Policy
2. Organizational Security
3. Asset Classification and Control
4. Personnel
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. System Development and Maintenance
9. Business Continuity Management
10. Compliance

Quarterly Results on Portal

Stages of Protection Ratings – High Level
Stage I: Cyber security risks and liabilities not well understood.
Stage II: Cyber security risks and liabilities understood but the cyber security program is ad hoc only and purely reactive.
Stage III: A cyber security program exists but is highly dependent upon IT security individuals for its perpetuation.
Stage IV: The cyber security program is a cross-functional, working process generally understood throughout the organization.
Stage V: The cyber security process is measured by the organization in terms of the human and technology costs.

Source: Counterpane Internet Security, Inc.

The Counterpane Advantage

Offered as a managed service, Counterpane’s Log Management benefits customers by offering them simplified correlation, analysis and reporting, with up to 13,000 custom reports to meet requirements set forth by regulatory laws like SOX, HIPAA, COSO and ISO17799; incident response times and standardized reporting on vulnerabilities and threats; and more effectively mitigate network security incidents. The solution’s unique features provide enterprises with the following advantages:

• Improved compliance
  • 24x7 Monitoring
  • 24x7 Incident response
  • Unaltered log retention
  • Chain of custody to demonstrate evidence of data integrity
  • Demonstrable evidence of reviewing user access to programs and data
  • Brand name recognition of Counterpane makes auditors comfortable, pass audits easier

• Early problem identification
  • Failed logins
  • Exiting programs too often
  • Traffic volume exceeded by a specified threshold
  • Machine learning & statistical anomaly detection alerts for adaptive baseline, message volume, network policy and more

• Economies of scale
  • ALL logs collected centrally
  • Subset of critical devices monitored 24x7
  • Alerts customer on non-monitored devices
  • Customer gets alerts across entire environment without high costs

• Immediate ROI
  • Eliminates manual tasks and human error
  • Speeds time to remediation, cutting downtime
  • Reduces time spent on compliance
  • Reduces administration and labor costs
  • Frees up valuable IT resources for other mission-critical tasks
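The early-problem-identification items listed above (failed logins, programs exiting too often, traffic over a specified threshold, and an adaptive baseline on message volume) are straightforward to express as rules over normalized log events. The following is an added example written for this page, not Counterpane’s rule set or Socrates logic; the line format, thresholds, sample log lines and per-interval history counts are all constructed, and the baseline rule uses a simple mean-plus-k-standard-deviations test rather than any particular vendor’s statistical model.

```python
"""Threshold and adaptive-baseline alerting over raw log lines.
Added illustration, not Counterpane's rules; format, thresholds and sample
data are constructed for the example."""
import re
import statistics
from collections import Counter
from typing import List

# Constructed syslog-style records in the form "<ts> <host> <program>: <message>".
SAMPLE_LOG = """\
2006-09-12T10:00:01Z db01 sshd: Failed password for oracle from 10.0.0.5
2006-09-12T10:00:02Z db01 sshd: Failed password for oracle from 10.0.0.5
2006-09-12T10:00:03Z db01 sshd: Failed password for oracle from 10.0.0.5
2006-09-12T10:00:04Z db01 sshd: Failed password for oracle from 10.0.0.5
2006-09-12T10:00:05Z db01 sshd: Failed password for oracle from 10.0.0.5
2006-09-12T10:00:06Z db01 sshd: Failed password for oracle from 10.0.0.5
2006-09-12T10:00:07Z app01 sshd: Failed password for admin from 10.0.0.9
2006-09-12T10:00:10Z app01 init: process reportd exited with status 1
2006-09-12T10:00:20Z app01 init: process reportd exited with status 1
2006-09-12T10:00:30Z app01 init: process reportd exited with status 1
2006-09-12T10:00:40Z app01 init: process reportd exited with status 1
2006-09-12T10:00:50Z fw01 netflow: host 10.0.0.7 sent 734003200 bytes
2006-09-12T10:00:55Z fw01 netflow: host 10.0.0.8 sent 1048576 bytes
"""

# Constructed thresholds; a deployment tunes these per environment.
FAILED_LOGIN_THRESHOLD = 5               # failures from one source in the batch
PROGRAM_EXIT_THRESHOLD = 3               # exits of one program on one host
TRAFFIC_THRESHOLD_BYTES = 500 * 1024 * 1024

# Constructed per-interval message counts from "normal" past intervals.
MESSAGE_HISTORY = [110, 120, 115, 130, 125, 118, 122]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
EXIT_RE = re.compile(r"process (?P<name>\S+) exited")
BYTES_RE = re.compile(r"host (?P<ip>\S+) sent (?P<n>\d+) bytes")


def parse(log_text: str) -> List[dict]:
    """Normalize raw lines into event dicts; lines not matching the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def threshold_alerts(events: List[dict]) -> List[str]:
    """Apply the three fixed-threshold rules and return one alert string per hit."""
    failed: Counter = Counter()    # failed logins per source address
    exits: Counter = Counter()     # exits per (host, program)
    traffic: Counter = Counter()   # bytes sent per host
    for ev in events:
        msg = ev["msg"]
        if (m := FAILED_RE.search(msg)):
            failed[m["src"]] += 1
        elif (m := EXIT_RE.search(msg)):
            exits[(ev["host"], m["name"])] += 1
        elif (m := BYTES_RE.search(msg)):
            traffic[m["ip"]] += int(m["n"])
    alerts = []
    for src, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"failed-logins src={src} count={n}")
    for (host, name), n in exits.items():
        if n >= PROGRAM_EXIT_THRESHOLD:
            alerts.append(f"program-exits host={host} program={name} count={n}")
    for ip, total in traffic.items():
        if total > TRAFFIC_THRESHOLD_BYTES:
            alerts.append(f"traffic-volume host={ip} bytes={total}")
    return alerts


def volume_baseline_alert(history: List[int], current: int, k: float = 3.0) -> bool:
    """Adaptive baseline: flag the current interval's message count when it lies
    more than k standard deviations above the mean of past intervals. The
    stdev floor keeps a flat history from alerting on every small change."""
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    return current > mean + k * max(stdev, 1.0)


if __name__ == "__main__":
    for alert in threshold_alerts(parse(SAMPLE_LOG)):
        print(alert)
    print("volume anomaly:", volume_baseline_alert(MESSAGE_HISTORY, 300))
```

On the constructed batch the rules fire for the six failures from 10.0.0.5, the four exits of reportd on app01, and the 700 MB sent by 10.0.0.7, while the single failure from 10.0.0.9 and the 1 MB host stay below threshold. The baseline check treats 300 messages as anomalous against a history averaging about 120, but not 135, which is what distinguishes a learned baseline from a fixed threshold.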
Sarbanes-Oxley: Example of a Business Challenge

Section 404 of the Sarbanes-Oxley Act of 2002 is directional rather than specific. It simply calls for:
1. An internal control report
2. Adequate internal control structure
3. Assessment of the effectiveness of the internal control structure and procedures

SOX 404 states: Demonstrate “adequate internal control structure” and perform annual assessment of those controls.

In the absence of specific requirements, Counterpane recommends that an enterprise’s Internal Control Report address the following specific areas while demonstrating how these requirements will be met by Log Management:

SOX 404 Requirements and Counterpane Service Options
• Access & Authentication Controls: Managed Security Monitoring/Reporting; Identity Management
• Audit Logging Configurations: Managed Security Monitoring/Reporting
• Backup Strategy: Security Consulting
• Data Integrity: Managed Security Monitoring/Reporting
• Retention Policies for Data/Log: Managed Security Monitoring/Reporting; Log Management
• Email Security/Policy Enforcement: Anti-Virus, Anti-Spam/Email Content Control/Web URL Filtering/Web Anti-Virus & Anti-Spyware/Email Archiving
• Monitoring/Incident Response: Managed Security Monitoring/Reporting
• Vulnerability Scanning: Vulnerability Scanning
• Third-Party Audits: Security Consulting
Document Contributors

Counterpane Internet Security, Inc.
Bruce Schneier, CTO
Anna Luo, Director of Marketing
Toby Weir-Jones, Director of Product Management

About Counterpane

Counterpane’s Enterprise Protection Suite is a modular suite of security services enhanced by core real-time Managed Security Monitoring, the foundation of Counterpane’s services. The Counterpane Process collects, sorts, correlates, and analyzes data from devices on customer networks. This data is continually forwarded to Counterpane’s distributed Security Operation Centers, where data is examined for suspicious patterns, and correlated across Counterpane’s entire customer base. Analysts use sophisticated tools to evaluate and resolve each problem ticket or collection of alerts. Security Operation Centers (SOCs) are physically separated and fully redundant facilities where incoming alerts are captured and stored in a database and synchronized across to other SOCs. Web Portal provides a window into network activity for real-time forensics analysis, network tuning, dynamic report generation, and audit reporting for compliance with regulations such as Sarbanes-Oxley, GLBA, and HIPAA.

Counterpane is The Managed Security Company. As the authority on enterprise security, Counterpane delivers comprehensive protection and real economies of scale and efficiencies of cost. Monitoring over 550 networks worldwide to gather, correlate and evaluate an unparalleled volume of information, we give our customers the industry’s broadest real-time view of, and response to, global IT security threats. Supporting over 550 networks with global visibility in 38 countries, this service protects in real time against suspicious attacks. Leveraging our experienced professionals and state-of-the-art security solutions, Counterpane’s Managed Security Services ensure customers’ business continuity, improved compliance, and protection from financial loss.

For more information, please contact Counterpane’s Managed Security Specialists. Call Us: 888-710-8175. Email Us: firstname.lastname@example.org. Visit Our Website: www.counterpane.com