Would it be too hokey to say that we're starting to see the emergence of Compliance TNG (The Next Generation, for non-Trekkies)? For the sake of this article, let's say that Compliance TNG is the emergence of internal and external guidelines and best practices that are concerned with security rather than just compliance success.
One approach to achieving compliance success has been to use SIEM and log management solutions to gather far-flung security data. If the goal is to demonstrate that security-event data is being captured and reported as specified, these tools may suffice. But if the goal is to continuously self-audit the security of the organization, IT managers in front of a SIEM will find they have a well-gathered haystack of data, but lack the needle of information. Some IT organizations have the resources and domain expertise to tease out that needle. Many do not.
Recent statistics bear this out. According to a log management research study issued by the SANS Institute in April 2010, 35 percent of IT personnel surveyed named "searching through data" as the most challenging aspect of log management. The second most challenging aspect cited was analyzing and interpreting results.
This gets at the root of the Compliance TNG challenge: how to become audit oriented, not just compliance oriented. Streams of events with no flow control, filtering or context paralyze an organization's ability to respond to truly critical events. Continuous auditing for the sake of true improvement requires the ability to reduce the fire hose of all data to the drinking fountain of probably significant insecurities. What's needed is contextual awareness – the ability to filter and present information based on business context.
If we want to become self-auditing, we need to have three kinds of contextual information integrated into our information flow: domain knowledge, relevant state information, and related activity history. If you don't have an expert analyzing access-related data, you will probably miss something. If you don't have facts – such as who has access to something, what person X has access to, or what policy controls are in place – you will probably miss something. And if you only get to see one activity or event at a time, you will often be misled.
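As an added illustration (example code, not from the article and not NetVision's product), the following Python sketch applies those three kinds of context to a constructed stream of access events: a policy table standing in for domain knowledge (which groups may hold rights on which resources), a snapshot of group memberships as state, and a set of previously seen user/resource pairs as history. Events that pass every check are suppressed; only findings with a reason and a next step come out. The key=value log format, the user and group names and the resources are all assumed for the example.

```python
"""Context-enriched triage of raw access events (illustrative example).

Three kinds of context are joined to each raw event before it is shown:
  - domain knowledge: which groups may hold rights on which resources
  - state: who is in which group right now
  - history: which (user, resource) pairs have been seen before
Everything that passes is suppressed; only actionable findings come out.
All names, resources and log lines below are constructed for the example.
"""
from dataclasses import dataclass

# Domain knowledge: resource -> groups permitted to hold rights on it (assumed policy)
POLICY = {"payroll": {"finance"}, "public": {"staff"}}
SENSITIVE = {"payroll"}

# State: current group memberships (assumed directory snapshot)
GROUPS = {
    "alice": {"finance", "staff"},
    "bob": {"staff"},
    "carol": {"it-admins", "staff"},
}

# Constructed event stream in a simple key=value format
SAMPLE_LOG = [
    "kind=ACCESS actor=alice resource=payroll",             # entitled, first time
    "kind=ACCESS actor=alice resource=payroll",             # entitled, routine
    "kind=GRANT actor=carol subject=bob resource=payroll",  # grant outside policy
    "kind=ACCESS actor=bob resource=payroll",               # no permitted group
    "kind=ACCESS actor=bob resource=public",                # entitled, non-sensitive
]


@dataclass
class Event:
    kind: str      # GRANT or ACCESS
    actor: str     # who performed the action
    subject: str   # whose access is involved (defaults to actor)
    resource: str


@dataclass
class Finding:
    event: Event
    reason: str
    next_step: str


def parse(line: str) -> Event:
    """Parse one constructed key=value line into an Event."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return Event(f["kind"], f["actor"], f.get("subject", f["actor"]), f["resource"])


def entitled(user: str, resource: str) -> bool:
    """State check: does the user hold any group the policy permits on the resource?"""
    return bool(GROUPS.get(user, set()) & POLICY.get(resource, set()))


def triage(lines, history):
    """Return only actionable findings. `history` is a set of (user, resource)
    pairs seen before; it is updated in place so repeats are suppressed."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev.kind == "GRANT":
            if not entitled(ev.subject, ev.resource):
                findings.append(Finding(
                    ev,
                    f"{ev.subject} holds no group permitted on {ev.resource}",
                    f"revoke the grant and review the change made by {ev.actor}"))
        elif ev.kind == "ACCESS":
            first_time = (ev.subject, ev.resource) not in history
            history.add((ev.subject, ev.resource))
            if not entitled(ev.subject, ev.resource):
                findings.append(Finding(
                    ev,
                    f"{ev.subject} accessed {ev.resource} without any permitted group",
                    "check the effective ACL and recent grants on the resource"))
            elif first_time and ev.resource in SENSITIVE:
                findings.append(Finding(
                    ev,
                    f"first recorded access by {ev.subject} to sensitive resource {ev.resource}",
                    "confirm business need with the resource owner"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, set()):
        print(f"{f.event.kind:6} {f.reason} -> {f.next_step}")
```

Of the five constructed events, three surface: alice's first access to a sensitive share, a grant to a user whose groups the policy does not permit, and bob's subsequent access without entitlement. The routine repeat and the access to a non-sensitive share are never shown, which is the point: the same event type ("ACCESS") is noise or a finding depending entirely on the state and history joined to it.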
Finding the right solution
One of the main hurdles preventing organizations from implementing an effective self-audit process is the lack of automated tools that can gather contextual data from diverse sources and make this type of analysis routine rather than ad hoc. As a result, there are often gaps in the auditing process, which contribute to an insecure environment and result in a lot of manual labor when an actual auditor shows up.
Today, IT may implement a tool to harvest event logs – the records produced by any piece of hardware or software to chronicle events. In an external audit, the IT organization often offers the mere deployment of such a tool as proof that it met the standard of due care, even though little has been done to improve the security of the organization itself.
There are multiple ways in which system logs and event management fall short of being an ideal audit solution for an organization intent on self-improvement and governance:
- Systems administrators can typically alter event records on the systems they manage. Therefore, the organization must still prove by some other means that the logs themselves have not been altered, before or after collection, in ways that obscure critical insecurities.
- SIEMs provide little of the domain expertise that is critical to evaluating events prior to presentation. Some simple rules and correlation logic may be included for the various security disciplines, but the big SIEM technological challenge is the vastness of the data gathering and management, not analysis.
- SIEMs carry little state information. They record that an event occurred; they cannot tell you what rights the actor held at the time, how those rights were obtained, or whether the action was appropriate for that person.
- The output to a system's event log is defined by the vendor of the system in question. Since most system vendors view publishing to a log as a nominally necessary overhead, the information posted is frequently very generic, inconsistent across systems and often not helpful.
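One "other means" for the first point, added here as an example rather than anything the article proposes: an HMAC chain over log lines, computed by a collector holding a key that the administrators of the logging host do not have. Each record's tag covers the previous tag and the current line, so editing or deleting a record breaks every tag after it, and a copy of the final tag kept off the box exposes truncation. It is tamper-evident, not tamper-proof: an administrator who can stop the log source before events are written leaves nothing to chain. The key, the log lines and the four scenarios are constructed for the example.

```python
"""Tamper-evident log chain with HMAC (illustrative example).

A collector that holds KEY (which the administrators of the logging host
do not) seals each line as tag_i = HMAC(KEY, tag_{i-1} || line_i). Any
edit or deletion breaks every tag after it; storing the final tag off the
box also exposes truncation. Key and log lines are constructed here.
"""
import hashlib
import hmac

ZERO = b"\x00" * 32  # anchor for the first record

KEY = b"example-collector-key"  # assumed; a real key lives in a KMS/HSM, not in source

SAMPLE_LOG = [
    "t=1 event=login user=alice host=fs01",
    "t=2 event=acl_change user=bob resource=payroll right=full",
    "t=3 event=read user=bob resource=payroll",
    "t=4 event=logout user=bob host=fs01",
]


def seal(lines, key, prev=ZERO):
    """Return a list of (line, tag) records chained from `prev`."""
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag))
        prev = tag
    return records


def verify(records, key, expected_last=None, prev=ZERO):
    """Return the index of the first record whose tag does not match, or -1.
    With `expected_last` (the final tag held elsewhere), a truncated chain
    returns len(records) because the last surviving tag will not equal it."""
    for i, (line, tag) in enumerate(records):
        calc = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(calc, tag):
            return i
        prev = tag
    if expected_last is not None and not hmac.compare_digest(prev, expected_last):
        return len(records)
    return -1


def scenarios():
    """Seal the sample log, then check intact, edited, deleted and truncated copies."""
    recs = seal(SAMPLE_LOG, KEY)
    last = recs[-1][1]  # stored off the logging host
    edited = list(recs)
    edited[1] = (edited[1][0].replace("user=bob", "user=alice"), edited[1][1])
    deleted = recs[:1] + recs[2:]     # admin removes the ACL change record
    truncated = recs[:-1]             # admin drops the tail of the file
    return {
        "intact": verify(recs, KEY, last),
        "edited": verify(edited, KEY, last),
        "deleted": verify(deleted, KEY, last),
        "truncated_no_anchor": verify(truncated, KEY),
        "truncated_with_anchor": verify(truncated, KEY, last),
    }


if __name__ == "__main__":
    for name, first_bad in scenarios().items():
        print(f"{name:22} first bad record: {first_bad}")
```

The two truncation results are the caveat worth noticing: without the externally held final tag, a chain that has simply lost its tail still verifies clean, so the anchor (or a periodic hand-off of the latest tag to a separate system) is part of the control, not an optional extra.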
Other organizations have implemented audit utilities developed to gather a single type of information to inform on a specific type of inquiry. For example, such a utility might pull rights information from a system and then provide a matrix of people and their access rights. Most of these tools neither provide a consolidated view across the enterprise nor have any knowledge of other contextual data points, which limits their usefulness and comprehensiveness.
Flexibility enables continuous audit
The best access audit solutions are built around a set of best practices for gathering and analyzing data, which a flexible reporting capability then renders for common audit scenarios and for the differing interests and entitlements of the administrators who consume it. Additionally, these best practices can be applied with different sensitivity to different resources, accounts or groups in order to achieve the ultimate goal – ensuring that everything that flows out from the solution is actionable. This capability also provides flexibility as goals change. Audits can be changed in an instant.
Nirvana for IT security is not limited to passing an audit – though on certain days it might feel like it. Nirvana is an organization being able to continuously audit itself and know that the audit has minimal cost to perform (it's automated), that all output from the audit is noteworthy (it's relevant) and that all output points to an obvious next step (it's actionable). This type of domain audit and governance solution exists and will positively affect an organization's bottom line by allowing IT to act only on those things which improve security. Businesses that respond to security events quickly and with flexibility can achieve significant cost savings and productivity gains.
David Rowe is the CEO of NetVision, a privately funded company providing compliance and control solutions for enterprise access auditing. He can be reached at firstname.lastname@example.org.