Posted by Dominique Levin on June 30, 2009 in Log Management & Intelligence, Security
According to Gartner, Security Information and Event Management has reached the "plateau of productivity" which means that the solution is now being bought by "mainstream" customers. This has led some customers to lament that "all vendors sound the same".
However, don't be fooled by the "mainstream" label and the apparent similarity of vendors. A lot of innovation is still possible and required in the Security Management and Log Management market. In fact, somebody at the Gartner IT Security Summit asked me: "how many people are actually happy with their existing security management solutions"? Anecdotally we know that many customers are on their second or third attempt at security management and some of the maturity challenges have been well documented, such as in a recent blog by Adrian Lane and Mike Rothman, who said (paraphrased):
"the Security Information and Event Management space has struggled over the last decade because the platforms were too expensive, too hard to implement, and (paraphrasing) did not scale well without investing a pound of flesh".
The exact answer comes from Derek Brink from Aberdeen who did a great benchmark study recently. You can watch him present his study here.
Only "best in class" vendors, 20% of the total population, actually achieve a positive gain: a reduction in the number of incidents, the number of audit deficiencies and the total management costs related to leveraging security logs, information and events.
Derek's study also highlights specific product deficiencies:
Most notably, the complexity of security management and log management solutions is a major inhibitor of adoption. This finding is consistent with the "crossing the chasm" theory, which states that "mainstream" adopters are looking for ease of use and integration first.
If you want to find out a quantitative score of security management and log management vendors in "Deployment and Support Simplicity" check out the Gartner Critical Capabilities Study here.
In addition to ease of deployment and ease of use, there are some other product areas that still require significant innovation. Even "best in class" customers lag (creating an opportunity for vendors) when it comes to:
1) Automate remediation
2) Correlate data
3) Normalize data
4) Analyze data
5) Prioritize incidents
Make sure to ask your vendor about their planned roadmap and innovation in each of these areas before making a purchasing decision!
Posted by Dominique Levin on June 30, 2009
So a while ago we launched our Database Activity Monitoring product. Only it is called Database Security Manager (see a screencast here), which leads me to discuss the difference between "monitoring" and "management".
Database activity monitoring is the common label for point solutions that aim to monitor privileged user activity on database management systems. There are various approaches, but all aim to offer an alternative to monitoring through native audit (also called native logs). The most popular approach, if you believe Mark Nicolett from Gartner (listen here), is to use a host-based agent. Our agent derives database activity by monitoring the requests sent to shared memory.
Most host-based database security agents can do a lot more than "monitoring". For example, host-based agents can block/interrupt requests that meet certain criteria (such as requests from a certain origin, accessing a certain object, using a particular protocol, etc.). It just didn't seem right to still refer to this new technology as "activity monitoring". It is so much more! As an industry, we have truly crossed a chasm and have not just turned data (shared memory requests) into actionable information (privileged user activity) but we are finally able to act and prevent security breaches from happening!
Posted by Dominique Levin on June 29, 2009
LogLogic has expanded into the Database Security market: you can see a screencast of LogLogic Database Security Manager here. LogLogic has offered the ability to collect, store and analyze native database logs for years (via our standard log management platforms), so what's new? Here are five good reasons for customers to implement a specialized database security product and to integrate it with a broader log management solution:
1) Databases are so important they require specialized attention
2) Any successful breach of a database is very bad news (expensive)
3) Databases are especially vulnerable to attacks
4) Native logging for databases can be a bad idea
5) Database security point solutions are incomplete
Databases are so important they require specialized attention
Companies globally spend in excess of twenty billion dollars each year on their database infrastructure and thus it is wise to spend 5-10% of such investment to manage and protect your investment. Databases also house the most valuable information in your business: customer data, transaction records, patient information, etc. Databases are mission critical and power your front-line, revenue generating applications - such as claims processing, credit card transactions or trading systems.
Any successful breach of a database is very bad news (expensive)
Databases are the one-stop shop for valuable information. If you lose a laptop, the information may be abused (or thieves wipe the laptop clean and sell the gear). Even if the information falls into the wrong hands, there are likely only a small number of records stored on the laptop. However, all records are available in the database, and if somebody attacks and penetrates your database, it is virtually certain there is ill will. It is good business for organized crime. Each customer record is worth $200 and the average database attack costs $6 million (the Ponemon Institute).
Databases are especially vulnerable to attacks
Many database administrators do not apply the latest security patch in a timely fashion. In order to apply a patch, it has to be tested with all applications accessing the database and the database has to be taken off-line in order to apply the patch. Downtime for a critical business application is expensive so security is compromised in exchange for availability.
Native logging for databases can be a bad idea
For databases, performance is everything. More transactions mean more top-line. Therefore, many database administrators refuse to turn on native audit logs. Databases tend to be IO bound and writing a log for every transaction can deteriorate database performance by as much as 20%. There are also some attack patterns that are hard to detect from native logs, such as those that make use of triggers, stored procedures and the like.
Database security point solutions are incomplete
For all the reasons above, dedicated security point solutions emerged to offer an alternative to native audit. Some of these are based on sniffing network traffic, but most use a host-based agent. Only a host-based agent can see all database activity including local access and encrypted queries. However, database activity is best analyzed in the context of all other activities by a particular user (or system) - such as VPN access, application activity, and e-mail traffic for example. You can achieve such contextual analysis by integrating your database security product with a broader log management solution.
In a recent video interview, Mark Nicolett from Gartner recommends that customers should consider buying Database Activity Monitoring and Log Management/Security Information and Event Management from the same vendor. He also talks about the drivers for Database Security technology in general and about the benefits of a host-based approach to Database Activity Monitoring. You can watch his interview here.
Posted by Dominique Levin on June 24, 2009
As a 21st century civilization, we detected the presence of the Influenza A virus and its various strains such as H1N1, H1N2, H3N1, H3N2 and H2N3, and alerted the planet at large, in almost real time. In order to prepare for pandemics or epidemics such as these, I don't believe we were asked to sacrifice our privacy; instead we were asked to reduce our connectivity, i.e., limit exposure in public situations.
Why then in the world of technology, specifically in the world of “Utility and Energy” sector, would we put the technology cart before the security and privacy horse?
The United States Department of Energy has been working on the Smart Grid concept, design and implementation for a while now. On 18 May 2009, we heard about the set of sixteen standards for the smart grid being a national priority to gain energy independence, create jobs and lower the consumer cost of electricity consumption. Clearly, it is a huge undertaking and involves consistent focus and application of our collective effort to succeed. However, looking through a security lens, it continues to amaze me that the energy sector's CIA pyramid continues to be inverted, i.e., Availability is the most important mission and Confidentiality is the least important. Shouldn't confidentiality be at the top of the pyramid now that electric grid breaches have been well covered in the media? Some of the issues are:
- There are more layers from the location of power generator to the end consumer… how is the information protected across the different supply/chain points? Security is only as strong as the weakest link …
- At the end consumer location, how do I ensure that only “authorized” people are able to read my power consumption?
- The SmartMeter program provides access to the "consumer's" power consumption habits through web-based access to the accounts, in the hope that looking at the pattern of consumption will help consumers gain control over their use. I guess this is a page out of the online statement access provided by financial services to allow us to gain control over our spending habits. However, what certifications and standards are the authentication, access control and audit services of these systems subject to?
The utility and energy sector companies are subject to compliance with the North American Electric Regulatory Committee (NERC) standards. The protection of the infrastructure is not limited to SCADA systems or the corporate environment or the substation. In reality, we would expect it to be a mix of systems across these boundaries.
But somehow I do not expect the SmartMeter in my home to be part of the CIP program.
The SmartMeter is likely out of scope for the PCI and SOX audits these companies may be subject to as they do not include credit card information or financial data. However, the surface area of the energy infrastructure could get bigger with the installation of these devices (http://www.privacydigest.com/2009/03/23/electric+power+grid+smart+grid+may+be+vulnerable+hackers).
Is consumer education the only answer to ensuring that the SmartMeters are not infected with viruses or worms, or subject to unauthorized access and privacy violations? Making the consumer responsible for his choices is a great idea, but this technology is complex. Until the technology and protocols are developed by NIST and EPRI to ensure security is built in, remember: Caveat emptor!
Posted by LogLogic on May 28, 2009
By: Dimitri McKay
When I started with LogLogic, nearly four years ago, I worked in the support group. Day by day I spoke to new and existing customers about their appliances, how to tailor the software, how to hone the tool to their needs and their networks. The questions were often the same, and one question which was repeated over and over went something like this:
“Hi. I’m a new customer, and we have the appliances up and running, and all of the log data on our network being sent to LogLogic. Now what?”
“Now what”, indeed.
This new customer had everything up and running, but didn't know what to report on, what to alert on, or what to search for. And this made sense. I work in log management full time, and I'm unable to remember which PIX message is created when there is a policy update or what log is created when PIX time server updates fail. I'm not Rain Man. How could I expect the average new customer to know what messages meant what? Each customer would have to re-invent the wheel, doing the task of searching for what events caused what messages on what devices. They would have to go through all of the controls of a compliance requirement and figure out how to map a control back to a set of reports and alerts. What a pain!
Unfortunately, the only answer I could give at that time was “It depends.”
I didn’t know what reason the customer had acquired LogLogic. Was it for Operations? Was it for Forensics? Was it for Compliance? And if so, what specific requirement? PCI? SOX? ITIL? ISO? HIPAA? COBIT?
Each of these compliance mandates carried their own list of controls and required actions. For example, the COBIT framework specifically recommends using log data to review what users do with access rights and privileges and to monitor log data to detect anomalous activities. Well, for that we’re talking about a specific set of devices.
The Payment Card Industry (PCI DSS) security standard requires log data to be reviewed daily and to be archived online for one year. This is a different scope of devices to monitor and actions to accomplish.
The latest version of ITIL, version 3, recommends log data for problem isolation and user activity monitoring in conjunction with identity management. You see where this is going. Not all shoes fit on all feet.
Now, however, in each of these situations LogLogic offers an answer. Whether complying with PCI, SOX, ISO or even ITIL, there is a suite to fit the need. As a Field Systems Engineer, when customers have a rock in their shoe, a thorn in their side, or a problem which needs a solution, we have an answer for them. We have a suite of alerts, reports and search filters to help them hit the ground running and find a path to unleashing that log power in as short a period of time as possible.
We have the answer to the question “now what?”.
Posted by Dominique Levin on May 27, 2009
By Dominique Levin
VP Marketing and Strategy
The Cybersecurity Act proposes to give the President capabilities to "shut down the Internet". While this got a lot of public attention (and outrage), the more significant part of the Act is the effort to create a "minimum bar" for security in a broad range of industries, including the Federal Government and "critical infrastructure" such as telecommunications, energy, financial services, transportation and healthcare. Such a new security standard could have even greater consequences than the already widely adopted Payment Card Industry Data Security Standard. This blog examines what the Cybersecurity standard could look like and what it would mean for American business.
The Cybersecurity Act would require the National Institute of Standards and Technology to develop cybersecurity standards for government, contractors and operators of the systems that control the nation's critical infrastructure. A newly created acquisitions board would certify that products the federal government purchased meet security standards, and regional cybersecurity centers would be set up to support small- and medium-size businesses complying with the standards.
From the draft act:
SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks in the following areas:
…
(2) SECURITY CONTROLS- The Institute shall establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.
…
Other areas for research and standards development by NIST include security metrics, software security and software configuration.
"The market has failed by definition and thus public policy is necessitated," said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team. "Hopefully, the private sector will comprehend that legislation like this creates long-term comparative advantage for American industry and subsequent technological sustainability."
A complementary bill is also circulating: the ICE (Information and Communications Enhancement) Act (print here) replaces the 2008 Federal Information Security Management Act, a rewrite of the 2002 law that the Senate never voted on. Presumably the ICE Act will not only take guidance from the current National Institute of Standards and Technology standards, but also look to a list of “Top 20 Security Controls”.
Many in the security industry believe that so far NIST has been too focused on security configuration, rather than on controls that truly prevent attacks. Alan Paller, director of research at the SANS Institute, and other security professionals argue that the approach is little more than a paper-pushing exercise and doesn't secure systems from known threats. Instead the SANS Institute is pushing (and appears to be getting some traction with) its own "Consensus Audit Guidelines", a list of twenty relatively inexpensive controls every business should implement to prevent attacks.
The SANS Institute: http://www.sans.org/cag/print.php
The bills "could do more to improve cybersecurity than any action in the last decade," said Jim Lewis, director and senior fellow for the technology and public policy program at the Center for Strategic and International Studies.
"This looks like the game-changer -- or at least the conversation-changer," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research group based in Bethesda, Md. "Its reach is far greater than any cyber bill I have ever seen, extending deep into corporate America."
Having a government endorsed “minimum bar” for security that applies to a broad range of industries would definitely be a positive for the security industry and for American businesses. The bill could make it a lot easier for executives in business to get approval for investments in security. Additionally, security is only as strong as the weakest link in the chain, so any initiative that can raise the bar is a good thing.
Posted by Dominique Levin on May 05, 2009
By Dominique Levin
VP Marketing & Strategy
The debate between the privacy rights of individuals and the information protection of the public rages not only in private enterprises, but also at the national level: how far should the government go to protect cyberspace? There are several bills currently being circulated. The two primary initiatives are the 2009 Cybersecurity Act, introduced on April 1, 2009 by Senator Olympia Snowe (R, ME) and Senator Jay Rockefeller (D, WV) and the ICE (Information and Communications Enhancement) Act (print here) introduced into the Senate on April 28, 2009 by Senator Thomas Carper (D-Del.).
Much of the public commentary on these initiatives seems to be negative, expressing concerns about privacy or free-market principles. Twitter was full of quotes about the Cybersecurity Act’s proposal to give the president powers to “shut down the Internet”.
Jennifer Granick of the Electronic Frontier Foundation laments that the language in the second excerpt would give the Commerce Department “absolute, non-emergency access to ‘all relevant data’ without any privacy safeguards like standards or judicial review.”
Others are opposed because of the impact on competitive, free-market enterprise: “Some see the Act as indicative of sweeping changes toward government regulation of private entities and worry that unintended consequences of these changes could impact competitive, free-market enterprise”.
Of course there are those, who strongly support the initiatives:
Senator Olympia Snowe (R, ME) says of the Cybersecurity Act: "If we fail to take swift action, we, regrettably, risk a cyber-Katrina."
Alan Paller, director of research at the SANS Institute, appearing before the Senate Homeland Security and Governmental Affairs Committee on Tuesday, called the federal government's cybersecurity defenses "childlike," and the work accomplished under FISMA "embarrassing."
It is shocking, however, that not much has been written about exactly how much is at stake when it comes to cybersecurity. This is surprising because the Department of Defense, the intelligence community and other agencies agree that cybersecurity is one of the greatest security challenges the US faces today. In fact, "Securing Cyberspace for the 44th Presidency", a 96-page report of the CSIS Commission on Cybersecurity for the 44th Presidency published in December 2008, uses very strong language to describe the threats:
"The enemy: foreign intelligence agencies, militaries, criminals – the most dangerous opponents are militaries and intelligence services of other nations. They are sophisticated, well resourced and persistent. Their intentions are clear and their successes are noticeable"
“Secure cyberspace for the free exchange of ideas and commerce and to protect critical national assets from damage or attack (both infrastructure and information)”
“Depriving Americans of electricity, communications and financial services may not be enough to provide the margin of victory in conflict, but it could damage our ability to respond and our will to resist”
“Cyberspace is a central element for many companies’ business plans – how they manage their supply chains and their internal services and how they work with their customers”
“Damage from cyber attacks is real: in 2007 the Department of Defense, State, Homeland Security, Commerce, NASA, National Defense University all suffered major intrusions by unknown foreign entities – the Department of State lost terabytes of information”
“The US is losing the cybersecurity battle”
The report also warns that in the cyberwar, the US is currently playing the part of the Germans in World War II, who relied on their Enigma encryption system, but suffered a significant competitive blow when such system was cracked by the British Ultra.
Being a native Dutchwoman, I am also reminded of the Battle of The Netherlands, also in World War II, for a history lesson. There are parallels between the lack of preparation of the Dutch to resist the German invasion and the apparent American reluctance to 'arm' itself for cyberwar:
The Battle of The Netherlands lasted five days, and the Nazi German occupation that followed lasted five years, during which over 250,000 Dutchmen died, before the country was liberated. That was 2.5% of the population, equivalent to 7.5 million Americans. Just like in America today, in the Netherlands all the conditions were present for a successful defense: a dense population, wealthy, young, disciplined and well-educated; a geography favoring the defender; and a strong technological and industrial basis including some armaments industry. However, these had not been exploited: the Dutch had not expanded their military equipment since before the First World War. On the one hand there was the modern German army, with tanks and dive bombers, and on the other hand the Dutch army, with only 39 (!) armoured cars and 5 (!?) tankettes, and an air force for a large part consisting of biplanes. Partly this was based on the desire not to antagonize its major trading partner (Germany), partly on betting on a policy of neutrality, and partly it was made inevitable by a policy of strict budgetary limits during the Great Depression (see the parallels?).
Back to the report “Securing Cyberspace for the 44th Presidency”:
“To meet this new threat we have relied on industrial-age government and industrial-age defense”
“The organization of the federal government, especially how agencies exchange information, dates from the 1930s or earlier and is part of the reason that we are vulnerable”.
The bottom line: the threat to our cybersecurity is a strategic issue on a par with weapons of mass destruction and global jihad, where the federal government bears the primary responsibility. A failure to act decisively, and being overly concerned with citizens' false sense of privacy, could lead to a much greater threat to our democratic traditions and citizens' rights.
A final quote from “Securing Cyberspace for the 44th Presidency”:
“In cyberspace the war has begun”
“The evidence is both compelling and overwhelming”
Posted by Dominique Levin on May 01, 2009
Or: How far should IT managers go to protect corporate data?
By: Dominique Levin
VP Marketing & Strategy
A conflict is brewing in corporate America that rivals the ethical debate between philosophers such as Immanuel Kant (footnote a) and John Stuart Mill (footnote b). How far can companies go to protect data? Can companies play "Big Brother", violate employee privacy and monitor employees in order to protect data? What if the act of violating employee privacy actually protects the privacy of many more? For example, what if monitoring nurses protects the privacy of patients' healthcare records?
Immanuel Kant might have said that ethics are absolute and you cannot violate the privacy of employees, even if monitoring employees would result in the 'greater good'. John Stuart Mill, on the other hand, might have chosen the 'greater good' and sacrificed the privacy of a few, consenting, employees (you can always go work somewhere else) to protect the privacy of many.
In an April 28, 2009 Network World article, appropriately titled "Can you no longer avoid closely monitoring employees?", one IT manager speaks openly about the delicate balance of real-world information protection. "There's a balance," says Max Reissmueller, senior manager of IT operations and infrastructure at Pioneer Electronics USA Inc. in Long Beach, Calif. "I wouldn't want managers coming to me to keep an eye on a particular employee, wondering what they are doing every minute." At the same time, Pioneer is determined to protect its intellectual property, customer-service lists and other sensitive data. "I don't want a disgruntled employee trying to take a bunch of information," Reissmueller says.
Gartner Inc. analyst John Pescatore agrees and says the key word to think about is how "closely" to monitor employees. In other words, it’s not about watching every employee’s every move, but it is fair to protect an organization’s crown jewels, and it is perhaps even mandatory to protect the personally identifiable information entrusted to an organization by its customers.
Sarah Cortes is a former senior security executive at a financial services firm with $500 billion in assets under management and over 20,000 employees. In her blog “Database logging and privileged access control” of April 21, 2009 she recounts that each morning, she would take responsibility for reviewing lists of accounts with privileged access to high-risk data. This means reviewing the lists of people with access to “High Risk” data such as customer balances and account values.
She reminds us that ship captains have long started their days by initialing log entries.
If the task of reviewing lists of privileged users and their access patterns sounds daunting, then perhaps you have given too many people access to sensitive information. Sarah has some very simple rules of thumb:
- Even at an enormous firm, the number of privileged IDs with access to high-risk data should be short enough for a busy executive to personally review
- The number of people with write access to "High Risk" data should be between zero and three, and you should know those people by name very well
- It is both feasible and reasonable for senior executives to personally review this information and record that they have done so
There are no specific standards or frameworks telling you how to create the reports Sarah is talking about or what to include. Regulatory frameworks indicate only that this type of review in general should be defined by each organization and put into place. Whether it is daily, weekly or monthly, and what exactly it includes, will be up to each organization, compliance officer and CISO, depending on its business and risks.
Here are some general considerations for specifying these reports:
1) Define “High Risk” information for your organization. Start small by defining only the most sensitive information.
2) Identify the “Data Owner” for each category of “High Risk” information. The data owner is the executive who will review the lists of privileged users and their actions.
3) Locate database tables and directories with “High Risk” data. This is more difficult than it sounds, but new technologies make it easier.
4) Audit user accounts with access rights to this data. Who should have access to “High Risk” data? You may want to reduce the list to a manageable number. Also, you probably want to generate a report specifically showing any new privileged account creations and privilege modifications to ensure these are authorized.
5) Audit access to database tables and directories with "High Risk" data. Create automated daily reports to be sent to the Data Owner. Individuals accessing the system should be aware that access is monitored and reports are reviewed. Ideally, individuals who access controlled systems should not have access to update or modify the scripts and/or software that produces the security reports.
6) Include all changes to “audit” status. Don’t forget to also generate a report that will tell you whether in the prior 24 hours audit logging was turned on or off.
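The six steps above, worked through as a daily review report over a constructed database audit trail. This is an added illustration, not LogLogic's or Sarah's code; the key=value log format, the table and role names, and the rules-of-thumb thresholds are all assumptions.

```python
"""Daily privileged-access review report (steps 1-6 above) over DB audit events.

Added example: the log format, table names and role names are assumed, and the
audit trail below is constructed sample data, not output of any real DBMS.
"""
import re
from datetime import datetime, timedelta, timezone

HIGH_RISK_TABLES = {"ACCOUNT_BALANCES", "CUSTOMER_SSN"}   # step 1: start small
PRIVILEGED_ROLES = {"DBA", "SYSADMIN"}                     # step 4: what counts as privileged
WRITE_ACTIONS = {"INSERT", "UPDATE", "DELETE"}
ACCOUNT_ACTIONS = {"CREATE_USER", "DROP_USER", "GRANT", "REVOKE"}
AUDIT_ACTIONS = {"AUDIT_ON", "AUDIT_OFF"}                  # step 6

# Constructed sample audit trail (assumed "timestamp key=value ..." format).
SAMPLE_LOG = """\
2009-04-27T01:00:00Z db=custdb user=etl action=SELECT object=ACCOUNT_BALANCES rows=50000
2009-04-28T02:13:07Z db=custdb user=jsmith action=SELECT object=ACCOUNT_BALANCES rows=120
2009-04-28T02:20:31Z db=custdb user=jsmith action=UPDATE object=ACCOUNT_BALANCES rows=1
2009-04-28T02:45:00Z db=custdb user=app action=SELECT object=PRODUCTS rows=9000
2009-04-28T03:01:44Z db=custdb user=dba01 action=CREATE_USER object=tmp_admin
2009-04-28T03:02:10Z db=custdb user=dba01 action=GRANT object=tmp_admin detail=DBA
2009-04-28T04:15:00Z db=custdb user=dba01 action=AUDIT_OFF object=-
2009-04-28T04:40:00Z db=custdb user=tmp_admin action=SELECT object=CUSTOMER_SSN rows=250000
2009-04-28T05:00:00Z db=custdb user=dba01 action=AUDIT_ON object=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_event(line):
    """Parse one audit line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    fields["rows"] = int(fields.get("rows", 0))
    return fields


def parse_log(text):
    return [e for e in (parse_event(ln) for ln in text.splitlines()) if e]


def daily_report(events, now, window=timedelta(hours=24)):
    """Build the three reports the Data Owner reviews: account changes (step 4),
    access to High Risk tables (step 5) and audit on/off changes (step 6)."""
    since = now - window
    report = {"account_changes": [], "high_risk_access": {}, "audit_status_changes": []}
    for e in events:
        if not since <= e["ts"] <= now:
            continue
        act = e["action"]
        if act in ACCOUNT_ACTIONS:
            role = e.get("detail", "-")
            report["account_changes"].append({
                "ts": e["ts"], "by": e["user"], "action": act, "account": e["object"],
                "role": role,
                # creating/dropping any account, or touching a privileged role, is privileged
                "privileged": act in {"CREATE_USER", "DROP_USER"} or role in PRIVILEGED_ROLES,
            })
        elif act in AUDIT_ACTIONS:
            report["audit_status_changes"].append({"ts": e["ts"], "by": e["user"], "action": act})
        elif e.get("object") in HIGH_RISK_TABLES:
            stats = report["high_risk_access"].setdefault(e["user"], {"reads": 0, "writes": 0, "rows": 0})
            stats["writes" if act in WRITE_ACTIONS else "reads"] += 1
            stats["rows"] += e["rows"]
    return report


def findings(report, max_writers=3):
    """Apply the post's rules of thumb and flag what the Data Owner must look at."""
    out = []
    writers = sorted(u for u, s in report["high_risk_access"].items() if s["writes"])
    if len(writers) > max_writers:
        out.append(f"{len(writers)} accounts wrote to High Risk data (limit {max_writers}): {writers}")
    for c in report["account_changes"]:
        if c["privileged"]:
            out.append(f"privileged account change by {c['by']}: {c['action']} {c['account']} {c['role']}")
    new_accounts = {c["account"] for c in report["account_changes"] if c["action"] == "CREATE_USER"}
    for u in sorted(new_accounts & set(report["high_risk_access"])):
        out.append(f"account {u} was created inside the window and already touched High Risk data")
    for a in report["audit_status_changes"]:
        out.append(f"audit logging {a['action']} by {a['by']} at {a['ts'].isoformat()}")
    return out


def run_sample(now=datetime(2009, 4, 28, 6, 0, tzinfo=timezone.utc)):
    report = daily_report(parse_log(SAMPLE_LOG), now)
    return report, findings(report)


if __name__ == "__main__":
    rep, flags = run_sample()
    for line in flags:
        print(line)
```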
Footnotes:
(a) Kantian Ethics. Immanuel Kant encouraged choosing the right, moral path regardless of the consequences. Even in circumstances that would render negative consequences as a result of pure intentions, Kant argues that one should adhere to pure intentions and that their maxims should always reflect those intentions.
(b) John Stuart Mill's Utilitarianism. Stripped down to its essentials, utilitarianism is a moral principle that holds that the morally right course of action in any situation is the one that produces the greatest balance of benefits over harms for everyone affected.
Posted by Dominique Levin on April 29, 2009
By Dominique Levin
VP Marketing & Strategy
Last week LogLogic announced its intent to acquire Exaprotect. In February we had already announced a partnership with Exaprotect to deliver the LogLogic Security Event Manager. In February we also announced LogLogic Compliance Manager, which has since shipped to the general public, and LogLogic Database Security Manager, generally available later this quarter. Now we have added the Exaprotect Change Manager product line. In a mere couple of months LogLogic went from a singularly focused company with leading log management platforms to having five product lines working together to form the most complete security management suite.
So how does this all benefit customers? The combined product portfolio answers 3 simple questions for customers:
What is happening?
What is important?
What to do about it?
1. What is happening? Log Management and Database Activity Monitoring.
It all starts and ends with log data. You cannot secure or manage what you cannot see. Therefore, first focus on building a central repository of user and system activity. You do this through aggregating, summarizing and archiving log data. Log data can tell you who is accessing your network and systems, and even who is seeing, changing or moving individual information objects. Per a recent SANS survey, 99 percent of customers are collecting (or planning to collect in the next year) some log data, but for many it is work in progress. Virtually all collect network data ("who is accessing my network?") and most collect system-level data ("who is accessing my systems?"). For most companies even collecting a complete activity record remains a work in progress. Leading-edge organizations are now turning their attention to understanding activities around business applications and transactions, and to monitoring access to specific sensitive information objects. This is particularly true for structured information in databases. Databases are a one-stop shop for valuable data. Organized criminals are targeting sensitive data in databases to sell for $300 per record. Since the data is structured, you know where it resides and you can monitor access to these specific records. LogLogic expanded into database activity monitoring with a specialized database sensor. The sensor sees more than you would through native logs, including activities that are triggered by stored procedures, obfuscated queries and the like. This is great as a stand-alone product, but at the end of the day, database activity should be analyzed in context with all other activity data, hence the convergence of log management and database activity monitoring.
2. What is important? Compliance management and security event management.
Just having the data in a pile is of course not enough. Once you have a central record of activity, you need to look at this information. Few organizations are proactive about this. LogLogic compliance management and security event management applications can help. LogLogic Compliance Manager is about deciding who should be looking at what log data, and when, and then enforcing that log review process through software. Compliance is a collaborative process, and Compliance Manager facilitates collaboration on proactive security. It productizes best practices, presents reviewers with an easy in-box of log review tasks, and lets them annotate and score activities. Ultimately the log review scores roll up into a dashboard that presents executives with the overall timeliness of review and a compliance score. It is still human beings who do the bulk of the actual analysis. LogLogic Security Event Manager goes one step further and uses cross-device correlation and contextual analysis with vulnerability and asset data to prioritize suspicious activities automatically. For example, a read of an HR database followed shortly by a large outbound e-mail from the same user could be suspicious and needs to be investigated immediately.
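The HR-database-then-large-e-mail rule above, run over two constructed log sources as an added example (this is illustrative code written for this page, not LogLogic's own correlation engine). The log lines, the field layout, the user names and the asset-sensitivity table are all assumptions; the rule pairs a database read with a later large outbound e-mail from the same user inside a short window, and ranks the pair by the sensitivity the asset inventory assigns to the database:

```python
"""Cross-device correlation of a database audit log with a mail gateway log.

Added example, not LogLogic code.  The log lines and the asset-sensitivity
table are constructed for illustration; the rule is the one the text sketches:
a read of a sensitive database followed within a short window by a large
outbound e-mail from the same user.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs).  Times are ISO-8601, one event per line.
DB_LOG = """\
2009-04-20T09:12:03 db=hrdb user=jsmith stmt="SELECT ssn, salary FROM employees"
2009-04-20T09:40:11 db=hrdb user=agarcia stmt="SELECT name FROM employees WHERE id=42"
2009-04-20T10:05:47 db=inventory user=bchen stmt="SELECT * FROM parts"
"""
MAIL_LOG = """\
2009-04-20T09:18:30 sender=jsmith@example.com recipient=drop@webmail.example size=8421990
2009-04-20T10:06:10 sender=bchen@example.com recipient=vendor@example.net size=9100000
2009-04-20T11:30:00 sender=agarcia@example.com recipient=hr@example.com size=12000
"""

# Assumed asset context: the sensitivity an asset inventory would assign to each database.
ASSET_SENSITIVITY = {"hrdb": "high", "inventory": "low"}

DB_RE = re.compile(r'(\S+) db=(\S+) user=(\S+) stmt="([^"]*)"')
MAIL_RE = re.compile(r'(\S+) sender=([^@\s]+)@\S+ recipient=\S+ size=(\d+)')


def parse_db(log):
    """Parse database audit lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = DB_RE.match(line)
        if m:
            ts, db, user, stmt = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "db": db, "user": user, "stmt": stmt})
    return events


def parse_mail(log):
    """Parse mail gateway lines; the sender's local part is used as the user name."""
    events = []
    for line in log.splitlines():
        m = MAIL_RE.match(line)
        if m:
            ts, user, size = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user, "size": int(size)})
    return events


def correlate(db_events, mail_events, window=timedelta(minutes=15), size_threshold=5_000_000):
    """Pair each database read with later large e-mails by the same user inside the window.

    Severity comes from the asset context: a 'high' sensitivity database makes the
    pair critical, anything else medium.  Alerts are returned highest severity first.
    """
    mail_by_user = defaultdict(list)
    for m in mail_events:
        mail_by_user[m["user"]].append(m)

    alerts = []
    for d in db_events:
        for m in mail_by_user.get(d["user"], []):
            gap = m["ts"] - d["ts"]
            # Only e-mails sent after the read, within the window and above the size threshold count.
            if timedelta(0) <= gap <= window and m["size"] >= size_threshold:
                sensitivity = ASSET_SENSITIVITY.get(d["db"], "unknown")
                alerts.append({
                    "user": d["user"],
                    "db": d["db"],
                    "severity": "critical" if sensitivity == "high" else "medium",
                    "gap_seconds": int(gap.total_seconds()),
                    "mail_bytes": m["size"],
                })
    return sorted(alerts, key=lambda a: 0 if a["severity"] == "critical" else 1)


if __name__ == "__main__":
    for alert in correlate(parse_db(DB_LOG), parse_mail(MAIL_LOG)):
        print(alert)
```

With the constructed input, jsmith's read of hrdb followed six minutes later by an 8 MB message surfaces as critical, bchen's inventory read followed by a 9 MB message is only medium because the asset is rated low, and agarcia's small message two hours later does not pair at all. The window and size threshold are the knobs an analyst tunes against false positives; the asset table is what turns "something happened" into "something important".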
3. What to do about it? Change management and database security.
Contextual analysis of log data is cool, and it can go a long way toward turning raw log data into actionable information and even into recommendations. However, security nirvana would be self-healing. Increasingly, software will be able to make automated recommendations and predictions about unusual and suspicious activity, and to prevent bad things from happening in the first place. LogLogic Change Manager and the LogLogic Database Security agent both have the ability to enforce security policies. Most customers aren’t quite ready to automatically reconfigure a firewall policy based on a security alert, but at some point in the future, as predictions become more accurate, automatic remediation will become a reality. One area where automated prevention is already a reality is database security: about 20% of database security customers also turn on active blocking. It makes sense that blocking is more prevalent with systems that can do fine-grained monitoring. It is tricky to kick somebody off the network wholesale based on a security alert; there are still too many false positives, and if you get it wrong you seriously hurt productivity. That is never a good thing, but especially not in an economic downturn, and most organizations prioritize productivity over security. It is much more acceptable, however, to block access to a specific piece of information based on suspicious activity.
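The fine-grained alternative described above, as an added example rather than LogLogic's product code: a per-statement policy decision that blocks (or, in the monitor mode most sites run, only alerts on) reads of specific sensitive columns, instead of cutting the user off the network. The policy table, the account names and the deliberately minimal SELECT parser are assumptions for illustration:

```python
"""Statement-level enforcement for a database sensor: allow, alert or block one query.

Added example, not LogLogic code.  The policy table, the user names and the
SELECT parser are assumptions for illustration.  The point is the one the text
makes: rather than cutting a user off the network on an alert, block (or in
monitor mode, only alert on) the specific sensitive columns being read.
"""
import re

# Assumed policy: per table, which columns are sensitive, which accounts may read them,
# and whether the sensor blocks or only alerts.  "monitor" is what most sites run first.
POLICY = {
    "employees": {"sensitive": {"ssn", "salary"}, "allowed_users": {"payroll_app"}, "mode": "block"},
    "customers": {"sensitive": {"card_number"}, "allowed_users": {"billing_app"}, "mode": "monitor"},
}

# Deliberately minimal SELECT parser: column list and first table name only.
SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+([A-Za-z_]\w*)", re.IGNORECASE | re.DOTALL)


def requested_columns(column_list):
    """Normalise 'a, B AS x, t.c' to {'a', 'b', 'c'}; '*' stands for every column."""
    cols = set()
    for item in column_list.split(","):
        if not item.strip():
            continue
        name = item.strip().split()[0]       # drop aliases ("salary AS s")
        name = name.split(".")[-1].lower()   # drop table qualifiers ("e.ssn")
        cols.add(name)
    return cols


def evaluate(user, statement):
    """Return (action, reason) where action is 'allow', 'alert' or 'block'."""
    m = SELECT_RE.match(statement)
    if not m:
        return "allow", "only SELECT statements are inspected here"
    column_list, table = m.groups()
    rule = POLICY.get(table.lower())
    if rule is None:
        return "allow", f"no policy for table {table}"
    cols = requested_columns(column_list)
    touched = rule["sensitive"] if "*" in cols else cols & rule["sensitive"]
    if not touched:
        return "allow", "no sensitive columns requested"
    if user in rule["allowed_users"]:
        return "allow", f"{user} is authorised for {sorted(touched)}"
    action = "block" if rule["mode"] == "block" else "alert"
    return action, f"{user} requested sensitive columns {sorted(touched)} of {table}"


if __name__ == "__main__":
    for user, stmt in [
        ("jsmith", "SELECT ssn, salary FROM employees"),
        ("payroll_app", "SELECT e.ssn FROM employees e"),
        ("jsmith", "SELECT name FROM employees"),
        ("webapp", "SELECT * FROM customers"),
    ]:
        print(user, stmt, "->", evaluate(user, stmt))
```

The decision is scoped to the statement and the columns it touches: jsmith reading `name` from the same table is allowed, only the `ssn`/`salary` read is blocked, and the payroll account keeps working. A wrong decision here costs one query, not a user's network session, which is why blocking at this granularity is easier to justify than a firewall change driven by the same alert.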
In summary, with the addition of Exaprotect, LogLogic can better protect information at a lower cost. This is good news at a time when few customers can afford the staff and budgets to integrate many disparate point products. Unified security management also leads to better information protection: proactive security monitoring (LogLogic Security Event Manager and LogLogic Compliance Manager), combined with fine-grained monitoring (LogLogic Database Security Manager), leads to more accurate prevention (LogLogic Change Manager and LogLogic Database Security Manager) and therefore to better protection of information.
Posted by Dominique Levin on April 27, 2009 in Compliance , Log Management & Intelligence , LogLogic News , Security | Permalink | | TrackBack (0)