Compliance is vital for any enterprise, not merely to adhere to the various regulatory and industry frameworks but also to mitigate the risks attached to corporate IT assets. Enterprises that fail to comply not only face penalties from the regulatory bodies but also risk losing respectability and trust. However, many enterprises fail to remain fully compliant at all times, and this has led to many security breaches. Case in point: the recent Heartland breach highlighted the fact that staying compliant is a full-time process and that merely staying within the boundaries of a given regulatory framework is not sufficient to secure your network(s). Enterprises therefore need to look beyond the applicable frameworks to achieve compliance, and one important way is to analyze and manage system, application and event logs to prevent such huge incidents.
Log management for Compliance requirements is an increasingly vital process for enterprises across verticals. There are several implications to having an ineffective log management process, both tangible and intangible.
Enterprises that analyze their log data efficiently can easily recognize the value and impact on their IT and overall operations. The insight gained from log analysis and reporting can help enterprises assess their existing security implementation and cut down the cost of extensive regulatory audits and of any recovery measures. Up-to-date log data analysis provides insight into the health and accessibility of network(s), systems and applications.
A strong log management solution that handles a large volume and variety of logs is a necessary tool for enterprises to maintain the integrity of all data.
Let’s look at a checklist to ensure log management is applied effectively to ensure compliance.
Make Log management a daily routine and not just to satisfy compliance requirements
If log management is done as a routine rather than only for the sake of meeting regulatory requirements, we can cover our bases much more effectively. It will take care of any overlapping frameworks and reduce the time needed to meet all regulatory requirements. It will also cover any condition overlooked on the assumption that another regulatory requirement already covers it. Reports and alerts ensure that security threats are brought to your attention, including those beyond the scope of regulatory compliance.
Ensure alerts are set up as per the requirements of the enterprise
Ensure all alerts are set up correctly and for the specific requirements of the enterprise, not just to meet compliance requirements. If critical data is suspected to have been accessed by an unauthorized user, an alert must be raised rather than ignored just because the event doesn't map to a specific regulatory requirement. The alert setup must be reviewed and reassessed periodically.
Review reports regularly to identify any gaps in the setup and regulatory requirements.
All reports must be checked not just for the expected data but also for any anomalies in them. Reports must also be maintained for what doesn't meet the requirements, and reviewed frequently.
Conduct periodic tests to determine the effectiveness of the setup.
The network must be tested for effectiveness and efficiency in managing and analyzing logs in order to ensure that compliance requirements are met appropriately. A robust log management solution is a vital key towards staying compliant. The test must also be highlighted and validated by the system.
Have a representative from the legal department to check if all regulatory requirements are understood and met by the IT department.
Not all regulatory requirements are easy to comprehend, and hence they might be misunderstood by those defining the IT compliance requirements. This is a pitfall that must be avoided; hence all legal aspects must be simplified.
Have a consistent approach to managing and analyzing the logs.
Make sure there is a defined set of rules on how logs must be managed and analyzed. These rules must depend on the enterprise and not on the individual currently in charge. If a change in authority takes place, the set of rules for log handling mustn't be changed, as this can lead to loss of log data.
Check for unauthorized programs installed by users within the network.
Most breaches are caused by malicious code planted in the network through unauthorized programs. Users are mostly unaware of the potential threat in installing seemingly harmless programs. A log management solution can help detect such unauthorized programs and alert the administrator before any harm is done.
Don't give unauthorized users access to view, edit or delete any information.
Access to the network must be strictly monitored and only given to authorized members. Data should be classified appropriately, and access to it regulated and monitored. All unauthorized access must be alerted promptly by the log management solution.
Don't provision team/group access to any critical data.
No authorization must be provided on a team/group level, as this increases the exposure to risk and leaves room for human error. Any changes made on a one-on-one level will be lost if not communicated on the team/group level.
Don't keep unnecessary ports open in the network.
All redundant ports must be closed in the network(s) in order to protect it from any malicious attack. Ports must be periodically reviewed to ensure only those required are accessible.
Don't run unused services on vital servers.
In order to keep the network(s) efficient and easy to manage all unused services must be stopped to avoid any conflict with essential services. Any redundant service poses a risk in interfering with the operation of critical resources, which will lead to failure of required processes.
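The two checklist items above (closing redundant ports and stopping unused services) come down to periodically comparing what a server actually exposes against an approved baseline. The script below is an added example, not code from the original post or from ManageEngine: it parses constructed `netstat -an` style output (Windows format, with the same header and column layout as the real command), keeps only exposed sockets (TCP in LISTENING state, bound UDP sockets), and reports both listeners that are not in the baseline and baseline entries that are no longer listening. The approved set is a constructed baseline for a hypothetical server class, not a recommended policy.

```python
"""Review a server's listening ports against an approved baseline.
Added example (not from the page or ManageEngine); sample data is constructed."""

# Constructed baseline for a hypothetical file/terminal server, not a real policy.
APPROVED = {
    ("TCP", 135),   # RPC endpoint mapper
    ("TCP", 445),   # SMB file sharing
    ("TCP", 3389),  # Remote Desktop
}


def parse_netstat(text):
    """Return the set of (proto, port) listeners from `netstat -an` style output.

    TCP sockets count only when in LISTENING state (established connections are
    clients, not exposed services); UDP sockets count whenever they are bound.
    """
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner, the column header and blank lines.
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        try:
            # rsplit on the last colon handles both 0.0.0.0:135 and [::]:135
            port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        state = fields[3] if len(fields) > 3 else None
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto, port))
    return listeners


def review_ports(netstat_text, approved=APPROVED):
    """Return (unexpected, missing) as sorted lists of (proto, port).

    unexpected: listeners not in the baseline -> candidates to close or document
    missing:    baseline entries not listening -> a required service may be down
    """
    found = parse_netstat(netstat_text)
    return sorted(found - approved), sorted(approved - found)


# Constructed sample output in the layout of `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    10.0.0.5:445           10.0.0.9:52311         ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    unexpected, missing = review_ports(SAMPLE_NETSTAT)
    for proto, port in unexpected:
        print(f"UNEXPECTED listener: {proto}/{port}")
    for proto, port in missing:
        print(f"MISSING baseline listener: {proto}/{port}")
```

Run against the sample, the review flags TCP/8080 and UDP/161 as listeners outside the baseline, ignores the established SMB connection, and reports nothing missing. Feeding it the real `netstat -an` output of a host, with a baseline agreed per server role, turns the "periodically reviewed" item into a repeatable check whose output can itself be logged.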
This isn’t a comprehensive checklist of course but if you don’t have one, this might be a good place to start. Each enterprise needs to get started with log management with their customized set of checklists to ensure the enterprise IT network(s) is optimally secured. Merely being compliant isn’t enough; it also requires staying more vigilant and having stringent security measures in place.
In an era of increased data security threats from both outside and inside your enterprise, you need to be proactive in your approach. On the government's side, it wants to ensure that enterprise IT operations are regulated for the sake of the data security of its citizens. To achieve this, the government or the competent statutory authority issues regulations with which enterprise IT operations must comply. By complying with the regulations, you are not only fulfilling the statutory requirements but also fortifying your enterprise's security to a level acceptable to the external world.
Growing List of Compliance Regulations
One important point of concern is the growing number of compliance regulations issued by various statutory authorities. Already there are the Sarbanes-Oxley Act (SOX), Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA). Furthermore, there are California Senate Bill No. 1386, the Federal Information Security Management Act (FISMA), and SCADA security best practices. Each regulation outlines its own separate set of reports, which must be presented to the IT auditors. So how will small and medium enterprises, with their limited IT budgets, cope with the growing demands of regulatory compliance?
How to address the ensuing scenario
An ideal solution would be a customized set of reports for each regulation, available as a pre-built package. But customizing the set of reports is time consuming and involves software developers making changes to the application. This is undesirable, as every time a new regulation is introduced you would have to repeat the exercise to comply with it. What you should look for is an application that gives you the flexibility to customize the available set of reports and make them ready for the new regulation. Further, you may choose to fine-tune or prune the set of reports meant for an existing regulation. Furthermore, it would be nice to have the reports generated periodically without manual intervention.
A solution in sight
AdventNet ManageEngine, with its forethought, addresses the problems stated above. EventLog Analyzer 5 allows you to create a set of reports for a new regulation. This value-added feature removes the burden of customizing the application every time you require reports for a new regulatory compliance requirement. It takes no time and can be done by the system administrator. Another feature of EventLog Analyzer 5 is customization of the set of reports for an existing compliance report. This is another value addition that ensures you submit only the required reports: you can remove reports that are not required or add a new one that is. You do not have to panic over minor changes in the regulations. What's more, EventLog Analyzer 5 allows you to schedule compliance report generation automatically at periodic intervals. You can sit back and relax. EventLog Analyzer 5 comes packed with a lot more features. Get the details here.
Want to see it to believe it? Try EventLog Analyzer 5. You can download it from here. The full-functionality download is available free for a thirty-day trial.
Author: parthasarathi
I came across an article in S-OX:
Quote:
"Compliance is defined as being in accordance with authoritative requirements. That means being up to date on guidelines, processes and practices. These processes and practices are oriented around such requirements as:
- Only authorized user/systems can access and modify specific information they require,
- The privacy and integrity of the information and systems must be maintained and assured,
- Audit records are maintained and indisputable, and
- Operational best practices are in place and improved.
Regulations, today, may differ in substance but tend to create a group of common requirements. These requirements include:
- Event collection and retention,
- Activity review and assessment,
- Data integrity and chain-of-custody,
- Use audit reduction tools,
- Investigation and forensic analysis, and
- Reporting to and by appropriate personnel.
Most security event management (SEM) and security information management (SIM) solutions focus on incident response: consolidating alerts to respond to visible threats and attacks. And, that's important. But, as will be evident, the back end of the SIM process (event data analysis and retention used for reporting, audit and investigation) is usually half-baked. As a result, compliance support is often spotty."
So, as mentioned, compliance support is an important part of a Security Information Management (SIM) solution.
Let us see how EventLog Analyzer (ELA) fares against the above compliance requirements.
ELA provides reports that meet the HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley) and GLBA (Gramm-Leach-Bliley Act) security standards under Compliance.
Currently ELA provides the following reports under the Compliance section, which meet the above security standards.
1. Successful User Logons - Identifies all user logon events (Event IDs: 528, 540)
2. User Logoffs - Tracks all user logoff events (Event ID: 538)
3. Logon Failures - Tracks all failed user logon events (Event IDs: 529, 530, 531, 532, 533, 534, 535, 536, 537, 539)
4. Audit Policy Changes - Tracks all changes made to the audit policy (Event ID: 612)
5. Audit Logs Cleared - Tracks all audit log clearing events (Event ID: 517)
6. Object Access - Identifies when a given object (file, directory, etc.) is accessed, the type of access (e.g. read, write, delete), whether the access succeeded or failed, and who performed the action (Event IDs: 560, 562, 563, 564, 565, 566, 567, 568)
7. System Events - Identifies local system processes such as system startup and shutdown and changes to the system time (Event IDs: 512, 513, 514, 515, 516, 518, 519, 520)
8. User Account Changes - Identifies all changes made to a user account, such as account creation, deletion, password change, etc. (Event IDs: 624, 625, 626, 627, 628, 629, 630, 642, 644)
9. User Group Changes - Identifies all changes made to a user group, such as adding or removing a global or local group, or adding or removing members from a global or local group (Event IDs: 631 - 641 and 643 - 646)
10. Successful User Account Validation - Identifies successful user account logon events, which are generated when a domain user account is authenticated on a domain controller (Event IDs: 672, 680)
11. Failed User Account Validation - Identifies unsuccessful user account logon events, which are generated when a domain user account is authenticated on a domain controller (Event IDs: 675, 681)
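To show how the event ID to report mapping above is used in practice, here is an added example that is not code from the post or from ManageEngine. It encodes the eleven reports exactly as listed, classifies a constructed export of Security log events (a hypothetical pipe-separated "timestamp|eventid|user|host" format, not ELA's own) into those reports, raises an alert for the two events a SIM should never merely report (517 audit log cleared, 612 audit policy changed), and runs a simple failed-logon burst check over report 3. Two details worth noticing: event ID 644 appears under both User Account Changes and User Group Changes on the page, so the mapping allows one ID to land in several reports; and these are the pre-Vista Security log IDs (Windows 2000/2003), which Windows Vista/2008 and later renumbered (528/540 became 4624, for example), so such events deliberately show up in the example's "unmapped" bucket instead of being silently dropped.

```python
"""Classify Windows Security log events into the compliance reports listed above.
Added example, not ManageEngine code; the export format and log lines are constructed."""
from collections import Counter, defaultdict

# Report name -> set of (pre-Vista) event IDs, exactly as listed in the post.
COMPLIANCE_REPORTS = {
    "Successful User Logons": {528, 540},
    "User Logoffs": {538},
    "Logon Failures": {529, 530, 531, 532, 533, 534, 535, 536, 537, 539},
    "Audit Policy Changes": {612},
    "Audit Logs Cleared": {517},
    "Object Access": {560, 562, 563, 564, 565, 566, 567, 568},
    "System Events": {512, 513, 514, 515, 516, 518, 519, 520},
    "User Account Changes": {624, 625, 626, 627, 628, 629, 630, 642, 644},
    "User Group Changes": set(range(631, 642)) | set(range(643, 647)),
    "Successful User Account Validation": {672, 680},
    "Failed User Account Validation": {675, 681},
}

# Reverse index: event ID -> list of reports. A list, not a single name, because
# the page lists 644 under both account changes (8) and group changes (9).
EVENT_TO_REPORTS = defaultdict(list)
for _name, _ids in COMPLIANCE_REPORTS.items():
    for _eid in _ids:
        EVENT_TO_REPORTS[_eid].append(_name)

# Events that should page someone, not just appear in a scheduled report.
ALERT_EVENTS = {517: "audit log cleared", 612: "audit policy changed"}


def parse_line(line):
    """Parse one constructed export line 'timestamp|eventid|user|host' or return None."""
    fields = line.strip().split("|")
    if len(fields) != 4:
        return None  # malformed line: skip it rather than abort the whole run
    ts, eid, user, host = fields
    try:
        return {"time": ts, "event_id": int(eid), "user": user, "host": host}
    except ValueError:
        return None


def classify(lines):
    """Return (per-report counts, alert tuples, counts of event IDs no report covers)."""
    counts, alerts, unmapped = Counter(), [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reports = EVENT_TO_REPORTS.get(rec["event_id"])
        if not reports:
            unmapped[rec["event_id"]] += 1  # e.g. post-Vista IDs such as 4624
            continue
        for report in reports:
            counts[report] += 1
        if rec["event_id"] in ALERT_EVENTS:
            alerts.append((rec["time"], rec["host"], rec["user"],
                           ALERT_EVENTS[rec["event_id"]]))
    return counts, alerts, unmapped


def failed_logon_burst(lines, threshold=5):
    """Users with at least `threshold` failed logons (report 3): a simple anomaly check."""
    per_user = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event_id"] in COMPLIANCE_REPORTS["Logon Failures"]:
            per_user[rec["user"]] += 1
    return {user: n for user, n in per_user.items() if n >= threshold}


# Constructed sample export (not real log data); includes one post-Vista ID
# (4624) and one malformed line to exercise the edge cases.
SAMPLE_LOG = """\
2009-03-02 08:01:10|528|alice|FS01
2009-03-02 08:02:33|529|bob|FS01
2009-03-02 08:02:35|529|bob|FS01
2009-03-02 08:02:37|529|bob|FS01
2009-03-02 08:02:39|529|bob|FS01
2009-03-02 08:02:41|529|bob|FS01
2009-03-02 08:05:00|538|alice|FS01
2009-03-02 08:10:12|517|SYSTEM|DC01
2009-03-02 08:11:45|636|carol|DC01
2009-03-02 08:12:00|672|alice|DC01
2009-03-02 08:13:00|4624|alice|WS07
bad line
""".splitlines()

if __name__ == "__main__":
    counts, alerts, unmapped = classify(SAMPLE_LOG)
    for report, n in counts.most_common():
        print(f"{n:3d}  {report}")
    for alert in alerts:
        print("ALERT", alert)
    print("unmapped event IDs:", dict(unmapped))
    print("failed-logon bursts:", failed_logon_burst(SAMPLE_LOG))
```

On the sample the audit-log-cleared event on DC01 produces an alert, bob's five failures trip the burst check, event 636 lands in User Group Changes, and 4624 is reported as unmapped. That last bucket is the one to watch when auditing a report set: anything that consistently lands there is activity the compliance reports are not seeing.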
If you would like to enhance the compliance reports further, do let us know.
Thank You,
Parthasarathi