http://www.s-ox.com/Feature/detail.cfm?ArticleID=623
By Phil Hollows, 2005-02-28

From a Sarbanes-Oxley Section 404 perspective, any breach of IT security represents a risk to an internal system, including the systems covered by the standards implicit in Section 404's mandates. Since IT underlies the recording and reporting of all financial activity, a lack of control over IT security implies a lack of control over the organization's financial reports, in direct violation of Section 404.

Any compromised IT system, or an unmanaged attack that could produce a compromise, can be used to attack, compromise and degrade the integrity of the IT systems that support a covered firm's financial systems. Section 404 therefore carries with it a mandate to secure IT enterprise-wide, or at least to the point where the CEO, CFO and independent auditors are comfortable with the level of risk management applied to corporate IT in general and to financial IT systems specifically. Through the efforts of bodies such as ISACA, the ITGI, the PCAOB and COSO, frameworks such as COSO's internal control framework and COBIT have emerged that explicitly address the role of IT security in SOX compliance.

Taking Strategic Control of Security with SIM

Security information management (SIM) solutions are an emerging class of products that enable compliance through provable, fast threat detection, management and containment. Affordable, easily managed real-time security monitoring and correlation solutions offer public companies a compelling way to meet the implicit IT security mandates of SOX. Moreover, the reporting and full log storage capabilities of SIM products allow companies to prove that security policies are being followed, and even provide a framework that guides operators to respond to security threats and incidents in a consistent, compliant manner.
Finally, in addition to enabling compliance with SOX, SIM products can provide a low-maintenance security management framework that reduces the workload placed on IT security, improves the effectiveness of security operations, and enhances a company's ability to mitigate high-risk threats before they become successful exploits. The strategic opportunity for IT in public companies is therefore to think beyond the immediate compliance deadline and establish controls that ease compliance with tighter regulations over time, while ensuring that, if needed, the changes made to satisfy SOX can stand up in court. Building a defensible position against a class-action shareholder suit is one of the unfortunate situations that IT organizations need to plan for as they implement their compliance activities. As the financial scandals early in the decade showed, an auditor's sign-off is no guarantee that lawsuits can be avoided, and SOX Section 302 requires CEOs and CFOs to personally certify their financial reports, leaving them personally accountable for material misrepresentations.

Monitoring Security

Among the established IT compliance frameworks, the PCAOB's Auditing Standard No. 2 references IT controls but does not specify which IT controls an organization should deploy in order to be compliant with SOX. COSO, however, specifically calls out IT security monitoring as follows:

"Security monitoring - Building an effective IT security infrastructure reduces the risk of unauthorized access. Improving security can reduce the risk of processing unauthorized transactions and generating inaccurate reports, and can ensure a reduction of the unavailability of key systems if applications and IT infrastructure components have been compromised."
The ITGI's IT Control Objectives for Sarbanes-Oxley document, which provides specific recommendations based on COSO to guide compliance activities, identifies the need for a security monitoring control: "IT security administration monitors and logs security activity, and identified security violations are reported to senior management."

It is clear that to meet the general IT security requirements of SOX, organizations need to deploy multiple security point solutions such as firewalls, intrusion detection systems (IDS), anti-virus systems and others. That is a given. But simply deploying point solutions on networks, servers or desktops does not, by itself, satisfy the security monitoring requirement implied by Section 404. A true monitoring solution must show that the products deployed to protect a company's critical assets are in fact working properly, and the only way to do that is to collect, manage and retain the relevant threat data from the individual point solutions. SIM extends the real-time monitoring of events detected by network and application security systems by enabling operators to detect and manage threats to the integrity of the company's financial systems using alerts from across the entire enterprise. And SIM provides real-time, actionable information, not monthly reports that end up in an auditor's filing cabinet.

Correlation: Finding the Threat Needle in the Security Haystack

Identifying the threats that can cause an incident from the data that enterprise security systems report quickly becomes a massive challenge. With large populations of security solutions to monitor, IT security professionals need to collect disparate information from diverse sources, quickly assess its impact, and make timely decisions before major damage is done. They also need a way to keep all of this information in one convenient place for reporting purposes.
The data volumes are colossal: many millions to billions of log entries are recorded by an enterprise's systems every day. Threats need to be identified in this stream and dealt with, and the data needs to be stored without requiring warehouses full of expensive storage area networks. Then a determination needs to be made quickly: is this threat real? How much risk does it represent? How should it be managed?

Worse, IT security challenges keep growing as an increasing number of diverse security products are deployed to combat an increasing number of threats, exploits and attackers. As technologies such as the 802.11 family of wireless protocols render the notion of a secure perimeter increasingly porous, the number of security systems that need to be deployed and monitored will only continue to grow. For each class of security system, organizations face many choices: firewalls (network, application and protocol-based), intrusion detection and prevention systems (IDS and IPS), anti-virus (AV) systems, virtual private networks (VPN), host-based protection and a range of dedicated network security appliances. Monitoring network devices such as routers and switches for suspect activity is now a fact of life as well, since these, too, have known vulnerabilities that can be exploited. Every organization's security strategy will involve some combination of these techniques, depending on its strategic goals and acceptable degree of risk.

Real-time security event correlation is the key to making this mountain of data manageable again. A typical SIM system will:

* Collect log file and event data from multiple security, network and server sources.
* Normalize and correlate these events in real time to identify threats before they become security breaches.
* Prioritize threats according to risk-based event weighting, target vulnerability, asset value and historical activity.
* Maintain a threat database, including a taxonomy of known threats, vulnerabilities and exploits.
* Provide extensive threat, attack and forensic reporting and analysis capabilities.
* Enable automated and guided operator actions for consistent incident response.

Given the existing costs and workloads of compliance implementation teams, the goal of a SIM must be to deliver these capabilities in as minimally invasive a way as possible and, through correlation, to reduce the time and resources spent on incident response.

Is this practical? In a recent eWeek article, one SIM user, Adam Hansen of the law firm Sonnenschein, Nath and Rosenthal, described his firm's experience after deploying a SIM. His SIM monitors 9 million security events a day and accurately identifies 20 or 30 events of interest. From there, the firm's administrators need to investigate only one to three events a day. "We reduced our incident response time from 24 hours to minutes," said Hansen. "We deal with an event as soon as it happens rather than look at a log." Hansen's experience is not unique. According to ComputerWorld, Scitum SA, an MSSP, recently reported an event reduction factor of 10,000 after deploying a SIM in its security operations center.

Monitoring and Vulnerability Management - A Comprehensive Risk Management Strategy

These examples are impressive feats, to be sure. But does that mean SIM is right for all organizations? Managers might think they don't need SIM, particularly when investing in a comprehensive, and undoubtedly expensive, set of vulnerability management products and processes. An ounce of prevention is worth a pound of cure, it's true. Many security systems and technologies have been deployed to prevent intruders from accessing high-value systems.
First came firewalls; then the mail worms, the web buffer overflows and the RPC exploits marched right through the open ports to wreak havoc on their targets on the inside. IDS arrived, but didn't actually stop anything. Then IPS, and next, who knows? If there is a lesson to be learned, it is that no matter what technology is deployed, it will have a flaw, a way to be defeated, or will be so untrusted (for example, because of too many false positives) that it is not functionally useful.

Enter vulnerability management solutions. The premise is simple and seductive. If there are no vulnerabilities to exploit, there is no risk. Identify and mitigate the open vulnerabilities and risk is eliminated: there is nothing to compromise. The good guys win. Right?

Not exactly. IT security managers should be actively managing system vulnerabilities, and nobody should counsel otherwise. However, they should do so rationally, methodically, and with an understanding of the risks and rewards at each step. What is absolutely not true is that every system can be patched perfectly, at least not in a timely, cost-effective manner. An organization simply cannot patch against social engineering (persuading a human to do something for you that you can't, like resetting an administrative password). It cannot patch against a careless or corrupted employee placing a wireless access point inside the network, completely bypassing the perimeter defenses. It cannot patch a system against weak physical security. It cannot patch against someone emailing a customer list to a competitor. It cannot patch systems it is unaware of, such as embedded databases or web servers. And if, for example, an organization's engineering group uses a product like Ghost to re-image test machines, any patches it applies could be here today and gone tomorrow. It is clear: even with an extensive and comprehensive vulnerability and patch management program in place, it remains vital to monitor security systems.
Remember, from the attacker's perspective, there is always a workaround. There is always a signature the system doesn't know about. There is always a new user the anomaly detector hasn't discovered. There is always a careless default installation or a system that nobody has gotten round to yet. There is always a thoughtless user to social engineer. There is always someone to corrupt, a system to bypass, a new trick to employ. So one of the biggest mental hurdles to overcome when planning risk mitigation and prevention is accepting that it is impossible to remove 100% of vulnerabilities with a patching approach. It can't be done. It won't ever be done. Plan for it.

Ultimately, this is how SIM complements vulnerability management. Section 404 requires security monitoring. Prudent risk management also says companies shouldn't put all their security eggs in the vulnerability management basket. A mature, compliant IT security organization will deliver strong mitigation and monitoring solutions, and will also have a well-defined (and practice, practice, practice!) containment and incident response strategy: all three legs of the stool are required.

SIM: Automating Real-Time Risk Analysis for Compliance

Risk, whether accepted, mitigated or transferred, is at the heart of IT security planning and monitoring. An attack event from a single device is relatively meaningless in isolation; there is no context within which to judge its relevance and importance. By using SIM to evaluate individual events in the context of the real-time enterprise threatscape, it is possible to assign a risk value to each individual event. A security monitoring solution that cannot manage log collection from different sources, quickly triage events using a risk-based approach, and meet defined response times risks failure, and that is exactly what a SIM solution provides.
A good, risk-based approach enables the SIM to evaluate the following factors for each event detected, adjust the event's risk weight accordingly, and then alert based on a defined risk profile. These sample factors show how the view of an event's risk changes with its context:

* The source of an attack: Inside or outside? A new employee or a competitor?
* The target: A print server, or the database holding customers' social security numbers?
* The exploit being used: A simple probe, or something that gives the attacker complete control?
* The vulnerability of the target: Is the system vulnerable? And how old is the scan?
* The user: Is someone pretending to be an administrator?
* Activity: Have we seen this before? Is it a persistent pattern, or an apparent one-off?

All of this analysis needs to happen in real time so that organizations can anticipate and manage a breach immediately. Running a retrospective report is too little, too late, and is by no means a "monitoring solution": by the time the report runs, the organization has already been compromised. Game over.

Going Beyond Compliance to Better Security

The ability of a SIM to accurately identify threats can yield enormous savings in operational efficiency. But the potential benefits don't stop there. The ability of a SIM to respond automatically to an attack can make the difference between simply detecting a threat and actually containing it. Foiling worm attacks is a good example of how automated remediation through a SIM can limit the speed and scope of an infection, in effect automating a containment strategy. To apply process controls, for example, a SIM can be configured to take an automated action if, and only if, a threat that passes the filter criteria has reached the critical state. Its users can create many different automated responses, each with its own combination of filters and actions.
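The collect, normalize, correlate and prioritize steps of a typical SIM from the previous section, the context factors listed above, and the filter-then-act rule just described can be shown together in a few dozen lines. The following Python sketch is an added example, not code from the article or from OpenService's product. Everything in it is a constructed assumption: the pipe-delimited log records, the asset inventory and its scan results, the 10.0.0.0/8 address range, the severity scale, the weights and the two thresholds.

```python
import ipaddress
from collections import defaultdict

# Constructed assumptions (not from the article): corporate address space,
# severity scale, asset inventory with last-scan results, weights and thresholds.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SEVERITY_BASE = {"info": 0, "low": 1, "medium": 3, "high": 6}   # probe .. full control
ASSETS = {
    "10.1.5.20": {"name": "finance-db", "value": 10,
                  "vulns": {"MSSQL overflow"}, "scan_age_days": 3},
    "10.1.9.3":  {"name": "print-srv", "value": 1,
                  "vulns": set(), "scan_age_days": 45},
}
PRIVILEGED_USERS = {"administrator", "root", "sa"}
STALE_SCAN_DAYS = 30
REPEAT_THRESHOLD = 3
WARN, CRITICAL = 50, 100

# Constructed sample records from three source types; real devices each need their own parser.
SAMPLE_LOGS = [
    "fw|2005-02-28T09:00:01|src=203.0.113.7|dst=10.1.5.20|dport=1433|action=allow|sev=info",
    "ids|2005-02-28T09:00:02|src=203.0.113.7|dst=10.1.5.20|sig=MSSQL overflow|sev=high",
    "ids|2005-02-28T09:00:04|src=203.0.113.7|dst=10.1.5.20|sig=MSSQL overflow|sev=high",
    "ids|2005-02-28T09:00:05|src=203.0.113.7|dst=10.1.5.20|sig=MSSQL overflow|sev=high",
    "ids|2005-02-28T09:01:10|src=198.51.100.9|dst=10.1.9.3|sig=ICMP sweep|sev=low",
    "auth|2005-02-28T09:02:00|src=10.1.7.44|dst=10.1.5.20|user=Administrator|result=fail|sev=medium",
]


def parse_event(line):
    """Normalize one record from any source into a common key/value schema."""
    source, ts, *fields = line.strip().split("|")
    ev = {"source": source, "ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_event(ev):
    """Weight a single event by the context factors: exploit, target, source, vulnerability, user."""
    asset = ASSETS.get(ev["dst"], {"name": "unknown", "value": 1,
                                   "vulns": set(), "scan_age_days": None})
    risk = SEVERITY_BASE.get(ev.get("sev", "info"), 0) * asset["value"]
    # source: an insider reaching a covered system weighs more than an outsider
    risk *= 1.5 if is_internal(ev["src"]) else 1.0
    # target vulnerability: a stale or missing scan is "unknown", never "safe"
    sig = ev.get("sig")
    if sig:
        age = asset["scan_age_days"]
        if age is None or age > STALE_SCAN_DAYS:
            risk *= 1.5
        elif sig in asset["vulns"]:
            risk *= 2.0
        else:
            risk *= 0.5
    # user: failed use of a privileged account
    if ev.get("user", "").lower() in PRIVILEGED_USERS and ev.get("result") == "fail":
        risk *= 2.0
    return risk


def response_for(risk):
    """Automated action only past the critical threshold; guided operator action below it."""
    if risk >= CRITICAL:
        return "auto-block-source"
    if risk >= WARN:
        return "escalate-to-operator"
    return "log-only"


def correlate(lines):
    """Group events by (src, dst), apply the activity factor, and return alerts by priority."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        groups[(ev["src"], ev["dst"])].append((ev, score_event(ev)))
    alerts = []
    for (src, dst), items in groups.items():
        hits = [s for _, s in items if s > 0]
        if not hits:
            continue            # purely informational traffic is stored, not alerted on
        # activity: a persistent pattern outweighs an apparent one-off
        risk = max(hits) * (1.5 if len(hits) >= REPEAT_THRESHOLD else 1.0)
        alerts.append({
            "src": src, "dst": dst,
            "asset": ASSETS.get(dst, {}).get("name", "unknown"),
            "hits": len(hits), "risk": risk,
            "signatures": sorted({ev["sig"] for ev, _ in items if ev.get("sig")}),
            "response": response_for(risk),
        })
    return sorted(alerts, key=lambda a: a["risk"], reverse=True)


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"{a['risk']:6.1f} {a['response']:22} {a['src']} -> {a['dst']} "
              f"({a['asset']}) hits={a['hits']} {a['signatures']}")
```

Two design choices reflect the argument above: a stale or missing vulnerability scan raises the weight rather than lowering it, because "not known to be vulnerable" is not "safe"; and the automated block fires only once a correlated group, not a single event, crosses the critical threshold, while mid-range risk (here the failed Administrator logon against the finance database) goes to a guided operator action and the probe against the print server is merely logged.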
Automated responses to known classes of intrusion attempt demonstrate clear, consistent and controlled risk-oriented policies towards IT security and threat management, a core item in SOX compliance evaluation. Organizations can also link the SIM to internal knowledge bases, resource links and procedure manuals keyed to the alert and event data it correlates, define management options for users, and display them as choices for operators to take. As a result, operators respond to threats consistently, with the SIM helping to define, manage and enforce containment processes.

Real-time risk management using SIM takes the vulnerability and risk approach and applies it to the IT network and security infrastructure in real time. It properly takes the source of an attack into account in the modified risk equation, enabling much more effective internal management of launched attacks. SIM also builds on the heterogeneous security and vulnerability infrastructure already deployed, making those systems significantly more effective than they are as standalone, isolated point solutions. SIM gives each system an enterprise-wide management context through the correlation process.

This is possible because SIM is a security management application, not a security technology. It doesn't sniff packets on the wire or verify whether machines are patched. What it does is bring data together through a real-time correlation process that considers all of these factors, as collected by the relevant underlying technology products, to help manage the data gathered from them and to automate threat analysis and prioritization.

SIM for SOX!

SIM and its functions are the keys to an organization's ability to prove that its network security products and practices are in compliance.
SIM enables demonstrable compliance by implementing several mechanisms on any monitored sensor, device or application: real-time log monitoring, prioritized threat alarms and escalations, audit trails and configuration versioning, threat, event and forensic reporting, and standardized threat and incident responses. It proves that the alarms are on and that someone is listening. SIM affords organizations a strategic opportunity by enhancing security operations efficiency, ensuring consistent threat response, and centralizing full log management, archiving and analysis. But for SIM to be most strategic, it should scale beyond the short-term audit process to handle growth, mergers and acquisitions without adding significant structural costs and extra workload to already stretched security functions. In a nutshell, if implemented well, SIM both ensures compliance with SOX Section 404 and affords organizations additional compelling business benefits.

-=-

Phil Hollows, Vice President of Security Products, OpenService
http://www.open.com

Phil has more than 17 years of experience in product marketing, product management, development leadership and consulting.