Jörn Dierks, NetIQ: Understanding Compliance

October 2007 by Jörn Dierks, NetIQ, Product Line Manager EMEA

Implementing and monitoring IT compliance means not only ensuring the basic technical prerequisites in the security sector, but also – and primarily – understanding and conforming with the security processes in the enterprise. The following article explains the specific requirements for implementing sustainable compliance management – a challenge made ever more urgent not only on account of the growing number of regulatory requirements but the increasing number of internal directives as well. Without proper tools to support the corresponding processes, compliance management becomes an impossible task.

Ensuring compliance within the enterprise – i.e. conformity with behavioural rules, legal requirements and regulations – is an important aspect of IT. Due to the legal situation, however, the focus is often solely on legal and industry standards (e.g. Sarbanes-Oxley (SOX), Basel II, PCI DSS). What is frequently overlooked is that compliance with internal directives must also have a high priority, because it is compliance with these internal rules that is particularly effective in eliminating internal threats.

An analysis of the regulations that apply for an enterprise will reveal that the individual requirements all relate to IT to a greater or lesser degree. In the case of SOX, for example, framework control models such as COBIT are required to close the gap between the requirements for controls, the technical requirements and the business risks.

Other regulations, by contrast, set out explicit specifications with respect to IT security requirements, as the example of PCI DSS (Payment Card Industry Data Security Standard) illustrates. The requirements here range from standard IT security solutions (e.g. building a secure network with firewalls) to securing credit card information (secure storage and transmission) and even the requirement of ongoing monitoring and regular verification of security systems and processes within the enterprise.

This last point in particular underscores the paramount criterion for compliance: regular verification of the effectiveness of the implemented measures and processes in the enterprise. Today, it is no longer enough simply to install a firewall and assume that the system is secure. Rather, it is necessary to develop a process view of IT security, bring IT objectives into line with those of the enterprise and create an awareness for the issue of IT security in general and the existing processes in particular.

The technical solutions to support compliance are often an additional matter requiring analysis. The vast majority of enterprises today have fully mastered the conventional IT security strategies (such as firewalls, antivirus software, server systems, VPN solutions and content management). However, when it comes to the ongoing monitoring and regular verification of IT required to ensure compliance, security information and event management (SIEM) and security configuration management (SCM) solutions can provide powerful assistance.

In the following, some of the requirements for such solutions are described on the basis of examples.

Risk metrics are used to quantify the risk

Risk metrics are used to quantify the risk e.g. of weak points and violations of regulations. Evaluation of the data is no simple task, as this usually consists of multidimensional data that is extremely difficult to administer manually – which is due not least to the complexity of today’s IT environments. A further complicating factor is that the various persons involved in the process require reports that are tailored to their highly specific roles. SCM solutions represent an effective tool, as they not only supply the required information but also reduce the workload on the IT staff – a welcome opportunity to optimise the deployment of valuable, finite resources.

Compliance reporting is a high-priority issue

Particularly in the area of compliance, effective reporting is a high-priority issue. On the technical side, an SCM solution can verify compliance with the technical rules derived from the compliance requirements. To accomplish this, it is first necessary to implement the regulations to be complied with in the form of policy templates, or use templates that conform with the regulations that are provided in the SCM solution. With the aid of these templates, the IT environment can be verified and a report on deviations generated. However, the SCM solution not only provides technical reports for administrators, but also integrates the data in the risk metrics discussed above. The SCM solution is thus capable of preparing data in a form suitable for management in a security dashboard. In the process, it also demonstrates to auditors that effective control measures exist and have been implemented within the context of a defined process – a key requirement in the compliance area.
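As an added illustration of the policy-template approach described above (example code, not NetIQ's product or any real policy template): a constructed PCI-style template of four checks is evaluated against a constructed host configuration snapshot, yielding the technical deviation report for administrators and the weighted risk figure for the management dashboard. The check ids, keys and weights are assumptions.

```python
# Constructed example: a policy template is a list of checks, each mapping a
# configuration key to the value the regulation requires, plus a weight that
# feeds the risk metric. Ids, keys and weights are assumptions, not a real standard.
PCI_STYLE_TEMPLATE = [
    {"id": "PWD-01", "key": "password.min_length", "op": ">=", "expected": 7, "weight": 3,
     "text": "Passwords must be at least 7 characters"},
    {"id": "PWD-02", "key": "password.max_age_days", "op": "<=", "expected": 90, "weight": 2,
     "text": "Passwords must be changed at least every 90 days"},
    {"id": "LOG-01", "key": "audit.logging_enabled", "op": "==", "expected": True, "weight": 5,
     "text": "Audit logging must be enabled"},
    {"id": "NET-01", "key": "services.telnet_enabled", "op": "==", "expected": False, "weight": 4,
     "text": "Cleartext remote administration must be disabled"},
]

# Constructed configuration snapshot of one host, as an SCM agent would collect it.
HOST_SNAPSHOT = {
    "hostname": "dbserver01",
    "password.min_length": 6,
    "password.max_age_days": 60,
    "audit.logging_enabled": True,
    "services.telnet_enabled": True,
}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}

def evaluate(template, snapshot):
    """Return the deviations: checks the host fails or that cannot be measured."""
    deviations = []
    for check in template:
        actual = snapshot.get(check["key"])
        # A setting the agent could not collect counts as a deviation: unknown is not compliant.
        if actual is None or not OPS[check["op"]](actual, check["expected"]):
            deviations.append({**check, "actual": actual})
    return deviations

def risk_score(template, deviations):
    """Weighted share of failed checks, from 0 (fully compliant) to 100."""
    total = sum(c["weight"] for c in template)
    failed = sum(d["weight"] for d in deviations)
    return round(100 * failed / total) if total else 0

def admin_report(snapshot, deviations):
    """Technical report for administrators: one line per deviation."""
    return [f"{snapshot['hostname']}: {d['id']} {d['text']} "
            f"(found {d['actual']!r}, expected {d['op']} {d['expected']!r})" for d in deviations]

def dashboard_entry(template, snapshot):
    """Management view: one compliance figure per host for the security dashboard."""
    devs = evaluate(template, snapshot)
    return {"host": snapshot["hostname"], "failed_checks": len(devs), "risk": risk_score(template, devs)}
```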

Event management and incident response

Particularly on account of the use of different technologies in the area of established IT solutions (see above), it is difficult to effectively analyse the information produced by the individual systems. In the past, many enterprises opted for a best-of-breed philosophy to ensure deployment of the best-fit product for each individual issue. This makes central management of the information (log data) generated by all these solutions all the more necessary. The event management of an SIEM solution is of great help here. However, administrators need to make sure that this solution not only can receive data from network components (e.g. via syslog) but also includes a high-performance host component. In the area of real-time analysis, the event management identifies the relevant events and can, if desired, execute appropriate responses. It can identify threats, detect changes e.g. to the system configuration and report violations of regulations. For compliance management purposes, this includes monitoring of access to particularly sensitive data. A complete audit trail of employee access to sensitive data, such as the financial data of an enterprise or customer credit card information, is a key requirement of many regulations. The most efficient way to implement this requirement is through the deployment of SIEM solutions that install an agent on the server systems which performs auditing locally. The native audit functions of operating systems have still not proven sufficiently efficient in practice with respect to performance, so that agent-based solutions that use their own audit technology are often the more effective solution. When an incident is detected, the SIEM solution notifies the appropriate incident response staff members, who can both utilise an integrated knowledge base and analyse the incident using automated forensic analysis and reporting tools.

Log management normalizes and archives

The primary task of the log management functionality of an SIEM solution is to normalize and archive the log data of the enterprise IT and security solutions following their transmission to the central log archiving server. Normalisation is a key step for the analysis of the information, not least because it ensures that the information of a log entry is assigned to individual data fields (e.g. computer, user, event ID). This makes it subsequently possible to execute forensic analyses with the corresponding query criteria across all platforms and applications. The SIEM significantly reduces the time IT staff needs to spend on managing and analysing log files, enabling them to focus e.g. on processing the reported events and ultimately enhance the security of the IT environment. It is in the interests of the enterprise to deploy an SIEM solution. On the one hand, it significantly reduces the workload; at the same time, the majority of compliance regulations and directives require that log data be regularly analysed and archived for longer periods to enable later forensic analyses.
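The normalisation step and the cross-platform query it enables, as an added example that is not part of the original article: two constructed log lines (a Linux syslog audit line and a Windows-style event line) are mapped onto the common fields computer, user, event ID, object, action and outcome, after which one query finds access to sensitive data on both platforms. Both log formats and the field names are assumptions.

```python
import re

# Constructed sample log lines (not from the article): one Linux syslog audit-style
# line and one Windows-style event line, so the normalizer must handle two platforms.
SAMPLE_LOGS = [
    "Mar 14 09:12:01 fileserver01 audit: user=jsmith action=open file=/finance/ledger.xls result=success",
    "2007-03-14T09:13:45 HOST=WINAPP02 EVENTID=4663 USER=CORP\\mjones OBJECT=D:\\cards\\pan.db ACCESS=read STATUS=success",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) audit: (?P<kv>.*)$")
WINEVT_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<kv>HOST=.*)$")

def _kv(text):
    """Split 'key=value key=value' pairs into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in (p.split("=", 1) for p in text.split() if "=" in p)}

def normalize(line):
    """Map a raw line onto the common fields; None for lines no parser understands."""
    m = SYSLOG_RE.match(line)
    if m:
        f = _kv(m.group("kv"))
        return {"timestamp": m.group("ts"), "computer": m.group("host"), "user": f.get("user"),
                "event_id": "audit." + f.get("action", "unknown"), "object": f.get("file"),
                "action": f.get("action"), "outcome": f.get("result"), "source": "syslog"}
    m = WINEVT_RE.match(line)
    if m:
        f = _kv(m.group("kv"))
        return {"timestamp": m.group("ts"), "computer": f.get("host"), "user": f.get("user"),
                "event_id": f.get("eventid"), "object": f.get("object"), "action": f.get("access"),
                "outcome": f.get("status", "").lower(), "source": "windows"}
    return None  # unparsed lines are kept aside for review, never silently dropped

def query(records, **criteria):
    """Forensic query across platforms: records whose fields contain every given value."""
    return [r for r in records
            if all(v.lower() in str(r.get(k) or "").lower() for k, v in criteria.items())]

def sensitive_access(lines, sensitive_paths=("/finance/", "\\cards\\")):
    """Audit trail of access to sensitive data, regardless of which platform logged it."""
    records = [r for r in (normalize(l) for l in lines) if r]
    return [r for r in records
            if any(p.lower() in (r["object"] or "").lower() for p in sensitive_paths)]
```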

SIEM & SCM solutions represent an ideal complement to the standard IT security solutions

In the area of compliance, SIEM and SCM solutions represent an ideal complement to the standard IT security solutions (firewalls, AV, NIDS, etc.). No enterprise should be without such solutions, as particularly the SIEM and SCM solutions cover an essential part of the requirements of the great majority of compliance regulations, namely auditing and monitoring of the deployed solutions and processes.
