May 2007

Efficient, Cost-effective Approach to Security Operations

Views: 293

Security breaches can have serious, measurable consequences: lost revenue, downtime, damage to reputation, damage to IT assets, theft of proprietary or customer information, cleanup and restoration costs, and potential litigation costs. To reduce these risks, security organisations need the capability to quickly identify and react to attacks.

Network Security or Information Security, as many would like to call it, has evolved over years together. With evolution of Internet and its supporting technologies, access to information has been just a click away. With the ease of access to information, the misuse of the same has been a grave concern. Organisations, especially the public sector, are facing daunting tasks of providing simple, efficient access to some informations while keeping other data away from the legitimate users as well as determined hackers.

In addition to the issues mentioned above, organisations have other multitude of security related issues which needs to be addressed, including physical security, internal threats, privacy concerns and evolving legal requirements.

If all of the above concerns are not handled in correct manner, Organisations are put up in severe risk– both legallyand financially.

Gone are the days when organisations would implement Firewalls and feel safe. As the  security requirement grows, there is a need that the organisation be more proactive than being reactive. No longer are the threats frequent and severe but the cost of potential attacks are also growing.

Need of Proactive Security Management

There are quite a few security point products that address different issues in building and  maintaining secure infrastructure. Technologies like firewalls, intrusion detection/ prevention systems, content management systems, strong authentication mechanisms,  access control (Authorisation) systems etc. have been addressing the security concern in their own way.

However, the problem with these security elements/ devices are that they have their own  paraphernalia, their own mechanism of collecting information and their own way of altering  the security personnel of possibility of security breaches. In addition, these security  devices/elements generate plethora of data on the information it collected and  processed, which we all call as logs. Going through these logs of various devices is intricate and that too in real-time is humanly impossible.

Furthermore, as the infrastructure grows in size and complexity, it become further difficult to track the information and analyse to make sense out of it to get complete security health of the organisation.

SIEM : tackling the Security threats in Proactive Manner

Security information and event management (SIEM) systems helps users to gather, store,  correlate and analyse security log data from many different information systems. This data  may prove valuable as part of a network security, organisation’s immediate response to an  attack, making it possible to see, for example, all the virtual private network connections that were active, when a behind-the-firewall server came under attack. Or in the case of an  incident discovered after the fact, such as the theft of credit card numbers, the system could produce reports for police and regulators from the archived log data.

IBM provides IBM Tivoli® Security Operations Manager — a Security Information and Event Management (SIEM) platform designed to improve the effectiveness, efficiency and visibility of security operations and information risk management. Tivoli Security Operations Manager centralises and stores security data from entire technology infrastructure so that one can:

  • Automate log aggregation, correlation and analysis.
  • Recognise, investigate and respond to incidents automatically.
  • Streamline incident tracking and handling.
  • Enable monitoring and enforcement of policy.
  • Provide comprehensive reporting for compliance efforts

Tivoli Security Operations Manager automates many repetitive, time-intensive activities  required for effective security operations. The result is an efficient, cost-effective approach to security operations.

Tivoli Security Operations Manager provides a platform from which organiations can  automatically aggregate host logs, security events, asset data and vulnerability data. One can select how much data one wants for the software to draw in — and from which sources —  and Tivoli Security Operations Manager gathers the data using standard and native protocols  such as Extensible Markup Language (XML), syslog, Simple Network Management Protocol  (SNMP), Simple Mail Transfer Protocol (SMTP), CheckPoint OPSEC, Sourcefire eStreamer and  many more. It can also use its own low-impact universal agent to collect information. Tivoli Security Operations Manager collects event and log data from hundreds of different devices  today “out of the box.” Additionally, one can add support for custom devices and internal applications.

Improve incident detection by correlating across devices

Drawing on information from across the infrastructure, Tivoli Security Operations Manager   can help detect attacks, misuse and anomalous activity. The software analyses and prioritises event data using four complementary correlation techniques:

  • Rule-based correlation — detects known attacks and policy violations.
  • Vulnerability correlation — maps known attacks to known system vulnerabilities.
  • Statistical correlation — identifies anomalies by performing advanced analysis of events and hosts.
  • Susceptibility correlation — helps determine the likelihood of exposure for any given system.

Additionally, Tivoli Security Operations Manager can use one’s business priorities to weigh  the importance of assets during the correlation process in order to prioritise security activities. When security analysts use the console, they see not an endless list of security  events, but meaningful information that has been prioritised in alignment with your goals  and policy.

Reduce time to mitigation through integrated incident investigation and response

To help drastically reduce the time it takes to handle attacks, misconfigurations and misuse,  Tivoli Security Operations Manager tightly integrates its investigation and response tools.  The software also facilitates the escalation and tracking process. Investigative features include the following:

  • Integrated one-click investigation tools.
  • Automated responses to block threats and close the loop.
  • Geographic tracking of suspicious activity.
  • Security-oriented ticketing system.

Improve efficiency through operational integration

Tivoli Security Operations Manager addresses operational inefficiencies experienced by siloed  IT organisations by facilitating the flow of incident management data between security,  network and systems management operations teams. For example, Tivoli Security Operations  Manager integrates closely with enterprise network and system management products — including event managers and dashboards, as well as IBM Tivoli Enterprise  Console® — and IT help-desk ticketing systems.

One can leverage these integrations to:

  • Support business and service assurance requirements.
  • Correlate security insights with information from the broader operations environment.
  • Further facilitate incident remediation.

Tivoli Security Operations Manager also integrates with IBM Tivoli Identity Manager and IBM Tivoli Access Manager for e-Business to provide monitoring and oversight for customer’s identity and access policies — enforcing policies, and quickly detecting and addressing potential misuse attempts.

DeepeN understanding through comprehensive reporting

The on-the-fly data mining, historical reporting, self-auditing and tracking capabilities in    Tivoli Security Operations Manager provide critical components for understanding security trends. What’s more, these reports help IT communicate relevant security information to other audiences, such as management and audit teams. Features include:

  • Standard and customisable report templates.
  • An automated report scheduler.
  • HTML, PDF and XML exporting of all graphs and charts.
  • Self-auditing and tracking of all security activities.

Tivoli Security Operations Manager draws on information stored in a security event database to deliver on demand historical reporting and trending.

Conclusion

Security breaches can have serious, measurable consequences: lost revenue, downtime,    damage to reputation, damage to IT assets, theft of proprietary or customer information, cleanup and restoration costs, and potential litigation costs. To reduce these risks, security organisations need the capability to quickly identify and react to attacks.

Tivoli Security Operations Manager provides a holistic view of an organisation security posture and the abilities to drill down and investigate attacks quickly. As a result, it is a valuable tool in helping prevent intrusions and helping maximise the security of one’s business.

Information Security

Information security is the process of protecting data from unauthorized access, use,  disclosure, destruction, modification, or disruption. The terms information security, computer security and information assurance are frequently used interchangeably. These  fields are interrelated and share the common goals of protecting the confidentiality, integrity  and availability of information; however, there are some subtle differences between them.  These differences lie primarily in the approach to the subject, the methodologies used, and the  areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic,print, or other forms.

The ISO-17799:2005 Code of practice for information security management recommends the  following be examined during a risk assesment: security policy, organization of information security, asset management, human resources security, physical and environmental  security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management,  business continuity management, and regulatory compliance.

In broad terms the risk management process consists of:

  1. Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
  2. Conduct a threat assessment. Include: Acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
  3. Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
  4. Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
  5. Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
  6. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernable loss of productivity.

Source: http://en.wikipedia.org/wiki/Information_security

Comments

comments

Click to comment

Leave a Reply

Your email address will not be published.

Latest News

To Top