Cyber Security
You need sharper Cyber Security against stealth attacks
Visibility is even more crucial in the face of advanced cyber security threats
A single command and control view for enterprise security
To provide an enterprise-wide perspective of risk and compliance, an effective security
solution must provide a single command and control view. It must also identify new
threats and the new avenues by which they infiltrate organizations. The last couple of
years have seen a shift from indiscriminate attacks on many targets to fewer attacks on
quite specific targets. Often these take the form of Advanced Persistent Threats (APTs),
which combine spear-phishing, custom Trojans and beaconing (periodic call-backs from the
implant to its command and control infrastructure).
It’s therefore crucial for effective enterprise cyber security to:
• Be horizontally and vertically scalable;
• Have the capacity to collect all of the vital data all of the time;
• Be proactive, not reactive, and allow for real-time interpretation of all events;
• Bridge all security information silos so that blind spots are eliminated;
• Provide multi-dimensional and dynamic behavioural analysis;
• Facilitate external data enrichment, i.e. correlating with external data stores
(vulnerability assessment results, IAM, CMDB, etc.) to validate and enrich alerts.
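The last point, validating an alert against what the organisation already knows about the target, is the one that most often separates a useful alert from noise. The following is an added example (not the page’s own code, nor any vendor’s) of that correlation step: an intrusion-detection alert is joined with vulnerability-scan results, the CMDB asset record and directory (IAM) attributes before a priority is assigned. The field names, the in-memory lookup tables and the scoring weights are constructed for illustration; in a deployment the lookups would be queries to the scanner, CMDB and directory.

```python
"""Enrich an IDS alert with vulnerability-assessment, CMDB and IAM context.

Added example, not code from the original page. All data below is
constructed: VA_FINDINGS stands in for the latest scan results, CMDB
for the asset register and IAM for the directory.
"""

VA_FINDINGS = {  # ip -> set of CVEs still open after the last scan
    "10.0.1.20": {"CVE-2011-3544", "CVE-2012-0507"},
    "10.0.1.21": set(),  # scanned, nothing open
}
CMDB = {  # ip -> asset record
    "10.0.1.20": {"hostname": "pay-db01", "owner": "Payments",
                  "criticality": "high", "pci_scope": True},
    "10.0.1.21": {"hostname": "kiosk07", "owner": "Facilities",
                  "criticality": "low", "pci_scope": False},
}
IAM = {  # username -> account attributes
    "svc_backup": {"privileged": True, "enabled": True},
    "jdoe": {"privileged": False, "enabled": True},
}

CRITICALITY_WEIGHT = {"low": 0, "medium": 1, "high": 2}


def enrich(alert, va=VA_FINDINGS, cmdb=CMDB, iam=IAM):
    """Return a copy of `alert` with asset/account context and a priority.

    If the alert names a CVE and the scanner says the target does not have
    it, the alert is marked 'suppress' (an exploit against a patched host).
    Otherwise a score is built from asset criticality, PCI scope, whether a
    privileged account is involved, and whether the target is known to be
    vulnerable. An asset missing from the CMDB is treated as suspicious
    rather than ignored: something is on the network the register lacks.
    """
    out = dict(alert)
    asset = cmdb.get(alert["dst_ip"])
    open_cves = va.get(alert["dst_ip"])
    account = iam.get(alert.get("user", ""))
    out["asset"] = asset
    out["account"] = account

    cve = alert.get("cve")
    if cve and open_cves is not None:
        out["target_vulnerable"] = cve in open_cves
    else:
        out["target_vulnerable"] = None  # unknown: never scanned or no CVE

    if out["target_vulnerable"] is False:
        out["score"] = 0
        out["priority"] = "suppress"
        return out

    score = 1
    if asset is None:
        score += 2  # unknown asset
    else:
        score += CRITICALITY_WEIGHT[asset["criticality"]]
        if asset["pci_scope"]:
            score += 1
    if account and account["privileged"]:
        score += 2
    if out["target_vulnerable"] is True:
        score += 2
    out["score"] = score
    out["priority"] = ("critical" if score >= 6
                       else "high" if score >= 4
                       else "medium")
    return out


# Constructed sample alerts.
EXPLOIT_ON_VULNERABLE_DB = {"sig": "Java RCE attempt", "cve": "CVE-2012-0507",
                            "src_ip": "203.0.113.9", "dst_ip": "10.0.1.20",
                            "user": "svc_backup"}
EXPLOIT_ON_PATCHED_KIOSK = {"sig": "Java RCE attempt", "cve": "CVE-2012-0507",
                            "src_ip": "203.0.113.9", "dst_ip": "10.0.1.21",
                            "user": "jdoe"}
LOGIN_ON_UNKNOWN_HOST = {"sig": "Brute-force login", "src_ip": "203.0.113.9",
                         "dst_ip": "10.0.1.99", "user": "jdoe"}

if __name__ == "__main__":
    for a in (EXPLOIT_ON_VULNERABLE_DB, EXPLOIT_ON_PATCHED_KIOSK, LOGIN_ON_UNKNOWN_HOST):
        e = enrich(a)
        print(a["sig"], a["dst_ip"], "->", e["priority"], e["score"])
```

The same signature fires twice here; only the copy aimed at a host the scanner still lists as vulnerable survives, and it is escalated because the asset is in PCI scope and a privileged account is involved. The brute-force alert against a host the CMDB has never heard of is kept rather than dropped, which is the behaviour an auditor will expect.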
One more point is that business users should have access to security information
that highlights their risk status and the integrity of their systems and datasets. The
productivity improvements from these capabilities alone can pay for the deployment
of intelligent and more effective security management systems. There is a
prerequisite, however: improved communications between IT security and business
unit managers.
‘Business executives spend a lot of time talking about the importance of security,’
George V. Hulme writes in CSO magazine, ‘while information security officers spend a lot
of time talking about how the business side really doesn't understand security.’ IT
security people feel they’re often brought into discussions about new projects too late,
while business managers tend to see IT security staff as sticks-in-the-mud who oppose
all new initiatives and projects. These are different kinds of silos, and they too need to
be bridged.
Proof of concept
The final point I want to make is that your security investment must suit your specific
purpose, so you shouldn’t hesitate to ask shortlisted vendors for a trial using your live
data and security infrastructure. This will take extra time, but bear in mind that it’ll most
likely take a year or so before your SIEM begins delivering what you bought it for, so a
trial like this is more than worthwhile to ensure that the vendor can deliver on its
promises.
Be prepared to probe deeply into the trial results, though, to ensure that the system
addresses your specific needs. Even simple security appliances can impress with the
volume of silo-based data they produce and the standard reports they readily generate,
but if those reports can’t be integrated with information from other silos they will add
little to your security effectiveness.
Summary
It pays to make sure that you invest in an integrated SIEM solution that provides the
essential tools and intelligence to provide the right level of cyber security for your
organisation. Try before you buy is also a smart move.
IT security systems – the big impossible?
Cutting funds can cancel out IT compliance
The cost of IT compliance is a lot lower than non-compliance by the time you add up
data loss, fines and loss of reputation.
The importance of IT compliance and the cost of non-compliance
The cost of IT security vs the cost of data breaches and non-compliance
The cost of IT security
The value of strong IT security lies in preventing events that can damage your brand or
your organisation. Compared to other IT investments, IT security spending is pretty
modest. Analyst firm Computer Economics estimates that most organizations spend less
than 2% of their IT budgets on security, but adds that it can be as high as 5% in
organisations where system availability, data integrity, and confidentiality are crucial.
Given those limited funds, possibly more limited since the global financial crisis, you
want to make sure you spend them wisely. You want the best performance for your security
dollar, along with the lowest implementation and maintenance costs (since you most likely
have limited staff as well). You want to make sure the big exposures are covered, and you
want to avoid wasting any of your limited funds.
Let’s look at an example: security event log collection and management is essential for
compliance with regulations and standards such as Sarbanes-Oxley, GPG13, ISO 27000 and
PCI DSS. Business traffic and data volumes are ballooning, however, and we’ve talked to
many organizations whose log management systems can’t handle the increasing load. (Many
SIEM platforms struggle to handle 10,000-15,000 events per second.) What looked like
an economical solution has turned out to be a waste of money because:
• Logs will be incomplete, which will be discovered during audits;
• Incomplete logs make accurate forensic replays impossible;
• The SIEM system that relies on complete log collection is compromised too, or even
‘rendered unusable, not unlike a denial of service (DoS) [scenario].’
As with other IT investments, you need systems that can grow with you and scale up
easily to meet increased demand.
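Whether collection is actually complete is something you can measure rather than discover at audit time. The following is an added example (not from the original page or any SIEM product) of the check: it assumes each log source stamps its events with a monotonically increasing record ID (Windows EventRecordID is one real instance; a counter added by a forwarding agent is another) and uses jumps in that sequence to find dropped events, compute a per-source loss ratio and measure the peak events-per-second the collector actually saw. The record layout and the sample records are constructed for illustration.

```python
"""Detect gaps in collected event logs using per-source record sequence numbers.

Added example, not code from the original page. It assumes every source
emits a strictly increasing record ID per event; the (source, record_id,
timestamp) tuples below are constructed sample input in which the
collector dropped records 1003-1004 from "dc01" and 7-9 from "fw02",
while "web03" is complete.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_RECORDS = [
    ("dc01", 1001, "2012-03-01T10:00:00Z"),
    ("dc01", 1002, "2012-03-01T10:00:00Z"),
    ("dc01", 1005, "2012-03-01T10:00:01Z"),
    ("dc01", 1006, "2012-03-01T10:00:01Z"),
    ("fw02", 5, "2012-03-01T10:00:00Z"),
    ("fw02", 6, "2012-03-01T10:00:00Z"),
    ("fw02", 10, "2012-03-01T10:00:02Z"),
    ("web03", 1, "2012-03-01T10:00:00Z"),
    ("web03", 2, "2012-03-01T10:00:01Z"),
    ("web03", 3, "2012-03-01T10:00:02Z"),
]


def find_gaps(records):
    """Return {source: [(last_seen_id, next_seen_id), ...]} for every jump
    in a source's record ID sequence. Records may arrive out of order, so
    IDs are sorted per source; duplicates (retransmits) are not gaps."""
    by_source = defaultdict(set)
    for source, rid, _ in records:
        by_source[source].add(rid)
    gaps = {}
    for source, ids in by_source.items():
        ordered = sorted(ids)
        for prev, cur in zip(ordered, ordered[1:]):
            if cur != prev + 1:
                gaps.setdefault(source, []).append((prev, cur))
    return gaps


def completeness(records):
    """Per-source received/expected counts and loss ratio. Expected is the
    span of IDs seen (max - min + 1), so loss before the first or after the
    last observed record is not counted; that needs a second source of truth
    such as the device's own counters."""
    by_source = defaultdict(set)
    for source, rid, _ in records:
        by_source[source].add(rid)
    report = {}
    for source, ids in by_source.items():
        expected = max(ids) - min(ids) + 1
        received = len(ids)
        report[source] = {
            "received": received,
            "expected": expected,
            "loss_ratio": round(1 - received / expected, 4),
        }
    return report


def peak_eps(records):
    """Highest number of events received in any single second across all
    sources; compare this with the rated capacity of the platform."""
    per_second = defaultdict(int)
    for _, _, ts in records:
        per_second[datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")] += 1
    return max(per_second.values()) if per_second else 0


def audit(records, max_loss_ratio=0.0):
    """Sorted list of sources whose loss exceeds the tolerance. An auditor
    asking for 'complete logs' means max_loss_ratio=0.0."""
    return sorted(src for src, r in completeness(records).items()
                  if r["loss_ratio"] > max_loss_ratio)


if __name__ == "__main__":
    print("gaps:", find_gaps(SAMPLE_RECORDS))
    print("completeness:", completeness(SAMPLE_RECORDS))
    print("peak EPS:", peak_eps(SAMPLE_RECORDS))
    print("failing sources:", audit(SAMPLE_RECORDS))
```

Run against a day of real collection rather than the constructed sample, the same functions tell you which sources the SIEM is silently losing and at what event rate the loss starts, which is exactly the evidence an audit will ask for and the figure to hold a vendor to during a proof of concept.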
The cost of data breaches and non-compliance
The value of critical company IP or sensitive client data is easier to estimate than the
value of collecting complete event logs. When Ford product engineer Xiang Dong "Mike"
Yu was accused of stealing automotive design specs for the Beijing Automotive
Company, experts said they were worth some $50 million.
The costs are even more obvious, and often more public, where fines are involved. In
2010, the UK’s Financial Services Authority fined Zurich Insurance (UK) £2,275,000 for
‘failing to take reasonable care to ensure it had effective systems and controls to manage
the risks relating to the security of customer data.’ The compliance breach involved the
data of some 46,000 policyholders.
For companies generating large amounts of revenue online, data breaches can stop
revenue flows dead in their tracks, as was the case with Sony’s PlayStation Network. That
part of the Sony saga cost the company $170 million just in lost revenue. Disruption to
business can extend over many months, of course, as lawsuits have to be settled with
customers, with banks, with credit card issuers, and sometimes with state attorneys general.
Back in 2007, Massachusetts-based retailer TJX disclosed that it had lost some 45 million
credit card numbers to hackers over an extended period. The total cost to TJX was
estimated at $4.5 billion, based on a cost of $100 per record breached. These days, the
average cost of a data breach is more than $200 per record, according to the Ponemon
Institute, and the average cost of significant data breaches reported in Australia now
exceeds $2 million.
Summary
You can buy a lot of IT security for a lot less than the cost of data loss, penalties and lack
of IT compliance. The Ponemon Institute found that IT compliance cost the organisations it
studied some $3.5 million per annum, while non-compliance cost others $9.4 million.