Implementing Best Practices to Achieve Compliance and Defend Against Persistent Threats


What would it take to meet compliance and new regulations? Is log management enough? What should be logged? Will the logs catch newer and more sophisticated threats such as advanced persistent threats (APTs)? Can you act upon what you are able to log and track, and how? The questions go on and on when it comes to compliance and APTs, because both are evolving quickly and give IT managers little time to put a robust plan in place.

Below we cover best practices for achieving compliance and defending against advanced persistent threats. Listen to a podcast interview with Ted Ritter, Senior Research Analyst at Nemertes Research, in which he addresses the key trends, issues and potential solutions for meeting compliance requirements. Also included is a series of questions and answers that often lead companies to reassess, and in many cases update, their current security and compliance initiatives.

An Interview with Nemertes Research -- Podcast

Podcast Summary: Implementing Best Practices to Achieve Compliance and Defend Against Advanced Persistent Threats
Length: 7:43

  • Introduction - Ted Ritter, Senior Research Analyst, Nemertes Research
  • Relationship between compliance and security (0:22)
  • Log management is not enough to meet compliance and defend against APTs (1:12)
  • What to consider beyond just deploying Security Information and Event Management (SIEM) (3:07)
  • Implement your own SIEM or use a cloud-based SIEM? Plus the value of SIEM (4:27)
  • Key takeaways and advice (6:28)

About the Speaker

Ted Ritter is a Senior Research Analyst with Nemertes Research, where he conducts research, advises vendor and end-user clients, develops research reports and delivers strategic seminars.

A Certified Information Systems Security Professional (CISSP), Ted leads Nemertes' research on cloud, virtualization and data center with an emphasis on compliance, risk management, and business continuity/disaster recovery. He is also one of Nemertes' dedicated experts on virtualization security, Internet infrastructure, efficient data centers and Green IT.

>> Listen to the podcast


Frequently Asked Questions

>> Download PDF

Are log collection and periodic reviews enough to meet compliance?

Log collection and periodic reviews alone do not meet compliance requirements today. In the past, companies may have met compliance with baseline data collection, governance and oversight, reporting and monitoring. In today's environment, however, you must also act on what you collect: investigate, remediate and control the events.

Using a Security Information and Event Management (SIEM) platform helps companies achieve compliance, particularly a SIEM that performs real-time investigation and cross-platform correlation, which gives you more accurate information about events and complete visibility into the security posture of the entire network.

However, a SIEM is just a tool. Resources are then needed to validate the alerts, remediate the incidents, create exception reports, produce reports that align with compliance requirements (for SOX, HIPAA, GLBA, CA SB-1386, PCI and others), implement measures to prevent the problems from recurring and develop best practices.

The good news for those who have neither the budget nor the in-house manpower to do this is that some Managed Service Providers (MSPs) offer managed SIEM services to help you meet compliance and, ultimately, act upon security events to protect your business.

>> Learn more about Virtela's Managed Cloud-based SIEM and IT Infrastructure Management services.

>> Download Virtela's Executive Brief on services and capabilities to help meet PCI compliance.

Is cross-platform correlation simply integration with user information as some Security Information and Event Management (SIEM) vendors would like us to believe, or should we expect more?

Some SIEM vendors may say that integrating with Authentication, Authorization and Accounting (AAA) servers is cross-platform correlation. However, that is only the bare minimum. True cross-platform correlation means correlating and analyzing security events across all devices to provide a holistic view of the threats.

Cross-platform correlation provides real-time investigation of security events and actionable event determination, both of which are requirements for passing increasingly stringent compliance audits. It provides accurate visibility into the entire network landscape rather than visibility into single devices, and therefore delivers more effective mitigation.

Some SIEM services from Managed Service Providers (MSPs) inherently include cross-platform correlation. In addition, a managed service saves you the upfront cost of the SIEM platform and ticketing infrastructure as well as the ongoing opex of maintaining and managing the solution. Consider this option particularly if you need to augment your in-house staff with a partner that focuses on securing networks and applications and has a successful track record of doing so. Also consider a partner that adds a level of scrutiny beyond the SIEM itself, validating events to minimize false positives and ensuring that the resulting alerts are meaningful and actionable.

>> Learn more about Virtela's family of managed cloud-based SIEM and IT Infrastructure Management services.

What should I look for in a Security Information and Event Management (SIEM) and consider in implementing a SIEM?

There are a wide variety of options available to companies today, ranging from deploying and managing their own SIEM to subscribing to a SIEM service from a Managed Service Provider. Regardless of whether you decide to do it on your own because you have the staff, expertise and budget or need the help of an MSP that has a proven track record of successfully implementing SIEM solutions, here are some things you need to consider:

  • Cross-platform security event correlation. Ensure that you're implementing a SIEM solution with cross-platform event correlation. Visibility into, and correlation and analysis of, events from a variety of network and security devices (including routers, switches, firewalls, services and IDS/IPSs) is what detects malicious activity and locates the source of attacks across the entire IT infrastructure.
  • Time synchronization of all events. Since the SIEM analyzes logs from disparate systems, it is critical that every system's clock is synchronized (typically via NTP) and that events are recorded, or normalized on ingestion, in a common time zone (GMT/UTC). Without this the SIEM cannot reliably evaluate separate events against a common time window, and two events that were seconds apart can appear to be hours apart.
  • Device proximity in the network. Device placement within the network, and the devices' relationship to each other, is critical to creating relevant events. As an example, assume an SSL-VPN (Secure Sockets Layer Virtual Private Network) gateway and an Intrusion Prevention System (IPS) are deployed in a demilitarized zone (DMZ). For your solution to identify an infected SSL-VPN user accurately and quickly, you would need to deploy the IPS in close proximity to the SSL-VPN gateway. If the IPS is elsewhere, say in the core network, it may take longer for the IPS to detect the malicious traffic, and if address translation sits between the two, the source address the IPS reports may no longer be the one the gateway assigned to the user.
  • User/Device Identification. Ensure that the SIEM solution can integrate with your Active Directory to map IP addresses to users and to generate reports by AD group. This helps to quickly identify users for remediation purposes.
  • Asset valuation. Asset valuation means assigning an asset, such as a device, a network subnet or a location (e.g., a data center), a value based on the potential business impact if that asset is compromised or unavailable for an extended period of time.

    Asset valuation should be performed prior to any SIEM deployment. While you may feel that you don't have the time and resources to do this well, know that asset values can be refined over time. Start small and score an early win: instead of going through the entire network and documenting each system (the ultimate goal), you can obtain immediate and relevant asset valuation by going through each network subnet, classifying it by purpose (Web access, remote access, VoIP, DMZ, branch office, WAN transit, core backbone, etc.) and assigning an asset value to the entire subnet based on potential business impact.

    Once asset values are assigned, it is important to come up with an asset valuation matrix (high, medium, low) and a response plan for events, known vulnerabilities and exploits that is driven by those asset values.
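The correlation described in the cross-platform correlation answer above and in this checklist (time normalization to UTC, IP-to-user mapping from the access gateway, subnet-level asset valuation, and alerts ranked by the value of the target) can be reduced to a small working pass over sample logs. The following Python is an added illustration, not code from Virtela, Nemertes or any SIEM product; the log formats, subnets, IP addresses, user names and signature names are constructed for the example. The VPN gateway deliberately logs in local time (UTC-5) while the IPS logs in UTC, so that the time-zone point in the checklist is exercised rather than assumed.

```python
"""Minimal cross-platform correlation over constructed log lines.

Added example, not Virtela's or Nemertes' code. Takes SSL-VPN gateway lines
(local time with offset) and IPS lines (UTC), normalizes both to UTC,
attributes each IPS alert to the user who held the source IP at that moment,
and ranks alerts by the asset value of the targeted subnet.
"""
from datetime import datetime, timezone
import ipaddress
import re

# Constructed asset valuation by subnet: classify whole subnets first, as the
# checklist suggests, and refine per host later.
ASSET_VALUES = {
    ipaddress.ip_network("10.10.0.0/24"): ("data-center", "high"),
    ipaddress.ip_network("10.20.0.0/24"): ("branch-office", "medium"),
    ipaddress.ip_network("172.16.5.0/24"): ("remote-access pool", "low"),
}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def asset_value(ip):
    """Return (purpose, value) for the subnet containing ip."""
    addr = ipaddress.ip_address(ip)
    for net, (purpose, value) in ASSET_VALUES.items():
        if addr in net:
            return purpose, value
    return "unclassified", "low"


# Hypothetical log formats. The gateway writes local time with a numeric
# offset; the IPS writes ISO-8601 UTC. Both become aware UTC datetimes.
VPN_RE = re.compile(r"(\S+ \S+ [+-]\d{4}) sslvpn: user=(\S+) assigned=(\S+)")
IPS_RE = re.compile(r"(\S+Z) ips: sig=(\S+) src=(\S+) dst=(\S+)")


def parse_vpn(line):
    m = VPN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "user": m.group(2), "ip": m.group(3)}


def parse_ips(line):
    m = IPS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "sig": m.group(2), "src": m.group(3), "dst": m.group(4)}


def user_for(ip, at, sessions):
    """Most recent VPN assignment of ip at or before time `at`, else None."""
    prior = [s for s in sessions if s["ip"] == ip and s["ts"] <= at]
    return max(prior, key=lambda s: s["ts"])["user"] if prior else None


def correlate(vpn_lines, ips_lines):
    sessions = [s for s in map(parse_vpn, vpn_lines) if s]
    alerts = []
    for ev in filter(None, map(parse_ips, ips_lines)):
        purpose, value = asset_value(ev["dst"])
        alerts.append({
            "ts": ev["ts"].isoformat(),
            "sig": ev["sig"],
            "src": ev["src"],
            "user": user_for(ev["src"], ev["ts"], sessions),  # None = unattributed
            "target": f"{ev['dst']} ({purpose})",
            "priority": value,
        })
    # Highest asset value first. Unattributed alerts are kept, not dropped:
    # someone still has to resolve who owned the source address at that time.
    alerts.sort(key=lambda a: SEVERITY_RANK[a["priority"]], reverse=True)
    return alerts


# Constructed sample logs. asmith's session started at 14:02:10 UTC, so the
# 13:50 UTC port scan from 172.16.5.40 is NOT hers; a naive comparison of the
# gateway's local "09:02:10" against the IPS's "13:50:00" would blame her.
VPN_LOG = [
    "2024-03-04 08:15:02 -0500 sslvpn: user=jdoe assigned=172.16.5.23",
    "2024-03-04 09:02:10 -0500 sslvpn: user=asmith assigned=172.16.5.40",
]
IPS_LOG = [
    "2024-03-04T13:50:00Z ips: sig=PORT_SCAN src=172.16.5.40 dst=10.20.0.15",
    "2024-03-04T13:17:40Z ips: sig=MALWARE_C2 src=172.16.5.23 dst=10.10.0.8",
    "2024-03-04T14:30:00Z ips: sig=SMB_BRUTE src=172.16.5.40 dst=10.20.0.15",
]

if __name__ == "__main__":
    for alert in correlate(VPN_LOG, IPS_LOG):
        print(alert)
```

Running it lists the data-center C2 alert first, attributed to jdoe, then the two branch-office alerts; the port scan carries no user because the only session record for that address began after the scan, which is exactly the kind of false attribution that unsynchronized or un-normalized clocks would produce. In a real deployment the session table would come from the gateway's accounting feed or from AD, and the subnet table from the asset valuation exercise described above.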

If you're considering the MSP route, some MSPs offer SIEM services with any of their managed security services (e.g., managed firewall, IPS, web filtering, etc.) or IT infrastructure management service when they monitor and manage your network and/or security devices.

>> Learn more about Virtela's Managed Cloud-based SIEM and IT Infrastructure Management services.


Have Questions? Contact Virtela

Want to discuss your security and compliance goals? Complete the form below and a Virtela Solutions Consultant will contact you within 24 hours.