Risk & Security Rewards
 
There’s no reward without risk, according to the old saying. But in the current, closely-regulated business environment, the demand is for reward with near-zero risk. So it’s no surprise that Risk Control Groups are a powerful voice in any financial organisation, reacting to change in the risk landscape with recommendations for both corporate policy and IT.

The RCG’s remit goes beyond traditional information security to embrace wider business, partnership and cultural considerations. Its members don’t view risk as a simple, binary issue of ‘are we secure or not?’ but instead keep posing the questions: “What’s our current exposure to risk? What could we stand to lose?” It is these questions that can put a company’s RCG and corporate IT team at cross purposes. The two camps may have very different views and understandings of what exactly should be secured - and in turn, very different approaches to managing what they see as the actual security risks.

Often, information security implementations are driven by the corporate IT team. These may focus on solutions addressing the latest emerging threats, including malware, hacking attempts and so on. But simply adding point security products to the network may not enhance overall security.

Unless an in-depth business risk analysis is done, there is the chance of overlooking areas that really do need protection, while over-protecting others. And crucially, unless the business has an effective method for monitoring, in real time, its true overall security stance, its current vulnerabilities and risk points, it cannot effectively manage risk, or deliver truly effective protection to the business’ IT assets. Yet this is a position that many companies are in. Despite their considerable investments in advanced point security products, IT teams cannot manage the security of the corporate network easily. They are kept on high alert by the constant stream of events being reported by every product’s management console.

This stream of events and alerts - Gartner estimates that the systems in companies with 1000+ users generate over 200 security ‘events’ per second - is enough to overwhelm any IT department. Worse, it masks what’s really happening on the network and stops the IT team, and any other parties, being able to manage risks strategically. So the IT team can’t say for sure what the security status is on the network. Which means the RCG can’t easily report on the true status of the potential risks to the core business systems, data and processes that the IT security infrastructure is supposed to protect.

So how do businesses reconcile both the security management needs of the IT team and the risk management needs of the RCG - and of the business as a whole? This is where security information and event management (SIEM) comes in. For IT teams, an SIEM solution adds value to their existing multiple security products and corporate systems. It integrates the jumble of different management consoles and reporting formats to simplify control, give better visibility and improve response times. It does this by drastically reducing the level of data and log traffic generated by multiple systems - giving IT staff a less cluttered view of what’s happening across their networks.

These data and event logs are aggregated into one central, correlating SIEM engine. This engine establishes the relationships between the logs and alarms produced by a company’s various core business systems, such as ERP, transaction management and so on, and those produced by its security devices, and correlates them. SIEM will typically filter the number of events and alerts down by a factor of 1000 or more. Also, it can overlay multiple reporting logs and data streams to give IT staff a single-console view of critical security events.

This view helps identify irregular activities or attempted attacks that would otherwise be invisible without correlation. And it’s important to remember that this view is built around the behaviour of core business systems, not just security products. SIEM can also put alerts into context, by linking to internal and external resources which document known vulnerabilities and exploits - and with an embedded incident handling and resolution system, assist IT staff in delivering the most effective response to events. An additional feature is the ability for IT staff to set up and enforce better security policies, and make changes to those policies and products on-the-fly from the SIEM console, if any attack or threat is suspected or identified. This enables a complete Plan-Do-Check-Act cycle in accordance with best practice in security management.
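The correlation described above, as an added example (not code from the article or from any SIEM product): it joins constructed, already-normalised events from an access device and a core business system and raises one alert for a pattern that neither source shows on its own. The event fields, action names, threshold and time window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "time source user action" (illustrative schema).
RAW = """\
2006-11-22T09:00:01 vpn alice login_ok
2006-11-22T09:00:05 vpn bob login_fail
2006-11-22T09:00:07 vpn bob login_fail
2006-11-22T09:00:09 vpn bob login_fail
2006-11-22T09:00:30 vpn bob login_ok
2006-11-22T09:01:10 erp alice invoice_view
2006-11-22T09:02:00 erp bob payee_change
2006-11-22T09:30:00 vpn carol login_fail
2006-11-22T11:00:00 erp alice payee_change
"""

WINDOW = timedelta(minutes=10)   # assumed correlation window
FAIL_THRESHOLD = 3               # assumed number of failures that matters
SENSITIVE = {"payee_change"}     # assumed change to a core business asset

def parse(raw):
    """Turn raw lines into time-ordered (time, source, user, action) tuples."""
    events = []
    for line in raw.splitlines():
        ts, source, user, action = line.split()
        events.append((datetime.fromisoformat(ts), source, user, action))
    return sorted(events)

def correlate(events):
    """Alert on: repeated failed logins, then a successful login, then a
    sensitive business action by the same user, each step within WINDOW."""
    fails = defaultdict(list)    # user -> times of recent failed logins
    suspect = {}                 # user -> time of the login that followed them
    alerts = []
    for ts, source, user, action in events:
        if action == "login_fail":
            fails[user] = [t for t in fails[user] if ts - t <= WINDOW] + [ts]
        elif action == "login_ok":
            recent = [t for t in fails[user] if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                suspect[user] = ts
            fails[user] = []
        elif action in SENSITIVE and user in suspect:
            if ts - suspect.pop(user) <= WINDOW:
                alerts.append((ts, user, f"{action} on {source} after failed logins"))
    return alerts

if __name__ == "__main__":
    events = parse(RAW)
    alerts = correlate(events)
    print(f"{len(events)} events -> {len(alerts)} alert(s): {alerts}")
```

Alice's later `payee_change` and Carol's single failed login produce no alert, because on their own they match ordinary behaviour; only the combined sequence for one user is reported.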

So SIEM serves the needs of the IT team. What about the RCG, and the company’s overall risk stance? Because SIEM solutions extend from the core of the business outward, they can log and report on any changes to core assets, wherever those assets are stored. This makes SIEM a central storage, reporting and audit engine across the company’s entire IT infrastructure, providing a single, large-scale body of security evidence. This enables easy tracking of security processes, and detailed analysis of those processes by any party that needs to do so. Using the SIEM solution, the RCG can undertake risk analyses, identifying and quantifying the impact on the business of any security breaches, assessing threat levels and deciding what next steps are justified.

Here is a specific example of how SIEM can add real value to the RCG’s role. A need common to many banks and building societies right now is to archive and store event logs from all business servers, to meet regulatory demands. This data is stored in the raw format for forensic examination if needed. Organisations may also want to import and handle security logs from other platforms.

Sounds like a fairly straightforward storage issue. But are banks missing a trick by simply storing that data in a big silo? For RCGs to manipulate the raw data and review it still requires additional tools and resources. After all, manually reviewing gigabytes of data, across multiple files and in different formats, trying to spot patterns (e.g. unauthorised or unexpected activity) is not for the faint-hearted. Indeed, even the most dedicated and expensive security experts usually miss complex, combined events. Why not take the SIEM approach that avoids yet more corporate data silos and enhances security?

With SIEM, the data can be collected and stored in an off-box appliance in real-time, ensuring that it is secured and available for auditing and forensics, even if the original event data is erased or tampered with. And the SIEM solution can deliver a full range of strategic risk and compliance reports, as well as delivering real-time alert monitoring and incident remediation - giving the RCG the investigative and reporting capabilities they need.

Put simply, risk control and management boils down to knowing - and being able to demonstrate - that you know what your risks are and how you are dealing with them. And if it all still looks daunting, there is some comfort to be taken from the wording of one of the most feared compliance standards. Sarbanes-Oxley legislation states that there should be adherence to ‘reasonable controls’ around risk management. SIEM can provide both the controls and the in-depth auditability.

Jason Holloway, ExaProtect




BIOS, Nov 22, 06 | Posted In Business
© 2006 Black Letter Publishing Ltd.