These undeniable global forces create a stage on which the stakes are high. Increased revenue, profit and shareholder growth await properly prepared and integrated financial services institutions. For those who stumble or stall, the Flat World will pass them by.
But what is the case for security information management as a requirement for information security and, by association, for growth in shareholder value? There are some important issues for us to consider.
Risks to citizens and markets draw government response
When we consider information security, we must discuss its close companion, compliance. The truth is that identity theft, fraudulent financial reporting, improper IT controls, information security vulnerabilities and general forms of information system fraud produce genuine risks and cause devastating losses.
Measurable losses include business disruption, legal sanction, alienation of customers and, of course, literal financial loss. But the most damaging losses involve damaged reputations, tarnished institutional credibility and the withering effect those consequences have on stakeholders’ confidence in our financial markets.
The well-intentioned response from our governments has been to invoke legislative replies to address prevalent types of risk. Examples of legislation pertinent to the financial services industry include Gramm-Leach-Bliley, Sarbanes-Oxley, Basel II and the California State Bill 1386. Generally, these regulations are intended to protect citizens and sustain credibility in our markets and institutions.
While increased regulation may seem onerous at times, financial institutions should strive for more than compliance. In fact, an institution can benefit enormously if it can closely align compliance, information security, operations and the executive viewpoint. Alignment creates a sense of leadership, direction and lasting consistency that permeates an institution’s culture.
Reputation is determined by responsiveness
Interestingly, the manner in which an institution handles the post-incident investigation and communication processes – rather than the incident itself – primarily determines the impact on the institution’s reputation. In other words, the institution’s post-incident conduct ultimately reveals its pre-incident preparation.
As personal computer users, we all deal with spyware, popups and viruses, and we’ve learned to anticipate these and other threats waged on our personal computers and take precautions. We’ve learned, therefore, to expect problems, but also to have solutions available to protect our computers and our information. Thus, we’ve installed our favorite security software, which minimizes incidents and better prepares us for when they inevitably do occur.
Likewise, we expect our financial institutions to take prudent measures against security threats and to have well-defined investigation tools and procedures for when incidents, inevitably, do occur.
Security monitoring and streamlined investigation
A financial institution must ultimately find a balance between security and expense, and indeed between convenience and profit. Risks are expected, and despite budget constraints they must be addressed so that end users retain convenience in a reasonable operating environment. With these concerns in mind, it is vital that institutions be able to prudently monitor for common security incidents and to rapidly investigate incidents as they occur.
However, complicated computer networks and a lack of solutions have prevented institutions from automating the processes related to monitoring and investigating security incidents across their enterprises. The challenge, of course, is that billions of dollars of transactions flow across the networks of financial institutions, which depend on a myriad of servers, applications, security devices, databases, access servers and the like. These systems are numerous, are often geographically dispersed, and produce audit reports in many different formats. Finally, there is an overwhelming amount of audit data (an ‘epic tide’) produced by the systems. The result is that we need an easy way to capture, manage, analyze and audit information produced by the systems.
The emergence of security information management
Recently, security information management (SIM) solutions have emerged as vital responses precisely because they enable organizations to carry out and synthesize these tasks. SIM solutions can be flexible and scalable enough to deal with all the different systems and manage the vast amount of audit data. Security information management has enabled institutions to monitor for security incidents and investigate incidents as they occur. SIM solutions can also be easy and affordable to maintain relative to the alternative manual processes. Thus, SIM solutions have emerged as central to sustainable information security and compliance, and in turn are essential elements of ensuring ongoing institutional credibility.
Application and insider risks drive new requirements
Over the past few years, networks and systems have been hardened with intrusion detection and prevention solutions, anti-virus solutions, spam control, patch management, firewalls, authentication, authorization, encryption and other technologies. In this environment, SIMs play the role of centralizing, managing, analyzing, auditing and archiving the data produced by the various network and server components. SIM solutions can monitor and audit for attacks of many forms, such as blended information security attacks or time-based attacks, which are conducted against systems in geographically dispersed locations. SIMs therefore centralize and operationally simplify the vast amount of security data that today’s financial institutions produce.
Interestingly, the most damaging and common information security threats are moving ‘up the stack’ to applications and insiders. While the perimeters of our networks have been hardened, applications are difficult to secure completely, in part because human beings are nearly impossible to predict (and are very imaginative). Emerging information security incidents that can be highly damaging include selling customer records to a competitor, redirecting customer shipments for sale by a third party, identity theft (involving many techniques), manipulation of financial reports, and even collaborative fraud rings involving insiders and outsiders. It is only prudent that financial institutions identify these types of risks in their business, take steps to monitor for them, and have tools and processes in place for when they occur.
SIM solutions must therefore be highly flexible for handling audit information from applications and network access points so that they can monitor for escalation of privileges, creation of super-user accounts and login failures to our important systems and access points. They should also provide the foundation for monitoring and auditing the complicated forms of application and insider security threats described above. Ultimately, financial services institutions – and indeed their stakeholders – will benefit profoundly by integrating SIM solutions into the fabric of their business.
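The monitoring described above, as an added illustration that is not code from the article or from any vendor named in it: per-source definitions normalize audit lines of two constructed formats into one record shape, and simple rules then flag the three event classes the text names (repeated login failures, privilege escalation, super-user account creation). The log lines, hostnames and field names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample audit lines in two different formats (not real logs).
SAMPLE_LINES = [
    "2006-03-01T09:00:01 host1 sshd[4211]: Failed password for alice from 10.0.0.5",
    "2006-03-01T09:00:04 host1 sshd[4211]: Failed password for alice from 10.0.0.5",
    "2006-03-01T09:00:07 host1 sshd[4211]: Failed password for alice from 10.0.0.5",
    "2006-03-01T09:05:00 host1 sudo: bob : TTY=pts/1 ; USER=root ; COMMAND=/bin/bash",
    "ts=2006-03-01T09:06:00 app=ledger user=bob action=create_account role=superuser target=svc_admin",
    "ts=2006-03-01T09:07:00 app=ledger user=carol action=view_record target=12345",
]

# One definition per source format: a regex capturing the common fields
# (ts, host, user, ...) plus the normalized event type it represents.
# New applications are onboarded by adding a definition, not by changing rules.
DEFINITIONS = [
    (re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"),
     "login_failure"),
    (re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : .*USER=root"),
     "privilege_escalation"),
    (re.compile(r"^ts=(?P<ts>\S+) app=(?P<host>\S+) user=(?P<user>\S+) action=create_account role=superuser target=(?P<target>\S+)"),
     "superuser_created"),
]

def normalize(line):
    """Map one raw audit line to a common record, or None if no definition matches."""
    for pattern, event in DEFINITIONS:
        match = pattern.match(line)
        if match:
            record = match.groupdict()
            record["event"] = event
            return record
    return None

def analyze(lines, failure_threshold=3):
    """Return alerts for the three event classes; unmatched lines are ignored."""
    records = [r for r in map(normalize, lines) if r]
    alerts = []
    failures = Counter(r["user"] for r in records if r["event"] == "login_failure")
    for user, count in failures.items():
        if count >= failure_threshold:
            alerts.append(("repeated_login_failures", user, count))
    for r in records:
        if r["event"] == "privilege_escalation":
            alerts.append(("privilege_escalation", r["user"], r["host"]))
        elif r["event"] == "superuser_created":
            alerts.append(("superuser_created", r["user"], r["target"]))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```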
Kurt Long is the CEO of EpicTide, Inc., a leading security information management solution provider. Kurt serves on numerous company and industry boards and is a recognized expert in the authentication, authorization, audit (AAA) security industry. Prior to EpicTide, Kurt founded and served as CEO of OpenNetwork Technologies, a leading identity management software company. OpenNetwork was purchased by BMC Software.
EpicTide is a leading security information management solution provider. The company’s flagship product FairWarning helps organizations monitor for security events and streamline investigation processes by centralizing security events associated with their applications and systems.
FairWarning leverages a patent-pending XML definition language to provide highly flexible support for an organization’s major applications and systems. This approach also provides the flexibility to support niche and in-house applications deployed throughout an organization. EpicTide FairWarning leverages open source software infrastructure to deliver a highly affordable and manageable security information management solution. The company also offers FairWarning in a software-as-a-service model.
Security information management
Paul Stamp is a member of the Forrester Telecom and Networks team. He focuses on enterprise security technologies such as security information management, encryption technologies and network security appliances. His current research focuses on internal network security architectures, and approaches to handling sensitive data.
The role of the security information management (SIM) system has changed a great deal over the last few years. In the early days of SIM, customers were most interested in making sense of copious amounts of IDS data, and so strong correlation technologies were considered most important. However, more and more customers are now looking to their SIM products to help them measure the effectiveness of their security and compliance programs – they need their SIM tool to be able to aggregate, analyze and report data in a way that’s going to make sense to the wide array of people who will be interested in the data it manages.
However, once you take into account all the different requirements for gathering data from all the different systems and presenting it in the right format for all the people who are going to use it, SIM becomes a complicated business. SIM involves integrating different types of devices, re-engineering incident response processes and developing a wide array of report templates for diverse audiences. Thus, although base product license fees aren’t astronomical, SIM is still expensive to implement – meaning that most customers who deploy a SIM product will require it to aid all of the following:
• Security teams want to streamline the oversight process. Since information-risk-management-focused security teams delegate a large part of security enforcement to the operations teams, they’re more focused on setting policy and overseeing its effectiveness. Thus, they want a SIM tool that can tie data together to give an overall picture of the security posture of an organization. This includes better capabilities for tying into reporting tools, and workflow features to make sure issues can be assigned and tracked accordingly.
• Operations teams want technology that will help them in their ‘day job’. Many operations teams number security as just one of their daily tasks, and prefer to use as few technologies as possible to carry out their job. Whereas effectiveness in detecting threats is the main criterion for buyers, SIM tools that can incorporate features that aid in other areas like capacity planning and performance management prove popular with operations teams.
• Both groups need a SIM tool to help coordinate interaction between them. Despite the division of day-to-day tasks between the security and IT teams, the two are still going to need to work closely, and will need SIM to help them share timely information, particularly at the time of an imminent threat, or during a security incident. This includes security knowledge repositories, and forensics capabilities to aid digital investigations.