Information Security 101: Who? What? Why? Where? When?

24 August 2009

LogRhythm's Ross Brewer warns that if organisations are to retain control of their own IT systems, they must have complete visibility and knowledge, not only over who's doing what but also why, where and when it's happening. This is not rocket science, this is security 101.

Security breaches continue to be big news. They can come in any shape or size – from a disgruntled employee downloading commercially sensitive data onto a USB stick to a full-blown virus or worm attack from an external source.

But whatever the scale or source of the breach, the impact can have serious repercussions on the business – from operational, reputational and financial perspectives.

Security threats are a constant and IT departments work hard to protect organisations both from external attacks and internal threats. But in many cases, these teams are on the back foot as unscrupulous individuals continue to find new means of bypassing any security measures in place.

Preventative action such as firewalls or ever-changing passwords can only go so far.  It is therefore vital that organisations know exactly what is happening across their network in real-time so that any irregularities can be flagged as soon as they occur, not after the damage has been done.

All too often, however, security breaches are identified after the event, when it's too late to act. Trying to trace back to find out exactly what happened, and how the operation has been impacted, can be costly and time-consuming, all of which can further delay rectifying the problem.

However, every company in the world has the key to monitoring network activity and examining historical actions right under their noses.  Many of them just haven't realised how to unlock it.

Millions of logs and audit trails are generated daily by every IT-related action – legitimate or not. However, trawling through such vast amounts of data to identify potential security threats is a daunting task which can take days or even weeks. This is where log data and event management solutions such as LogRhythm come in: they provide real-time data analysis so that organisations can see who is accessing what, as and when it happens, and appropriate action can be taken as quickly as possible.

Centralised logging and security event management platforms take on the function of automatically monitoring and securing all activity logs while reporting and alerting on activities that warrant attention. For example, if a domain controller machine is repeatedly attempting to log on to the network several thousand times a day, is a virus attack occurring? Likewise, if new administrator accounts have suddenly been created, does this mean that unauthorised people may be gaining access to privileged information?
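The two alert conditions described above can be sketched as a small detection routine. This is an added example, not LogRhythm code or part of the original article; the key=value log format, the event names, the group names and the default threshold are all assumptions, and the sample lines are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample lines in a made-up key=value format (not a real product's schema).
SAMPLE_LOGS = """\
2009-08-24T09:00:01 host=dc01 event=logon_attempt user=svc_backup
2009-08-24T09:00:02 host=dc01 event=logon_attempt user=svc_backup
2009-08-24T09:00:03 host=dc01 event=logon_attempt user=svc_backup
2009-08-24T09:05:10 host=ws17 event=logon_attempt user=alice
2009-08-24T11:30:00 host=dc01 event=account_created user=tmpadmin actor=bob
2009-08-24T11:30:05 host=dc01 event=group_member_added user=tmpadmin group=Administrators actor=bob
2009-08-24T14:00:00 host=ws17 event=account_created user=carol actor=hr_sync
"""

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}  # assumed group names

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; return None for malformed lines."""
    parts = line.split()
    try:
        record = {"time": datetime.fromisoformat(parts[0])}
    except (ValueError, IndexError):
        return None
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if sep:
            record[key] = value
    return record if "event" in record else None

def detect(log_text, logon_threshold=1000):
    """Alert on hosts with excessive daily logon attempts and on privileged group additions."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    alerts = []
    # Condition 1: one machine attempting to log on an abnormal number of times per day.
    logons = Counter((r["time"].date(), r.get("host", "?")) for r in records
                     if r["event"] == "logon_attempt")
    for (day, host), count in sorted(logons.items()):
        if count >= logon_threshold:
            alerts.append(("excessive_logons", str(day), host, count))
    # Condition 2: an account gaining administrator rights, flagged as new if just created.
    created = {r.get("user") for r in records if r["event"] == "account_created"}
    for r in records:
        if r["event"] == "group_member_added" and r.get("group") in PRIVILEGED_GROUPS:
            kind = "new_admin_account" if r.get("user") in created else "admin_group_change"
            alerts.append((kind, str(r["time"].date()), r.get("user"), r.get("actor")))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, logon_threshold=3):  # low threshold for the tiny sample
        print(alert)
```

In practice the logon threshold would be set from each host's own baseline rather than a fixed number, since a busy domain controller and a workstation have very different normal volumes.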

Without such systems in place, corporate and government organisations have no means of identifying, investigating and preventing malicious behaviour until it is too late.

Compounding the problem further is the current economic climate, which has triggered increased levels of staff turnover in many organisations. In many cases, this turnover can be attributed to redundancy or employees looking to jump ship if there is a level of uncertainty surrounding the company.

There is no way of telling if a departing employee holds a grudge against the company which may encourage them to create havoc on the network. Alternatively, what about the employee who, through no particular malice, decides to upload company-sensitive information as it may help them secure a new role with a competitor?

While log data and event management software can flag any unusual user activity on the network, technology is only one part of the story.

Companies also need to have clear policies and procedures in place for when personnel at all levels leave the organisation – either voluntarily, through redundancy or dismissal. For instance, at what point are their access rights reduced or removed? Should there be increased levels of monitoring of their activity in the run-up to their final day at the company? Having such plans in place means that there is less likelihood of someone slipping through the net further down the line.

If, after reading this, you still believe that your company is immune to security incidents, the wake-up call should be the seemingly never-ending flow of high-profile stories in the media relating to the subject. These prove that security threats are never going to disappear.

So, if organisations are to retain as much control as possible of their own systems, it's vital that they have complete visibility and knowledge, not only over who's doing what but also why, where and when it's happening.  This is not rocket science, this is security 101.

Ross Brewer, vice president and managing director, LogRhythm EMEA

About LogRhythm
LogRhythm provides enterprise-class log and event management, file integrity monitoring, and endpoint monitoring & control in a single integrated solution that empowers organizations to comply with regulations, secure their networks, and optimize IT operations.  LogRhythm has received the Best Buy award, a Five Star rating and the Reader Trust Award for SIEM (Security Incident/Event Management) from SC Magazine. LogRhythm is privately held and based in Boulder, Colorado with European Headquarters located in Maidenhead, England. For more information visit: www.logrhythm.com.
