With the complexity of IT security systems and the soaring incidence of attacks, analytic techniques must be added to the information security arsenal to equip company executives to mitigate and manage risk effectively.
That's according to Annemarie Cronje, product manager for Operational Intelligence at SAS Institute SA.
She adds that company directors require systems to allow them to rapidly and effectively assess the security posture of their businesses. "Emerging laws and reports including the King II Report, the Electronic Communications and Transactions Bill (ECT), the South African Constitution and the Promotion of Access to Information Act (PROATIA) place new responsibilities on the shoulders of directors in terms of company security."
She explains that the introduction of these corporate governance measures makes the CEO and the board of directors directly responsible for the security status of the organisation. "Without tools that cut through massive volumes of data to give them a simple yet accurate picture of their security status, directors may be exposing themselves to serious liabilities."
The reality is that businesses face an alarming volume of information security threats.
"Viruses, hackers, crackers, worms, Trojans and many other types of malware pervade the corporate network," she says.
In an effort to combat the copious threats facing their information infrastructure, businesses have typically implemented many systems. Characteristically, security infrastructure comprises firewalls, anti-virus software and intrusion detection systems.
Additionally, access control, both physical and logical, forms an integral component of the security measures, while data from infrastructure management solutions contributes potentially valuable information that can be leveraged to ensure system integrity.
The trouble with the myriad of systems deployed to protect corporations from compromise is the sheer volume of data generated by monitoring the complete spectrum of network activity.
"Every system generates its own log file, many of which run into hundreds of pages daily. These log files must be analysed to identify anomalies and changes in network behaviour, which provide an indication of the occurrence of attacks," says Cronje.
"Directors may well find themselves overwhelmed with a mountain of data and no way to sift through the information to identify and act on salient information."
By establishing an IT security data warehouse, the full spectrum of information generated throughout the organisation, and even from the extended supply chain, can be collected into a single repository. In this repository, every security-related incident from systems across the organisation is assimilated and can be analysed to provide an instant, accurate picture of security status.
Information is collected from operational IT security systems such as firewalls and intrusion detection systems; performance data is assimilated from operational IT systems such as servers and PCs; and business-related and other non-technical information, such as data from HR systems, is also gathered.
"Long-term retention of the data can be leveraged to profile 'normal' usage patterns and identify exceptions, and equip executives for the handling and prevention of threats," says Cronje.
From a security/risk dashboard, line management and executives can instantly and accurately assess their security status for statutory compliance, and the same data provides an effective benchmark for data insurance purposes. "Additionally, companies looking to electronically integrate with trading partners are able to rapidly provide a benchmarked security assessment to demonstrate their security posture," she adds.
By applying data mining techniques to the assimilated data, companies can also begin to treat security proactively. "Data mining enables forecasting what may happen in the future, classifying and clustering events into groups by recognising patterns and attributes, associating what events are likely to occur together and sequencing what events are likely to lead to later events. Data mining can be used in intrusion detection to identify what is normal and what is not, allowing for the rapid identification and prevention of intrusion threats," she says.
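The collect-then-baseline idea described in the two paragraphs above, as an added illustration that is not SAS code: heterogeneous log lines (here constructed firewall and IDS records; the formats, host names and addresses are made up for the example) are normalised into one repository of daily counts, a 'normal' volume is profiled from the retained history, and days whose counts fall outside that profile are reported as exceptions.

```python
"""Toy IT-security data warehouse: normalise events from several log sources
into one repository, profile 'normal' daily volume per (host, event) from the
retained history, and flag days that deviate from that baseline."""
import re
import statistics
from collections import defaultdict

# Two hypothetical log formats feed the repository; each is reduced to
# (day, host, event_type). A third source (HR badge data) is deliberately
# left without a parser to show that unparsed input is counted, not lost.
FIREWALL_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<host>fw\S*) (?P<event>DENY|ALLOW)\b")
IDS_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<host>ids\S*) alert: (?P<event>\S+)")

# Constructed sample data: 8 days of one firewall deny and one IDS alert per
# day, then a burst of extra denies on the last day.
DAYS = [f"2003-06-{d:02d}" for d in range(1, 9)]
SAMPLE_LOGS = (
    [f"{d}T02:15:00 fw01 DENY src=10.1.1.5 dst=10.2.0.9 dport=445" for d in DAYS]
    + [f"{d}T03:00:00 ids01 alert: PORTSCAN from 10.1.1.5" for d in DAYS]
    + [f"2003-06-08T02:{m:02d}:00 fw01 DENY src=10.1.1.5 dst=10.2.0.{m} dport=445" for m in range(10, 15)]
    + ["2003-06-08 hr01 badge-in user=jdoe"]  # format not yet onboarded
)

def normalise(line):
    """Map one raw line to (day, host, event_type), or None if no parser matches."""
    for pattern in (FIREWALL_RE, IDS_RE):
        m = pattern.match(line)
        if m:
            return m.group("day"), m.group("host"), m.group("event")
    return None

def ingest(lines):
    """Assimilate raw lines into one repository: {(host, event): {day: count}}."""
    repo = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for line in lines:
        rec = normalise(line)
        if rec is None:
            unparsed += 1  # surfaced so a missing parser is visible, not silent
            continue
        day, host, event = rec
        repo[(host, event)][day] += 1
    return repo, unparsed

def find_exceptions(repo, today, min_history=5, k=3.0):
    """Flag (host, event) pairs whose count today exceeds mean + k*stdev of the
    retained history (stdev floored at 1 so a flat baseline still has a band).
    Only days with activity are in the history; quiet days are not recorded."""
    exceptions = []
    for key, by_day in repo.items():
        history = [n for d, n in by_day.items() if d < today]
        if len(history) < min_history:
            continue  # too little retained data to call anything abnormal
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        todays = by_day.get(today, 0)
        if todays > mean + k * max(sd, 1.0):
            exceptions.append((key, todays, round(mean, 2)))
    return exceptions
```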
Cronje notes that effective security management has to take into account the full spectrum of the technology environment, within the context of security policy and standards, and taking cognisance of the security architecture and processes. "Analytical techniques enable executives to view the entire security situation at a glance. They can audit, monitor and investigate security across the board, while effectively validating their security posture for regulatory compliance."