« January 2009 | Main | March 2009 »
There has been a lot of buzz in the press lately about what happens to confidential data when employees are laid off or, in an even worse situation, a company goes out of business. This raises an important issue for enterprises that face stringent industry and government requirements for controlling and monitoring what happens to their information assets. Who is accountable for the corporate data amassed over a company's lifetime after it closes its doors?
One way to keep an eye on your data when you are in business is to automate IT operational tasks for continuous assessment of the risk profile, to bring unusual activity to your attention. Our CEO, Pat Sueltz, discussed the simple and complex aspects of IT process automation with eWeek's editorial director, Michael Vizard, for a podcast this week. You can check out the podcast here.
“Trust but verify” is the mantra in our log management world. Although log management is only one of the defenses in your security armory, it is an important building block for monitoring user and system activity to identify and correct the gap between your security policies and the reality on the corporate network, a.k.a. the ground. Automated log management can also be extended to security information and event management, database activity monitoring and managing compliance workflows.
If you're looking for other ways to make sure customer and business data isn't literally walking out the door, consider checking out Network World's podcast, "Why ex-employees are stealing your data." The podcast discusses results from a recent study conducted by the Ponemon Institute, "Jobs at Risk = Data at Risk." According to the survey of 945 people who lost their jobs in the past 12 months, 59% admitted to stealing company data and 67% used their former company's confidential information to leverage a new job. A particularly interesting finding we noticed: only 37% of these individuals were actually asked to leave their jobs; the other two-thirds either found a new job or left in anticipation of layoffs.
In other words, whether employees bear ill will toward a company or not, there is no excuse for not protecting and monitoring your data. Another article on the subject in CIO Magazine yesterday raises the issue of private data being auctioned off in fire sales as companies go out of business and improperly dispose of their sensitive corporate and customer information.
The privacy policies communicated to external parties like customers, employees and partners almost always discuss data handling in the context of the business as a going concern. They even discuss how the information will be treated in the event of an acquisition or shared with subsidiaries. I have rarely seen them discuss what happens to your information if the company simply shuts down.
Data governance continues to be a challenge today. Disaster Recovery and Business Continuity plans are now more the norm than the exception. But if you are the IT Security team, have you given thought to how you would handle the corporate data (including all kinds of PII and logs) in the event of a company closure? As consumers, do we have any rights to the data and content we shared with this company during its lifetime? Shouldn't it be just as natural for the company to take responsibility here, just as we plan our legacy through wills and trusts in the event of a sudden life-changing event?
Posted February 26, 2009 in Security
This morning LogLogic announced three (!) new product lines on a single day. So why is LogLogic entering the compliance management, database activity monitoring and security event management markets in these difficult economic times? First of all, because it can: LogLogic posted record revenues in Q4 2008 and nearly doubled its customer base in 2008, from 400 to 714 customers. More importantly, LogLogic is expanding its product line-up because, notwithstanding economic woes, our customers still want to do the right thing.
Doing the right thing means protecting patient information, as it does for Larry Whiteside Jr., Chief Information Security Officer for Visiting Nurse Service of New York, who takes privacy and accountability in his organization very seriously. Doing the right thing for Chris Sawall, Supervisor, Information Security & BCP at Ameren, is protecting our nation's critical energy infrastructure.
LogLogic's approach to log management makes doing the right thing cheaper and better. It is cheaper because our three new products share a common foundation: our open log management platform. Log data is collected only once, and archival, indexing and search are not duplicated, which saves a great deal of staff time and system resources such as storage. An integrated approach is better because the different applications work together to prioritize and organize information in a way tailored to the task at hand. For example, our Compliance Manager product provides policy mapping and automates the log review required by PCI and SOX, whereas Security Event Manager automates alert prioritization and incident management.
A huge thank you to all at LogLogic who worked so hard to deliver these ‘triplets’ … It’s like being a new mom all over again. I am happy and exhausted. Also a big hand to our hero-customers, all 714 of them, and to some of the analysts who are speaking out about convergence in the security market:
"Log management and SIEM are not one and the same, but both are equally important to corporate regulatory compliance and strong security protection," said Jon Oltsik, Principal Analyst at the Enterprise Strategy Group. "With this announcement, LogLogic adds a strong SIEM platform to its leading log management offering. This makes LogLogic a great one-stop shop whether organizations need log management, security management, compliance auditing, or all three."
"Enterprise log management is a component critical to meeting the increasing demands of regulatory compliance," said Nick Selby, Vice President and Research Director at industry analyst firm The 451 Group. "There is a clear trend of convergence amongst log management and enterprise security information management and security event monitoring products. We believe the integration of LogLogic's log management products and Exaprotect's security information and event management products will form the basis of a powerful product offering."
Posted February 17, 2009
If I were to hack your network, what would be my goal? Let's say, for instance, that I get through your firewall. Maybe I exploit some buffer overflow in your IOS to get through one of your firewalls. Maybe I come in over your VPN. Maybe I make my way into your office under the guise of being a “contractor”. What's my goal? What's my target? What is the treasure I am looking for?
In 1950 the FBI's most wanted bank robber, Willie Sutton, was arrested. When asked why he robbed banks, Sutton simply replied, "Because that's where the money is." I would relate that back to network security: the databases are where the money is.
I've consistently come across companies with a single focus in mind: “the perimeter”. They place so much emphasis on this single portion of security that they lose sight of the big picture. The big picture, of course, is that a good security system starts with a well-structured security policy. That policy needs to handle all aspects of security, from physical to operational.
Too often system administrators are left to their own devices, managing the security of their systems with little or no oversight by a higher security administrator. This raises the following questions:
Who ensures system administrators are following security guidelines?
How does an organization ensure all system administrators are applying the latest patches?
What organization ensures that the latest patches have been tested to ensure they do not cause additional system faults?
Who performs security audits on the corporation as a whole?
Here are some staggering statistics:
In November 2008, 338,000 records (name, DOB, SSN) were stolen from the University of Florida.
In January 2008, 225,000 records (name, SSN, account numbers and balances) were stolen from the Davidson Companies.
In July 2007, 8.5 million records (customer data, bank account and credit card information) were stolen from Fidelity National Information Services.
Where does private data live? Chances are, it's in one or more databases on the network. Databases hold PII (Personally Identifiable Information), which includes customer or employee names, their addresses, and maybe their social security numbers and credit card info. If so, that's the jackpot!
But how do you even know if you've been hacked? If I came in over the VPN, would you know? If I breached your PII database, would you know? 3.5% of companies do NOTHING for database security.
Among average companies, even those that are security focused regarding their databases install a patch between 3 and 12 months after it is released. The rest install patches somewhere between 12 months after release and never.
Frankly, this scares me half to death. As a victim of identity theft (who went through the grueling process of fixing my post-credit-apocalypse life, which took years), it makes me sick that databases containing PII are the last thing people even consider logging, patching or securing.
Most often, the push back from DBAs is performance. Full logging using the default logging tools of any of the top-tier DBs is going to affect performance. But there are other options: options which offer database security without the performance hit.
If I were to hack your network, your databases would be my goal. Whether I come in over the VPN, straight through your firewall, or under the guise of being a “contractor”, these databases need to be locked down. That should include, but not be limited to, segregating the databases from the general public, logging and retaining every authentication to those databases, and installing patches promptly when they are released. Not two years later. Databases are the treasure in your castle. They need to be protected.
Posted February 17, 2009 in Security
In the first part of the ITPro Q&A video, Pat (LogLogic CEO) talked about the direction the company is taking to help businesses deal with the increasing volume and complexity of their data, about bringing her industry expertise to bear, and about how the customer is always king.
Posted February 01, 2009 in LogLogic News