LogBlog

« March 2009 | Main | May 2009 »

User Monitoring: Sacrificing the privacy of few to protect the information of many?

Or: How far should IT managers go to protect corporate data?

By: Dominique Levin
VP Marketing & Strategy

A conflict is brewing in corporate America that rivals the ethical debate between philosophers such as Immanuel Kant (footnote a) and John Stuart Mill (footnote b). How far can companies go to protect data? Can companies play “Big Brother”, violate employee privacy and monitor employees in order to protect data? What if the act of violating employee privacy actually protects the privacy of many more? For example, what if monitoring nurses protects the privacy of patients’ healthcare records?

Immanuel Kant might have said that ethics are absolute and you cannot violate the privacy of employees, even if monitoring employees would result in a ‘greater good’. John Stuart Mill, on the other hand, might have chosen the ‘greater good’ and sacrificed the privacy of a few consenting employees (you can always go work somewhere else) to protect the privacy of many.

In an April 28, 2009 Network World article, appropriately titled “Can you no longer avoid closely monitoring employees?”, one IT manager speaks openly about the delicate balance of real-world information protection. "There's a balance," says Max Reissmueller, senior manager of IT operations and infrastructure at Pioneer Electronics USA Inc. in Long Beach, Calif. "I wouldn't want managers coming to me to keep an eye on a particular employee, wondering what they are doing every minute." At the same time, Pioneer is determined to protect its intellectual property, customer-service lists and other sensitive data. "I don't want a disgruntled employee trying to take a bunch of information," Reissmueller says.

Gartner Inc. analyst John Pescatore agrees and says the key word to think about is how "closely" to monitor employees. In other words, it’s not about watching every employee’s every move, but it is fair to protect an organization’s crown jewels, and it is perhaps even mandatory to protect the personally identifiable information entrusted to an organization by its customers.

Sarah Cortes is a former senior security executive at a financial services firm with $500 billion in assets under management and over 20,000 employees. In her blog “Database logging and privileged access control” of April 21, 2009 she recounts that each morning, she would take responsibility for reviewing lists of accounts with privileged access to high-risk data. This means reviewing the lists of people with access to “High Risk” data such as customer balances and account values.

She reminds us that ship captains have long started their days by initialing log entries.


If the task of reviewing lists of privileged users and their access patterns sounds daunting, then perhaps you have given too many people access to sensitive information. Sarah has some very simple rules of thumb:

Even at an enormous firm, the number of privileged IDs with access to high-risk data should be short enough for a busy executive to personally review

The number of people with write access to “High Risk” data should be between zero and three and you should know those people by name very well

It is both feasible and reasonable for senior executives to personally review this information and record that they have done so

There are no specific standards or frameworks telling you how to create the reports Sarah is talking about or what to include. Regulatory frameworks indicate only that this type of review should be defined by each organization and put into place. Whether it is daily, weekly or monthly, and what exactly it includes, will be up to each organization, compliance officer and CISO, depending on its businesses and risks.

Here are some general considerations for specifying these reports:

1) Define “High Risk” information for your organization. Start small by defining only the most sensitive information.

2) Identify the “Data Owner” for each category of “High Risk” information. The data owner is the executive who will review the lists of privileged users and their actions.

3) Locate database tables and directories with “High Risk” data. This is more difficult than it sounds, but new technologies make it easier.

4) Audit user accounts with access rights to this data. Who should have access to “High Risk” data? You may want to reduce the list to a manageable number. Also, you probably want to generate a report specifically showing any new privileged account creations and privilege modifications to ensure these are authorized.

5) Audit access to database tables and directories with “High Risk” data. Create automated daily reports to be sent to the Data Owner. Individuals accessing the system should be aware that access is monitored and reports are reviewed. Ideally, individuals who access controlled systems should not have access to update or modify the scripts and/or software that produces the security reports.

6) Include all changes to “audit” status. Don’t forget to also generate a report that will tell you whether in the prior 24 hours audit logging was turned on or off.
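As an added example (not code from the original post or from LogLogic's products), the Python script below turns steps 4 through 6 into a daily Data Owner report: it reads a constructed, pipe-delimited database audit trail, lists every access to the tables defined as “High Risk”, flags writes by anyone outside a named allowlist of approved writers, reports privileged account creations and grants, and reports whether audit logging was switched off or on in the prior 24 hours (and whether it was left off). The log format, table names, user names and sample lines are all assumptions made for this example.

```python
"""Daily "High Risk" data access report. Added example, not LogLogic code.

Assumptions (none come from the original post): the audit trail is a
pipe-delimited text log with fields  timestamp|user|event|object|detail,
where detail is a comma-separated list of key=value pairs. Table names,
user names and the sample lines below are constructed.
"""
from datetime import datetime, timedelta

HIGH_RISK_TABLES = {"customer_balances", "account_values"}  # steps 1 and 3
APPROVED_WRITERS = {"alice", "bob"}       # step 4: zero to three people, by name
REVIEW_WINDOW = timedelta(hours=24)       # steps 5 and 6: the prior 24 hours
WRITE_EVENTS = {"INSERT", "UPDATE", "DELETE", "MERGE"}
PRIVILEGE_EVENTS = {"CREATE USER", "GRANT", "ALTER ROLE"}

# Constructed sample audit trail; the last line is older than the window.
SAMPLE_LOG = """\
2009-04-28T08:05:00|alice|SELECT|customer_balances|rows=12
2009-04-28T09:10:00|carol|UPDATE|account_values|rows=1
2009-04-28T10:00:00|dba01|CREATE USER|mallory|privileged=true
2009-04-28T10:01:00|dba01|GRANT|mallory|role=db_owner
2009-04-28T11:30:00|dba01|AUDIT|server|state=off
2009-04-28T11:45:00|dba01|AUDIT|server|state=on
2009-04-28T12:00:00|bob|UPDATE|customer_balances|rows=3
2009-04-27T06:00:00|alice|UPDATE|customer_balances|rows=2
"""


def parse_log(text):
    """Parse the pipe-delimited audit trail into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, obj, detail = line.split("|", 4)
        pairs = (kv.split("=", 1) for kv in detail.split(",") if kv)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "object": obj, "detail": dict(pairs)})
    return events


def build_report(events, now):
    """Keep the events of the last 24 hours and sort them into report sections."""
    since = now - REVIEW_WINDOW
    recent = sorted((e for e in events if since <= e["ts"] <= now),
                    key=lambda e: e["ts"])
    report = {
        "high_risk_access": [],     # step 5: every read or write of High Risk tables
        "unapproved_writes": [],    # step 4: writes by someone not on the allowlist
        "privilege_changes": [],    # step 4: new privileged accounts and grants
        "audit_state_changes": [],  # step 6: audit logging switched off or on
        "audit_off_at_end": False,  # step 6: audit logging still off at window end
    }
    for e in recent:
        if e["object"] in HIGH_RISK_TABLES:
            report["high_risk_access"].append(e)
            if e["event"] in WRITE_EVENTS and e["user"] not in APPROVED_WRITERS:
                report["unapproved_writes"].append(e)
        if e["event"] in PRIVILEGE_EVENTS:
            report["privilege_changes"].append(e)
        if e["event"] == "AUDIT":
            report["audit_state_changes"].append(e)
            # The latest AUDIT event decides the state at the end of the window.
            report["audit_off_at_end"] = e["detail"].get("state") == "off"
    return report


def render(report):
    """Render the report as lines a Data Owner can initial, captain's-log style."""
    def fmt(e):
        return "  %s %-7s %-11s %s" % (e["ts"].strftime("%Y-%m-%d %H:%M"),
                                       e["user"], e["event"], e["object"])
    sections = (("high_risk_access", "ACCESS TO HIGH RISK DATA"),
                ("unapproved_writes", "WRITES BY NON-APPROVED USERS"),
                ("privilege_changes", "PRIVILEGED ACCOUNT CHANGES"),
                ("audit_state_changes", "AUDIT LOGGING STATE CHANGES"))
    lines = []
    for key, title in sections:
        lines.append("%s (%d)" % (title, len(report[key])))
        lines.extend(fmt(e) for e in report[key])
    if report["audit_off_at_end"]:
        lines.append("WARNING: audit logging was still OFF at the end of the window")
    lines.append("Reviewed by Data Owner: ________  Date: ________")
    return lines


def daily_report(log_text, now_iso):
    """Entry point: parse the trail and report on the 24 hours ending at now_iso."""
    return build_report(parse_log(log_text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    print("\n".join(render(daily_report(SAMPLE_LOG, "2009-04-28T23:59:00"))))
```

In a real deployment the script would read the previous day's audit export instead of SAMPLE_LOG and run under an account that the monitored users cannot modify, as step 5 requires.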

Footnotes:

(a) Kantian Ethics. Immanuel Kant encouraged choosing the right, moral path regardless of the consequences. Even in circumstances that would render negative consequences as a result of pure intentions, Kant argues that one should adhere to pure intentions and that their maxims should always reflect those intentions.

(b) John Stuart Mill’s Utilitarianism. Stripped down to its essentials, utilitarianism is a moral principle that holds that the morally right course of action in any situation is the one that produces the greatest balance of benefits over harms for everyone affected.

Posted April 29, 2009


LogLogic Buys Exaprotect: 3 Reasons Why Customers Win.

By Dominique Levin
VP Marketing & Strategy

Last week LogLogic announced its intent to acquire Exaprotect. In February we had already announced a partnership with Exaprotect to deliver the LogLogic Security Event Manager. In February we also announced LogLogic Compliance Manager, which has since shipped to the general public, and LogLogic Database Security Manager, generally available later this quarter. Now we have added the Exaprotect Change Manager product line. In a mere couple of months LogLogic went from a singularly focused company with leading log management platforms to having five product lines working together to form the most complete security management suite.

So how does this all benefit customers? The combined product portfolio answers 3 simple questions for customers:

What is happening?

What is important?

What to do about it?

1. What is happening? Log Management and Database Activity Monitoring.

It all starts and ends with log data. You cannot secure or manage what you cannot see. Therefore, first focus on building a central repository of user and system activity. You do this by aggregating, summarizing and archiving log data. Log data can tell you who is accessing your network and systems, and even who is seeing, changing or moving individual information objects. Per a recent SANS survey, 99 percent of customers are collecting (or planning to collect in the next year) some log data, but for many it is a work in progress. Virtually all collect network data (“who is accessing my network?”) and most collect system-level data (“who is accessing my systems?”). For most companies, even collecting a complete activity record remains a work in progress.

Leading-edge organizations are now turning their attention to understanding activities around business applications and transactions, and to monitoring access to specific sensitive information objects. This is particularly true for structured information in databases. Databases are a one-stop shop for valuable data. Organized criminals are targeting sensitive data in databases to sell for $300 per record. Since the data is structured, you know where it resides and you can monitor access to these specific records. LogLogic expanded into database activity monitoring with a specialized database sensor. The sensor sees more than you would through native logs, including activities that are triggered by stored procedures, obfuscated queries and the like. This is great as a stand-alone product, but at the end of the day, database activity should be analyzed in context with all other activity data – hence the convergence of log management and database activity monitoring.


2. What is important? Compliance management and security event management.

Just having the data on a pile is of course not enough. Once you have a central record of activity, you need to look at this information. Few organizations are proactive about this. LogLogic compliance management and security event management applications can help. LogLogic Compliance Manager is about deciding who should be looking at what log data, and when, and then enforcing that log review process through software. Compliance is a collaborative process and Compliance Manager facilitates collaboration on proactive security. It productizes best practices, presents reviewers with an easy in-box of log review tasks and the ability to annotate and score activities. Ultimately the log review scores roll up into a dashboard that presents executives with the overall timeliness of review and a compliance score. It is still human beings who do the bulk of the actual analysis. LogLogic Security Event Manager goes one step further and uses cross-device correlation and contextual analysis with vulnerability and asset data to prioritize suspicious activities automatically. For example, access to an HR database followed by a large e-mail being sent could be suspicious and needs to be investigated immediately.


3. What to do about it? Change management and database security.

Contextual analysis of log data is cool and it can go a long way toward turning raw log data into actionable information and even into recommendations. However, security Nirvana would be self-healing. Increasingly, software could make automated recommendations and predictions about unusual and suspicious activities and could prevent bad things from happening in the first place. LogLogic Change Manager and the LogLogic Database Security agent both have the ability to enforce security policies. Most customers aren’t quite ready to automatically re-configure a firewall policy based on a security alert, but at some point in the future, as predictions become more accurate, automatic remediation will become a reality. One area where automated prevention is a reality is in database security. About 20% of database security customers also turn on active blocking. It makes sense that blocking would be more prevalent with systems that can do fine-grained monitoring. It is tricky to kick somebody off the network wholesale based on a security alert. There are still too many false positives. If you get it wrong you seriously hurt productivity. That is never a good thing, but especially not in an economic downturn. Most organizations prioritize productivity over security. It is much more acceptable, however, to block access to a specific piece of information based on suspicious activity.

In summary, with the addition of Exaprotect, LogLogic can better protect information at a lower cost. This is good news at a time when few customers can afford to maintain the staff and budgets to integrate many disparate point products. Unified security management also leads to better information protection. Proactive security monitoring (LogLogic Security Event Manager and LogLogic Compliance Manager), combined with fine-grained monitoring (LogLogic Database Security Manager), leads to more accurate prevention (LogLogic Change Manager and LogLogic Database Security Manager) and better information protection.

Posted April 27, 2009 in Compliance, Log Management & Intelligence, LogLogic News, Security


LogLogic and Exaprotect Make a Winning Team

By Pat Sueltz
President and CEO, LogLogic Inc.

Today we announced that we have signed a definitive agreement, subject to customary closing conditions, to acquire all of the outstanding securities of Exaprotect. With this acquisition, we will unify previously disparate point solutions to create a powerful new security management suite for the benefit of enterprises. It’s a major milestone for LogLogic and for the industry as a whole.

The “lowly log” is increasingly becoming the “luminous log” as it provides visibility and illuminates user and system activities, necessary to create transparency in enterprise operations. We’re now starting to build on top of the open log management platform by adding Exaprotect’s security event manager and change manager products in addition to our database security manager, which will be generally available in May.

So what does this fusion of LogLogic and Exaprotect mean? Simply put, it’s a catalyst for innovation.

First, it means that LogLogic will continue strengthening its open log management platform, which enables customers to collect, search and store 100 percent of IT log data for a comprehensive fingerprint of past and current activity across any organization.

Second, we are adding Exaprotect’s correlation engine to the mix as we add the security event manager as one of our log-powered applications©.

Third, Exaprotect’s award-winning ChangeManager will play a significant role as it provides a centralized, multi-vendor capability that provides an easy-to-use graphical interface to automatically create the end-to-end design and generation of network security policies for Firewalls, Routers, VPNs, and IPS’s.

Finally, with the combination of Exaprotect Security EventManager, ChangeManager and LogLogic’s entire suite of offerings, LogLogic will provide a powerful security suite that enables a mid-sized company or enterprise to easily capture, analyze and report on all information derived from all the logs of a company’s networks, systems, databases, and applications. We have all the log data, which comprises 33% of a company’s information. And, we turn the data into understandable information – for the analyst to the C-level executive.

When acquisitions happen, typically a great deal is said about product synergies and too little about the people. In my experience, it is all about the people. Over the course of building our partnership and working through the acquisition, I have gotten to know the principals of the Exaprotect team. I know that we share core values such as integrity, work ethic, teamwork and, above all, an extraordinary passion for customer success.

Our proven ability to execute in the market, incorporated with the outstanding ability of Exaprotect to create highly differentiated and innovative solutions, will be a powerful combination. Check back here for more information as we continue to integrate our technologies and grow.

Posted April 22, 2009


Together, LogLogic and Exaprotect will leapfrog the competition

By Jean-Francois Dechant
President & CEO, Exaprotect

It is with great pleasure that I would like to announce that LogLogic has signed a definitive agreement to acquire Exaprotect. This is a great opportunity for Exaprotect, our partners and customers alike. The transaction will give us the opportunity to help LogLogic become the number one player in the Enterprise Security Management market.

In case you aren’t familiar with us, let me take a moment to introduce Exaprotect. Before founding Exaprotect, I owned a managed security services company. I was constantly searching for an effective security event management technology I could offer my customers. After years of coming up short, I finally decided to build my own solution. Thus, Exaprotect was born in 2004.

Exaprotect has two products that will serve as strong complements to LogLogic’s suite of log-powered applications. First, is EventManager, which is currently available as LogLogic Security Event Manager. You might wonder why it’s worth looking into yet one more SEM solution. Here’s why:

Exaprotect’s EventManager is a plug-and-play appliance that includes a patented event taxonomy for correlating and classifying events according to a prioritized hierarchy. The taxonomy includes every possible action that could occur across your network and our asset model is pre-configured so you can easily identify and prioritize security events. It also has a natural language overlay that greatly simplifies rule definition and cuts down on white noise by a factor of 100x. While most SEM providers require an external database and dedicated DBA to manage the overwhelming amount of non-threatening events they trap daily, EventManager can stand on its own because we sort through false positives right away.

You can also aggregate a string of related incidents into one discrete attack so you can easily identify and remediate an “Attack on HR database,” rather than having to sort through a series of IP addresses to see how various events fit together. We also enable asset tagging for compliance. If you need to be PCI compliant, our database will know which assets to monitor for you.

Introducing LogLogic Change Manager

The other product you’ll be seeing soon from LogLogic is a one-of-a-kind product called ChangeManager. It will be available as LogLogic Change Manager once this acquisition is complete. It automates the manual process of keeping all network configurations, including firewalls, routers, switches, VPNs and IPS’s current with your latest security policies. This saves a lot of headcount and a lot of headache.

Most often, IT security and network administrators are tasked with configuring network devices multiple times per day. Depending on what equipment they’re using, new rules must be written and managed separately for each vendor product. That means, if you have equipment from Cisco, Juniper, CheckPoint, Fortinet, and others mashed into your IT infrastructure, each must be configured separately. As you can imagine, this leaves plenty of room for error. Our vendor-agnostic centralized configuration manager enables folks to manage all of their network configurations in one place so you don’t have to make separate adjustments by vendor.

ChangeManager enables IT admins to act fast when a breach occurs. For example, to change configurations, you only have to write one policy, such as “isolate transaction server if there is a virus attack,” and our system will translate that into device-specific rules. You can have 20 devices between points A and B that need to be reconfigured and ChangeManager will know what to change and how to change it automatically. We include a workflow so you can set up policies ahead of time and ask management to sign off. Then, when EventManager detects a legitimate attack on your transaction server, the alert will be sent and ChangeManager will fix it right away. This helps us close the security management loop, as we not only passively monitor, but actively adapt your network to manage and protect against incoming threats.

As you can tell, I take pride in the technologies Exaprotect has developed over the past five years. We were founded out of a real need to go beyond the broken promises security event management companies keep making about solving customer problems. At the end of the day, if you’ve got 100x white noise and only one legitimate threat, you can’t effectively monitor or manage your network. When you think about the rising threat of privileged users who can often slip by archaic SEM solutions, why invest so much when you get back so little?

I look forward to promoting our technologies through the premium “LogLogic Execution” capabilities already demonstrated by their leadership position in the log management space. We will then provide our joint customers and prospects with outstanding security management technologies through a unique portfolio of products and become the leader in this space!

Posted April 22, 2009


Coviello from RSA on inter-operability to reduce cost of Security

The best security is inter-operable and ultimately embedded

Art Coviello, EVP of EMC Corporation and president of RSA, the Security Division of EMC, today delivered a keynote at the America’s Growth Capital Security Conference.

Art summarized the priorities of the Chief Security Officer community:

  1. Reduce the cost of security
  2. Make the enterprise more secure
  3. Help with governance, risk, compliance

5% of IT spending is being spent on security – the costs of security are out of hand because of the increase in the number of web applications and in the amount of information that needs to be protected. Over the same time period the fraudsters have become much more sophisticated.

How can you get the cost of security down? Art shared that he is not a believer in a big inter-galactic governance, risk and compliance, but rather recommends that organizations automate smaller pieces of the puzzle and then ensure those pieces inter-operate. LogLogic agrees and is the first to have released a product that automates a piece of the governance, risk and compliance puzzle: the review of monitoring controls.

Art also gave an example about inter-operation from the security event management industry:

“Picture a security information event management system that can correlate from a vulnerability system and tie that to data loss prevention and identity based information. It would be great if you can see a Sharepoint site with unencrypted information on it and important information and the server hasn’t been patched for a month and you know that you don’t have a high level of assurance and trust for the person who is accessing that site.”

In the case of LogLogic, our partnership with Exaprotect is aimed at achieving correlation Nirvana as described above.

Art’s end-vision for security goes beyond inter-operability to a world where security is embedded into the overall IT infrastructure. Art said two years ago that the security industry would come to an end. The idea being that the more you can embed security (and integrate it into the overall operations) the better you will be able to react to the circumstances at hand and the external threat landscape.

Clearly the security industry is still thriving (and Art still has a job), but Art’s points on inter-operability are very well taken and open standards are the key to success securing a dynamic IT infrastructure, especially in the age of virtualization and cloud computing.

Posted April 20, 2009


Healthcare protection is getting teeth by 2010

By Dominique Levin
EVP Marketing and Strategy

Updates to HIPAA (HITECH, part of Economic Stimulus Bill) increase log management requirements of health providers.

By February 2010, healthcare providers and others handling protected healthcare information need to comply or face stiff penalties ($1.5 million per year) and potential criminal prosecution.

HIPAA's other major change for covered entities is that they must now disclose if and when they have a security breach and client data is exposed. All users whose data has been lost must be notified, and if more than 500 individuals' data is lost, the organization must notify the Secretary of the Department of Health and Human Services (HHS), who will publicly post the breach on the HHS website. Under HITECH, business associates (those handling protected healthcare information that are not healthcare providers) are subject to the same civil and criminal penalties as covered entities, as well as the disclosure requirements outlined above.

More specific guidelines by Secretary of Health and Human Services are due by the end of this week so stay tuned, but important lessons can be learnt from past audits by the U.S. Department of Health and Human Services. In March 2007, the department audited the information security practices of Atlanta's Piedmont Hospital to determine whether the facility met HIPAA requirements. The audit revealed several areas in which the hospital failed to comply. That was just the beginning; recent HIPAA-related fines imposed on Providence Health & Services and CVS Caremark Corp. have caused many organizations, hospitals, healthcare clearinghouses and business associates to take HIPAA compliance more seriously.

Some lessons learnt are articulated clearly in a recent Search Security article. In a nutshell, protected health information (PHI) must be:

  1. Under clear organizational responsibility for ensuring its security
  2. Only accessible to those who have a business need
  3. Stored and processed on systems that are strictly controlled and backed up
  4. Monitored during all access
  5. Only moved to authorized locations, and encrypted in storage and while transmitted over unprotected networks

An important part of maintaining control over PHI is knowing who has had access to the information. HIPAA requires that all access to protected information be monitored. This means that systems and applications that provide the access need to be instrumented to capture access events. Further, an organization needs to look at its captured log information regularly.

Our recent survey with the SANS Institute revealed that many organizations now take log management very seriously and, in fact, are collecting and archiving log data. The rub comes with the second part of the log management requirement: “an organization needs to look at its captured log information regularly”. This is much harder than it sounds.

LogLogic has worked with its blue-chip customer base to make periodic log review easier, and to this end we today released a workflow automation product called Compliance Manager. Compliance Manager guides compliance administrators through the process of deciding who should review which log information and how frequently, guides reviewers through their daily tasks and rolls this all up for auditors and managers alike to evaluate overall adherence to the compliance process.

Posted April 16, 2009


Log management and SIM go well together

by Lex van den Berghe
LogLogic Customer Evangelist

We recently announced three new products to help enterprises unleash their log power and gain more business value from logs. One of our customers in the mid-market, Visiting Nurse Service of New York, agrees that logs can help enterprises address a variety of business problems.

In an article for SearchCIO.com, Larry Whiteside, Jr., Chief Information Security Officer at Visiting Nurse Service of New York (VNSNY), talked about how our mid-market log management appliance combined with two SIM boxes from Symantec have helped him build a well-fortified information security architecture that enables him to "communicate effectively with his business peers on issues that matter most."

VNSNY is the nation's largest not-for-profit home health care provider. It faces various compliance regulations, such as HIPAA, PCI and SOX. Larry wanted a real-time record of activity on the network and a way to correlate various streams into an intelligent picture of events, from the firewall to the desktop. A former security expert with the U.S. military, Larry arrived at VNSNY with a log management tool from RSA already in place, but it was unconfigured and unmonitored. When his customer service inquiries to RSA went unanswered, he decided to consider us.

Here's a little more detail from Larry's interview with SearchCIO:

"I wanted to be able to do that level of querying in my most chatty areas, which are the application and system logs," he said. "LogLogic has the best querying engine to get down to system-level events."

In Whiteside's architecture, the LogLogic tool collects and normalizes the systems and application log files. One of the Symantec SIM boxes collects and normalizes all the network-based log file data -- from firewalls, intrusion prevention devices, routers and so on. The second SIM box takes all the normalized data from each machine and correlates it with rules determined by Whiteside's team.

Because the SIM dedicated to correlating events is not bogged down by the collection of events, "the amount of rules I can normalize against is just astronomical," he said. The Symantec SIM also comes with a threat awareness tool that telegraphs current threats to people authorized to receive them.

And, he adds, his hybrid solution is designed to be self-managing -- unlike SIM boxes that sit on servers that need to be managed, like those from industry leader ArcSight Inc. ("the most intuitive GUI in the industry, but their back-end technology is lacking").

Indeed, his goal is to have every application and every server inside his environment reporting through this architecture, with automated correlation rules, he said. Based on the criticality rules his team sets up, the system will send alerts to everyone who needs to know when something happens.

He figures it would take a full-time person to do the work his log management tool does in four hours per week.

It's really great to see when our solutions work exactly as intended for customers. In the case of Visiting Nurse Service of New York, an early adopter of the MX appliance, the openness of our log management platform made it pretty easy for Larry to build his own security information architecture and integrate with solutions from other vendors.

Got a log management story you'd like to share? We are always stoked to hear product implementation and use case stories from our customers – please share them with us and other LogLogic customers through our Developers Network at http://open.loglogic.com or contact me directly.

Posted April 15, 2009


Can Government Intervention Help Prevent Data Theft

By Dominique Levin
EVP Marketing & Strategy

I was talking to a reporter today about a new California law that will require businesses to disclose data breaches and provide consumers with enough information to determine if they're at risk of harm. This is a problem I've experienced personally, as I got a letter one day from my brokerage firm informing me that my account may have been compromised. At the time, however, the letter didn't offer any guidance on whether that meant I should go through the tedious process of cancelling my account and creating a new one, or just hope that no one would steal my information.

The reporter was asking whether government intervention will be too intrusive for businesses or whether it would be a boon for consumers.

Processor.com reports that California Sen. Joe Simitian is looking to expand a data breach notification law that was introduced six years ago with a new bill called SB 20. The bill would require companies to report data breaches not only to customers, but also to the state’s attorney general. Simitian’s hope is that by reporting data breaches to a central authority, California residents and officials would get “a better understanding of the nature and scope of the problem.” According to Fred Cate, a law professor at Indiana University, only one in 10 data breaches are made public, and overall, there is very little data about data breaches.

While Senator Simitian is pushing for greater transparency around data breaches to help law enforcement, researchers and others better understand the nature of each new data breach, he is opposed to mandating compensation for consumer victims, as he believes it would deter companies from reporting new breaches.

While I do think mandating more transparency is a good thing for the government to do, disclosure alone is not enough. Disclosure means reporting breaches you know about, so why not just look the other way? Also, in some cases, companies do disclose a major data breach, but only a year after it actually happened. You gotta be kiddin … Clearly, disclosure isn't the full solution to this problem.

Beyond disclosure, the government should focus on requiring companies to implement basic preventative measures to help protect their information assets. This type of legislation would need to be accompanied by fines that are higher than the cost of implementing preventative technologies. Otherwise, it won't work.

Let's go back to TJX. 45.7 million credit and debit cards got compromised. TJX received much bad press for having the largest data breach in the world ever. You would think they would do everything to prevent future breaches? You would think they would put basic security best practices in place? Not so. 18 months after the breach, TJX fired an employee who disclosed that basic security measures had still not been taken … 18 months later. We are talking about things like being able to log in to servers with blank passwords or running machines unnecessarily in administrator mode.

Let’s take a lesson from the Payment Card Industry Data Security Standard (PCI), which was hardly effective until the major credit card companies implemented heavy fines for non-compliance. The truth is, without big fines, nobody pays attention to best practices.

Of course, in order to be able to raise fines, there would have to be a mandated audit, as there is with PCI, and in order to audit there needs to be a pretty specific yardstick for compliance. PCI is a good example because it is specific about the preventative measures it wants credit card processors to implement. You cannot manage what you cannot measure, but with specific requirements in place, the credit card companies were able to mandate annual audits and implement heavy fines for non-compliance. Along with PCI there are now also detailed checklists that outline how and in which order security measures should be taken.

Very helpful.

Ironically, many companies actually have some of the best prevention tools right under their nose. LogLogic sponsors an annual survey by the SANS Institute on Log Management. Log Management is a user monitoring technology that can detect user activity including access to sensitive information. Just this week the SANS Institute published the 2009 version of this survey which revealed that 99% of organizations already collect logs or plan to implement log management.

Good news? Maybe. Collecting log data is one thing and looking at it yet another. I know my pal Anton has written about this in the past. I couldn't find his posting on the subject, but he has written recently about a hearing in the House of Representatives on PCI. Fascinating stuff: basically, the government believes that credit card companies must do more to protect cardholder data, and the merchants want to do less. Still, the credit card industry is light years ahead of other industries. Is credit card information really more important than the tax information the IRS holds on me? Just an example for tax season.

PCI-like regulation for all who handle personally identifiable information would be a great next step after disclosure laws. Let's face it: left alone, what business will truly invest in state-of-the-art security strategies if it believes the risk is very low and isn't held accountable for doing everything possible to protect customer information?

Posted April 08, 2009


Time to Protect Health Information

By Dominique Levin
EVP Marketing & Strategy

The stimulus plan includes $19 billion for healthcare technology to accelerate electronic healthcare record adoption. Many healthcare providers (physician practices, testing facilities, hospitals and clinics) fear liability if private information gets into the wrong hands with these new electronic systems. The legislature shares these fears and is tightening the requirements for notification of a breach of "protected health information" (PHI). If there is reasonable belief that PHI has been breached, providers must put out a notification within 60 days, including notification through prominent media outlets if more than 500 individuals have been affected. The HIPAA security standards are also in effect and include civil and criminal penalties.

A couple of weeks ago, I attended an interesting event at Pillsbury (the law firm) regarding the Health Information Technology stimulus plan. It became clear that there still is some time to sort out the security of “Protected Health Information (PHI)”. There are many hurdles to overcome before widespread adoption of electronic health records is a reality and most of these hurdles have nothing to do with security.

Stimulus isn’t stimulating

Hospitals that haven't already started to implement electronic healthcare records may not start to do so because of the stimulus money. The total stimulus for Health Tech and specifically electronic healthcare records is $19 billion, but if you break it down it means about $4 to $6 million per hospital (up to $11 million technically). Experts fear that the amount is too small compared to the total costs of implementing electronic healthcare systems. Also, the downside of doing electronic healthcare records wrong is much more severe than the upside of getting it right. It could lead to patient death, for starters.

A stick that doesn’t hit

The audience agreed that the carrot of the stimulus is not that strong, so what about the stick? Hospitals tend to be more concerned with the potential penalties that accrue if they don't do something. There is a proposal for reduced reimbursement on Medicaid (up to 5%) if hospitals aren't meaningful users of electronic records. Will Congress actually allow those penalties to kick in? Historically, whenever there is a proposed reduction in Medicaid reimbursement as a stick, Congress has decided to push out the deadline as it came close.

And nobody to sue

Since there were a lot of lawyers in the room, a question was raised whether perhaps patients should start to sue hospitals without electronic records because they are not up to snuff with the "standard of due care" when all other hospitals have such systems. Negligence is a question of foreseeable consequence. I guess that is lawyer speak for "not so easy".

Some more bottlenecks in electronic healthcare records adoption:

Posted April 06, 2009


Gartner Says We’re Cool!

by Lex van den Berghe
LogLogic Customer Evangelist

For years, we've been drinking our own Kool-Aid, saying that log management is cool. It's more than just a check box on your list of regulatory compliance initiatives – at LogLogic we turn water into wine by collecting all sorts of information from every machine in your business and we make sense of it. Once you know what's in your logs, you can get a better idea of your security and operational posture. Just as business intelligence (BI) systems help enterprises make sense of endless streams of data, we take the Tower of Babel and translate it into one language.

If you don't believe me, check out Gartner's new report, "Cool Vendors in Storage Technology and Systems, 2009," published last Monday by a variety of Gartner analysts and researchers. The report says, "Bandwidth reduction and greater safeguards against internal and external threats via log management will result in cost savings to the customer in time saved and threats avoided."

We are the only log management and security company included. Why? Without log management, 30% of an enterprise's data would be lost. It would literally slip through the cracks. While other companies have focused on starting with the security perimeter to protect information assets, we have always focused on the "lowly log" as the root of the challenge, and that means collecting every single piece of information possible. How else would you get a comprehensive picture of what's happening to your data?

So, how do we store and help you search all of that information, which is often more than a terabyte of new data each day?

First, we've started with a Linux appliance that can be deployed on premise, as a managed service or even as a virtual appliance. From there, customers have a wide range of options and flexibility to use our compliance suites or build their own applications on top of our platform to gain back value from their logs. But, we didn't stop there. By building a solid logging foundation, you can monitor and manage security events, database activities and regulatory compliance for any industry. You can search for events just like you would search for information using Google, and you can do it in a fraction of the time it would take you to manually process this information or to deploy multiple solutions from multiple vendors.

The truth is, logging is cool. It's time to jump on the bandwagon if you haven't already – check out our latest article on the convergence of security information and event management (SIEM) and log management in Network World.

Posted April 01, 2009 in Innovation, Log Management & Intelligence, LogLogic News
