If a data breach occurs, pinpointing exactly what happened is essential to preventing a similar breach in the future. A full accounting of what happened may also be required by the relevant authorities.
The ultimate goal is to dramatically reduce the mean time to detection (MTTD) and mean time to resolution (MTTR). Doing so can help reduce any liability on behalf of the organization and can help minimize the actual damage done by a breach.
Collecting information such as event logs is only the first part of the equation. The most important part of the process is forensically analyzing the data to determine who accessed what within the network, and what they did while they were there.
Organizations in any industry must comply with various regulations:
Organizations involved in providing healthcare or related services need to comply with information security guidelines laid out as part of legislation in the relevant country. For example, in the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) recommends that organizations in the healthcare sector establish a comprehensive audit and event logging regime across data stores, applications, and operating systems.
Financial services organizations are required to protect their customers’ personal financial information. The Financial Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act) compels US-based financial institutions to protect customer information. In Australia the Privacy Act of 1988 includes similar requirements, while the General Data Protection Regulation (GDPR) protects European customers.
All publicly-traded companies in the United States have to submit an annual assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission (SEC) under the Sarbanes-Oxley requirements.
The Sarbanes-Oxley Act (SOX) affects all publicly-traded companies and focuses on the accountability and integrity of the financial reporting process for a public company. Log files contain a wealth of information that can be mined for details that will assist in detecting system problems and providing an audit trail for incident response and forensic investigation.
SNARE Enterprise Tools help organizations comply with SOX by providing a centralized repository where logs from disparate systems are collected, normalized, aggregated, and archived, which supports SOX Section 404’s IT process controls. These logs form the basis of the internal controls.
Retailers need to be PCI-compliant. This means satisfying various requirements that demonstrate that customers’ payment card information is protected.
The Payment Card Industry Data Security Standard (PCI DSS) was developed to help prevent credit card fraud at organizations that process credit card payments. As part of the requirements for retailers, you must:
- build and maintain a secure network
- protect cardholder data
- maintain a vulnerability management program
- implement strong access control measures
- regularly monitor and test networks
- maintain an information security policy.
The Snare Central Server is designed with forensic examination and compliance in mind, and is ideal for investigating events because:
- it keeps stored logs away from the systems generating logs so they can’t be tampered with, remain secure, and can be accessed when needed to investigate an event
- it uses a standards-compliant storage format with a very high compression ratio, letting you store approximately 40 terabytes’ worth of data on about 1 terabyte of physical disk space
- the data can be exported as-is to third-party analysis tools or it can be analyzed on the server
- the Central Server includes 200 standard template reports that map to legislative requirements and can be configured as required
- deeper analysis is simple and accessible, with incident trails that are clear and easy to follow.
Snare Agents also contribute to forensic analysis by:
- forwarding data in a non-proprietary format that’s light on system resources so you can collect a wide range of events that may not be immediately critical, but may be useful as forensic support material for future investigations
- extracting localized information from audit event logs that is critical for long-term forensic follow-up but may be transitory on the source server
- not removing information from the source log data
- cryptographically fingerprinting log collections, with the checksums archived to support long-term validation of the source data.
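The last bullet, and the earlier point about keeping stored logs away from the systems that generate them, both come down to being able to prove later that an archived log collection is the one that was collected. The following is an added example, not Snare’s own code and not a description of Snare’s checksum format (which this page does not give): it builds a SHA-256 manifest over a log collection, authenticates the manifest with an HMAC whose key is assumed to be held off the log host, and shows what the verification report looks like when files are altered, deleted, added, or when the manifest itself is rewritten to match an altered file. File names, the manifest layout, the key and the log lines are all constructed for the example.

```python
"""Checksum manifest for an archived log collection.

Added example, not Snare's own code: shows why archived checksums let you
validate source log data long after collection, and why the manifest itself
needs protection. File names, the manifest layout, the HMAC key and the log
lines below are all constructed for this example.
"""
import copy
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HASH_ALG = "sha256"


def file_digest(path: Path) -> str:
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.new(HASH_ALG)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable serialization so the HMAC covers exactly the same bytes on verify.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(collection_dir: Path, manifest_key: bytes) -> dict:
    """Fingerprint every file under collection_dir and authenticate the result."""
    entries = {}
    for p in sorted(collection_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(collection_dir).as_posix()
            entries[rel] = {"alg": HASH_ALG, "digest": file_digest(p), "size": p.stat().st_size}
    # The HMAC key is assumed to live off the log host; without it, anyone who
    # can rewrite a log file can recompute its digest and rewrite the manifest.
    tag = hmac.new(manifest_key, _canonical(entries), HASH_ALG).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(collection_dir: Path, manifest: dict, manifest_key: bytes) -> dict:
    """Report manifest authenticity plus modified, missing and unexpected files."""
    entries = manifest["entries"]
    expected = hmac.new(manifest_key, _canonical(entries), HASH_ALG).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["hmac"])
    modified, missing = [], []
    for rel, meta in entries.items():
        p = collection_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif file_digest(p) != meta["digest"]:
            modified.append(rel)
    present = {p.relative_to(collection_dir).as_posix()
               for p in collection_dir.rglob("*") if p.is_file()}
    return {"manifest_ok": manifest_ok, "modified": modified,
            "missing": missing, "unexpected": sorted(present - set(entries))}


def demo() -> tuple[dict, dict, dict]:
    """Build a manifest over constructed logs, then verify three states of the archive."""
    key = b"constructed-example-key"  # placeholder; a real key is provisioned separately
    with tempfile.TemporaryDirectory() as tmp:
        coll = Path(tmp) / "collection"
        (coll / "host-a").mkdir(parents=True)
        sec = coll / "host-a" / "security.log"
        sec.write_text(  # constructed sample events
            "2024-01-05T10:01:02Z host-a sshd[4021]: Accepted publickey for alice from 10.0.0.7\n"
            "2024-01-05T10:03:44Z host-a sudo: alice : COMMAND=/bin/cat /etc/shadow\n")
        (coll / "host-a" / "auth.log").write_text(
            "2024-01-05T09:58:10Z host-a login: session opened for bob\n")

        manifest = build_manifest(coll, key)
        untouched = verify_manifest(coll, manifest, key)

        # State 2: a line is dropped from one log, one log is deleted, one is added.
        sec.write_text(sec.read_text().splitlines()[0] + "\n")
        (coll / "host-a" / "auth.log").unlink()
        (coll / "host-a" / "extra.log").write_text("unexpected\n")
        altered = verify_manifest(coll, manifest, key)

        # State 3: the manifest is also rewritten to match the altered file. The
        # per-file digest now agrees, but the HMAC does not, so it is still caught.
        forged = copy.deepcopy(manifest)
        forged["entries"]["host-a/security.log"]["digest"] = file_digest(sec)
        forged_result = verify_manifest(coll, forged, key)
    return untouched, altered, forged_result


if __name__ == "__main__":
    for name, report in zip(("untouched", "altered", "forged manifest"), demo()):
        print(name, report)
```

The design point is the third state: a per-file checksum only proves that a file matches its recorded digest, so the digest list has to be stored somewhere the log host cannot rewrite (the HMAC key off-host in this example, or the manifest itself archived on a separate collection server) for the validation to mean anything years later.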