

Case Study: A Major UK based Telecoms Company

Introduction

A major UK-based Telecoms company had a requirement for improved security monitoring and management of its diverse multi-site infrastructure, to provide real-time security awareness to its security teams, and to support compliance programs already underway.

The initial requirement was to support Sarbanes-Oxley (SOX) compliance, with a view to expanding the implemented system to cover the appropriate Payment Card Industry (PCI) requirements.

The company enlisted the services of Zepko to implement this because of Zepko's proven track record of delivering quality solutions built on Security Information and Event Management (SIEM) systems, which the company had decided to implement to support its compliance and security operational initiatives.

The Challenge

The company already had well-established security teams which defined policies to manage risks and respond to incidents. The company took the opportunity presented by organisational change to create a dedicated team for UK-based security operations. As well as providing support for the compliance programs, the SIEM solution would also provide a security platform for the monitoring and incident response activities undertaken by this team.

The organisation had hundreds of different hosts, multiple platforms and numerous different applications that needed to be integrated effectively into the SIEM system so that relevant data from these elements could be collected and processed in order to generate compliance reports for SOX and PCI.

In addition to this, the system also needed to provide real-time alerting on security incidents within the digital estate and support forensic analysis and incident resolution. The Sarbanes-Oxley control framework defined system log management and monitoring as two controls for which the SIEM had to provide an effective solution. PCI compliance would require the SIEM to collect data from the identified system components and provide compliance reports to satisfy specific requirements from most of the 12 requirement sections within the PCI Digital Security Standards. Security alerting and reporting to the UK security team required appropriate correlation rules and associated actions to be configured to identify and notify the relevant security team personnel of potential attacks, malicious activity and security incidents emanating from or targeted against the company's infrastructure and systems.

Timescales for implementation were tight, especially for SOX compliance, and so a prioritised and staged approach was determined to cover all elements and ensure that deadlines and deliverables were achievable for each of the different objectives.

Moving forward and integrating devices for PCI compliance would mean greatly increasing the amount of security data collected from end devices, and so the SIEM system would need to scale effectively to cope with the increasing demand for event collection and processing.

The Zepko Solution

In response to these needs and objectives, and after due attention to capturing all of the requirements, an appliance-based SIEM solution was chosen for implementation.

This was chosen primarily for its ease of implementation (a quick turnaround to operational deployment was required), its high event handling rates (many thousands of events per second, EPS) and its effective storage capabilities for raw events.

The main compliance efforts were concentrated upon event logging to satisfy related SOX and PCI control objectives and requirements and for these to move from ‘RED’ to ‘GREEN’ or from ‘no tested process or evidence of compliance’ to ‘tested with evidence of compliance’.

With Zepko's experience in using SIEM to assist with compliance programs, we were able to quickly establish the control objectives and key requirements that the SIEM system could best address, and then concentrate efforts on the data collection and system outputs necessary to provide the compliance evidence.

Zepko devised device integrations for the majority of the standard systems in use across the company's estate. This involved forming effective Data Integration Plans (DIPs) for each data/device type, ensuring that the most relevant data was being collected in the most appropriate manner to support the ultimate goal of satisfying the SOX or PCI control objectives and requirements.

Other considerations, such as balancing the desire to store all logs from all systems for long periods of time (retention policy) against what is practical and possible, had to be weighed in order to arrive at the most pragmatic solution for the company in meeting its objectives and responsibilities.

To provide compliance evidence for some of the key control objectives and requirements within both the SOX and PCI standards, it was necessary to perform device integrations for custom devices.

This is where bespoke or customised applications and systems exist within the compliance domains from which data needs to be collected, but where there is no out-of-the-box SIEM device support for these entities.

This most often included databases and audit tables, as well as logs from bespoke applications. The custom approach requires great skill in ensuring that only the most relevant data is collected (that which will satisfy the audit/compliance requirement) and that it is collected in the most appropriate way, in order to minimise the impact on the host systems and maintain a secure and efficient operating environment.

Zepko also configured the reporting templates to provide the evidential support for the compliance programs. The deployed SIEM system provided some out-of-the-box SOX and PCI reports, and Zepko were able to supplement these with custom reports to satisfy further control objectives and requirements for both SOX and PCI.

Zepko delivered benefits

The Z-SIEM solution delivered by Zepko is now providing a cornerstone support solution for the operational security team and compliance programs.

Ultimately the SIEM solution has reduced the overall cost of compliance through a rapid and effective deployment, coupled with automation of processes and control functions and the generation of tailored outputs (reporting and alerting) to satisfy the requirements.

The control and visibility now afforded over the digital estate also extends to the areas covered by numerous outsource providers, and has allowed the company to better manage its partners from a security perspective and, for example, to support measurement of performance against Service Level Agreements.

The auditing and log retention needs of the business have been met in an efficient and cost-effective manner.

The operational security team now has very good visibility of the estate it is responsible for and is able to effectively manage security incidents and provide data and metrics to support its control and reporting objectives to those responsible for security and to the wider business and the Board.

Overall the organisation has met its key compliance objectives and is now much better provisioned to support its management of the company's information security.