SIEM and DLP Together: A More Intelligent Information Risk Management Strategy
An ENTERPRISE MANAGEMENT ASSOCIATES (EMA) White Paper
Prepared for RSA, The Security Division of EMC
December 2009

Table of Contents

Executive Summary
Information Threat Control: Priority One for IT Security
DLP and SIEM: Better Together
A Closer Look: Some Examples
External Threats: A More Realistic Approach
Internal Threats: Containing Abuse of Access to Sensitive Information
A More Intelligent Strategy
EMA Perspective
About RSA, The Security Division of EMC

Executive Summary

With today's profusion of threats to sensitive information, two priorities have become paramount for IT security and risk managers: protection and control for information assets, and visibility into the real nature of threats, both internal and external. The scale of the challenge is one of the largest in IT. Information of value to the business, its stakeholders and customers can be found throughout the enterprise and beyond, but not all of it is of equal priority. Without tools that enable organizations to prioritize their efforts and automate response, the challenge can quickly become overwhelming.

This is why organizations are increasingly recognizing two important aspects of an information risk management strategy: the value of visibility and automation for the monitoring and control of information risks, and the ways in which tools can work together in a more effective approach. The alignment and integration of Security Information and Event Management (SIEM) with Data Loss Prevention (DLP) technology offers a powerful example of both. DLP can discover the information of highest sensitivity throughout the environment, enabling the enterprise to prioritize its efforts and automating the application of prevention and response to information threats on a more comprehensive and consistent basis than individual point solutions can deliver in isolation. SIEM expands visibility into information risks by identifying actual threats to information assets, correlating them with the sensitive information assets discovered by DLP, and helping DLP to automate a more proactive response. Together, these tools enable the enterprise to focus efforts on the highest-priority targets and identify the most significant risk events, making the most of limited resources for risk management.

Purpose-built to be the single pane of glass that consolidates risk event data, SIEM can serve as the focal point of a security management strategy, better informing the capabilities of DLP for applying consistent policy wherever sensitive information is found. This paper explores examples of how DLP and SIEM together can make for more intelligent information risk management. Security, risk and compliance professionals will discover new ways to make the most of these powerful tools that, together, support a more comprehensive approach: uniting visibility across the entire infrastructure with the consistent automation of information discovery and policy-based control.

Information Threat Control: Priority One for IT Security

Today's information security threats target sensitive data as never before. More than 340 million records containing sensitive personal information have been involved in security breaches in the U.S. since January 2005, according to the Privacy Rights Clearinghouse (online source, as of November 2009). This year alone, one of the largest single breaches, over 130 million records, was reported by credit card processor Heartland Payment Systems, as the result of malicious software that compromised data crossing Heartland's network in 2008, according to Heartland president and chief financial officer Robert Baldwin (online source, as of November 2009). For the enterprise, the message is clear: threats to the sensitive information on which the business directly depends have become pervasive and widespread, and the stakes are higher than ever before. This places a substantial premium on the ability to recognize threats and correlate threat behavior to impact on high-priority information assets, in order to manage information security risks.

But how best to recognize the most significant threats, particularly as the threat landscape changes daily, in real time, and threats become more sophisticated and more numerous? And how to identify the most sensitive information resources, so the enterprise can know when and where its highest-priority assets are being targeted? It may be easy to make assumptions about these information stores, but without data that alerts the security team when an attacker has targeted sensitive information, the attacker may know more about how and where sensitive information can be found and exploited than the enterprise does, and in greater detail relevant to a specific threat. Enterprises must recognize that not all information is of equal sensitivity, nor are all information repositories. They must also recognize that the attacker has the luxury of finding exploitable targets at leisure, while the business must prioritize the most significant of all its risks as quickly and efficiently as possible. The challenge for the business is how to build an information risk management strategy that incorporates all these factors within the constraints of limited resources.

DLP and SIEM: Better Together

Correlating real-world threats in real time with how and where the most sensitive information is found and handled: these are the objectives of a strategy that aligns Security Information and Event Management (SIEM) with Data Loss Prevention (DLP). The accurate recognition of sensitive information has been a primary objective of DLP, and a point of differentiation among vendors in the field. Adding discovery to this capability enables today's DLP leaders not only to recognize sensitive information in use or in transit, but to identify where it is found, both in motion and at rest. With this knowledge, SIEM technology can be optimized to focus on potential threat activity that may directly impact DLP-discovered high-sensitivity resources. Conversely, SIEM data can help DLP refine its identification of sensitive information stores, and alert it to new information resources as well as new information threats when they appear.

Figure 1: When DLP information is integrated with SIEM, management data can be consolidated at the SIEM console. This view of DLP information is delivered within RSA enVision's Event Explorer, and includes top actions taken, top blocked users, most frequent policy violations, and more. The view can be modified to best serve operational requirements as needed.

The alignment of these capabilities can help organizations determine where to make the most of information defense and threat countermeasures, and to prioritize response to the most significant risks. For the Security Operations Center, it offers a way to make DLP even more effective while expanding the value of SIEM technologies, integrating DLP into the single pane of glass typically at the center of SOC administration. The union of SIEM and DLP can automate the application of policy controls based on objective event data regarding actual threats, rather than subjective assumptions about where protection should be applied. SIEM serves as the nerve center of strategy management: it consolidates awareness of activity directly correlated to the high-priority information resources discovered and identified by DLP, and correlated to user identity for authorized personnel, customers and partners, in order to monitor appropriate access, recognize anomalies, and refine the application of automated policy controls through DLP.

In short, the alignment of DLP and SIEM provides more realistic insight into where the most sensitive information is found, how it is handled and used, and what real-world threats target its security. This adds to the dimensions of intelligence available to security professionals, enabling them to make better informed decisions about where best to apply limited resources for managing the most significant vulnerabilities and events that place information at risk. It also supports the continuous improvement of risk management strategy, by keeping the organization informed about the constantly changing nature of both sensitive information resources and information threats, helping the enterprise to maintain the effectiveness of its approach.

A Closer Look: Some Examples

The value of aligning SIEM with DLP becomes apparent when organizations seek to make their approach more pragmatic. For example, enterprises may believe they know what their highest-priority information assets are, but without objective evidence based on the discovery of these resources and recognition of their sensitivity, this belief may not be grounded in fact. By finding and recognizing information based on sensitivity, DLP can more accurately locate this data, providing an objective measurement of the actual volume and sensitivity of information at risk at any given point in the enterprise. This tells the enterprise where to prioritize its efforts to control and protect information, as well as where to focus on security events and deploy more effective threat countermeasures. This information can then be correlated with SIEM event data to determine where risk is highest.

External Threats: A More Realistic Approach

For example, organizations may focus on meeting regulatory requirements for protecting customer data in specific locations, regardless of whether attackers are actually targeting those points. Event data would indicate where real-world attackers do, in fact, focus their efforts, helping organizations to develop a more realistic, more effective, and less checklist-oriented approach to compliance. These factors were at work in the TJX breach, for example, where attackers focused on weaknesses in wireless network security (online source, as of November 2009), and were an issue in cases such as last year's Hannaford breach, which occurred after the victim organization had certified its compliance with the Payment Card Industry (PCI) Data Security Standard (online source, as of November 2009). The fact is simply that attackers will probe any appealing opportunity, given exploitable vulnerabilities and exposures and threat capabilities that are continuously evolving. Aligning SIEM with policy controls such as DLP thus brings greater realism to compliance with security-centric mandates, by informing policy controls with current data on actual threats, rather than focusing on an audit checklist.

When DLP systems are made aware of this information, they can apply policy in more effective ways. Consider, for example, a malware attack that targets the theft of sensitive information. An anti-virus or anti-malware solution may report evidence of malware, while a DLP system may trigger on an unauthorized attempt to export sensitive information outside the enterprise. In isolation, these two technologies may not recognize the relationship between these two events. Moreover, expertise in each isolated technology is required in order to recognize each event, which increases demands on resources. Correlation also depends entirely on human recognition in such a case, which is not always realistic in light of the sheer volume of activity in a typical environment. When anti-malware and DLP systems both integrate with SIEM, however, the SIEM platform can correlate these actions and identify that a malware outbreak is resulting in attempted information theft. This not only allows security teams to identify the issue more accurately, it may also enable them to respond faster. It also relieves the need for expertise in two different technology domains in order to recognize the nature of the attack, with correlation centralized on a single pane of glass at the SIEM.

Exploits may not have just one, but several ways in which an attacker can target vulnerabilities in the protection of sensitive information. Often, an attack may progress in a stepwise fashion, as the attacker gets closer to the goal. Phishing attacks and exploited Web sites (legitimate or not) may propagate malware that is used to steal credentials, which are then exploited for access to sensitive information. More subtle attacks may involve a reconnaissance phase in which an attacker assesses the environment for opportunities. SIEM can instrument any of these domains to detect anomalies. Recognition of anomalous activity or access at any step can trigger DLP controls that recognize and block efforts to exploit sensitive information at that point in an attack, providing multiple links at which the chain of events leading to a potential incident can be broken.

As security attacks have evolved, they have also become even more sophisticated, persistent, and difficult to eradicate once successful. A preventive approach can help organizations defend themselves more effectively against these more challenging threats. Without fine-tuning, however, preventive controls run the risk of interfering with legitimate access to essential information resources when needed. In order to be effective, preventive controls must adapt to authorized changes and recognize events that indicate an actual threat, reducing false positives as much as possible without risking exposure to false negatives that fail to recognize an actual threat. This requires the ability to correlate a range of event information in order to recognize as much as possible about the nature of an actual threat, particularly when the threat has several functionalities, is not yet well known, or flies under the radar of more straightforward detection. Here again, SIEM and DLP can complement each other, with SIEM providing more detailed and accurate information for fine-tuning preventive DLP controls.

As-yet unknown threats pose a particular problem, because their functionality is not yet recognized. What can be recognized, however, are the events that indicate a potential threat or anomaly meriting investigation. DLP can protect information until the threat is better understood. Once the nature of a specific threat is known, historical SIEM event data can be searched to find evidence of how and where the protection of sensitive information can be improved by the automated capabilities of DLP. Conversely, DLP data can be correlated with SIEM events to identify new efforts to exploit sensitive information, or can identify where and when additional SIEM information can provide more depth of detail regarding a threat, or be useful in incident response or forensic investigation.

Internal Threats: Containing Abuse of Access to Sensitive Information

Without coupling tools for protecting information with insight into actual high-risk behavior, organizations may have dangerously inadequate insight into exactly what sorts of threats they face. In a recent breach of confidentiality at a leading climate research institution in the U.K., for example, evidence suggests that an individual with access to sensitive documents may have exploited that access to transfer this information to a foreign site, in order to make potentially embarrassing documentation available to the public (online source, as of November 2009). Had this involved tangible assets at a financial institution or intellectual property at the heart of a business, the impact could be measured in financial terms. Blindness to high-risk interactions with information assets can leave organizations far more exposed than they may realize, as in the case of French bank Societe Generale, whose exposure of approximately €50 billion ($73 billion US; online source, as of November 2009) at the height of a 2008 scandal involving poorly monitored access to financial trading systems was more than the 2007 gross domestic product of the entire nation of oil-rich Qatar (US Department of State estimate, as of November 2009).

It is possible, however, to monitor high-risk activity in event management systems, often without the awareness of those involved, giving the organization greater insight into where information resources can be better defended. This information must, however, be coupled with response. According to the 2008 Verizon Business Data Breach Investigations Report, breach evidence was available to the victim organization in 82% of cases investigated, but this information was neither noticed nor acted upon (W. H. Baker, C. D. Hylender and J. A. Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008). Without correlation that identifies high-priority events, and the engagement of processes as well as technologies to respond to events and mitigate information risk, organizations may be more exposed than they know.

SIEM and DLP systems can work together to help close these gaps. Consider, for example, the case where an employee leaves an organization to join a competitor. The employee may seek to capture sensitive information such as intellectual property, customer records, or other information that could create serious issues for the organization if mishandled. Without the ability to monitor the resources accessed by this individual, the organization may have little or no idea how exposed it may be. Access reports may provide a first level of insight, but without correlation to the sensitivity of the information accessed, the organization cannot prioritize its awareness, and may waste precious time trying to determine the extent of its potential exposure. Nor does it know exactly what was done with the information at risk in such a case. Gathering this important information can become highly resource intensive, and may come too late to take appropriate action.

DLP and SIEM can work together not only to make this intelligence more efficient, but to automate its collection and unify it at the SIEM console. With DLP's identification of the most sensitive information resources, SIEM event monitoring can alert the SOC when DLP identifies high-risk information access, such as copying, altering, deleting, or transmitting sensitive information outside the enterprise or in violation of policy. SIEM also helps separate administrative control of sensitive information systems from event monitoring that may indicate a high-impact risk, while DLP tools can improve the granularity of events recognized by SIEM, as well as apply preventive controls against information abuse. This may be particularly valuable in scenarios where contractors or partners have a high degree of access to sensitive information resources. Developers who help the business create intellectual property may place the enterprise itself at risk if they seek to exploit their access to valuable work. Remote administration and support is another area that blurs the distinction between insiders and external personnel with highly sensitive access to information assets. Here too, SIEM event data can shine a light on potentially high-impact activities and automate the mitigation of business-threatening risks through DLP.

A More Intelligent Strategy

These examples highlight how DLP can help prevent potential abuse of authorized access to sensitive information assets and keep the organization aware of high-risk activity, while SIEM can not only sharpen preventive controls with more detailed activity information, but can also monitor this activity and trigger a more effective response to risk events.
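As an added illustration (not code from this paper or from RSA's products), the following Python sketch performs the two correlations the examples above describe over constructed log lines: an anti-malware detection paired with a DLP egress attempt on the same host within a short window, and a departing employee's file access prioritised by the sensitivity that DLP discovery assigned to each repository. The key=value log format, repository names, users, weights and threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DLP discovery results (data-at-rest scan): repository -> sensitivity.
DLP_DISCOVERY = {
    "/shares/finance/cardholder": "high",
    "/shares/eng/source": "high",
    "/shares/marketing/brochures": "low",
}
SENSITIVITY_WEIGHT = {"low": 1, "medium": 3, "high": 10, "unknown": 1}
# Actions that change or move data count double compared with a plain read.
HIGH_RISK_ACTIONS = {"file_copy", "file_modify", "file_delete"}
# Constructed HR feed of users with an announced departure.
DEPARTING_USERS = {"jdoe"}

# Constructed, normalised key=value log lines as a SIEM collector might emit them
# from three sources: anti-malware (av), the DLP gateway (dlp) and file-server auditing.
SAMPLE_LOGS = """\
ts=2009-11-03T09:00:12 src=av host=ws-117 user=asmith event=malware_detected name=Trojan.Generic
ts=2009-11-03T09:04:40 src=dlp host=ws-117 user=asmith event=egress_blocked dest=203.0.113.9 class=high
ts=2009-11-03T10:15:00 src=av host=ws-042 user=bkim event=malware_detected name=Adware.Foo
ts=2009-11-03T16:30:00 src=dlp host=ws-042 user=bkim event=egress_blocked dest=198.51.100.4 class=low
ts=2009-11-03T11:02:10 src=fileaudit host=fs01 user=jdoe event=file_read path=/shares/eng/source/core.c
ts=2009-11-03T11:02:55 src=fileaudit host=fs01 user=jdoe event=file_copy path=/shares/finance/cardholder/q3.csv
ts=2009-11-03T11:05:00 src=fileaudit host=fs01 user=jdoe event=file_read path=/shares/marketing/brochures/a.pdf
ts=2009-11-03T11:07:30 src=fileaudit host=fs01 user=asmith event=file_read path=/shares/eng/source/util.c
"""


def parse_events(text):
    """Parse key=value lines into dicts; the 'ts' field becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(tok.split("=", 1) for tok in line.split())
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate_malware_exfil(events, window=timedelta(minutes=30)):
    """Rule 1 (external threat): an anti-malware detection followed, on the same
    host and within `window`, by a DLP egress event. Either event alone is routine
    noise on its own console; together they indicate malware stealing data."""
    detections = [e for e in events if e["src"] == "av" and e["event"] == "malware_detected"]
    egress = [e for e in events if e["src"] == "dlp" and e["event"].startswith("egress")]
    incidents = []
    for a in detections:
        for d in egress:
            if d["host"] == a["host"] and timedelta(0) <= d["ts"] - a["ts"] <= window:
                incidents.append({
                    "host": a["host"], "user": d["user"], "malware": a["name"],
                    "dest": d["dest"],
                    # DLP's classification of the blocked content sets the severity.
                    "severity": "critical" if d["class"] == "high" else "high",
                })
    return incidents


def repository_of(path, discovery=DLP_DISCOVERY):
    """Map an accessed path to the longest DLP-discovered repository prefix."""
    matches = [r for r in discovery if path.startswith(r)]
    return max(matches, key=len) if matches else None


def score_user_access(events, discovery=DLP_DISCOVERY, departing=DEPARTING_USERS, threshold=25):
    """Rule 2 (internal threat): weight each file-access event by the DLP-discovered
    sensitivity of the repository it touched, so the access report is prioritised by
    what was touched rather than by raw volume. A user on the departure list who
    touches any high-sensitivity repository, or anyone over `threshold`, is alerted on."""
    report = defaultdict(lambda: {"score": 0, "high_repos": set(), "alert": False})
    for e in events:
        if e["src"] != "fileaudit":
            continue
        repo = repository_of(e["path"], discovery)
        label = discovery.get(repo, "unknown")
        weight = SENSITIVITY_WEIGHT[label]
        if e["event"] in HIGH_RISK_ACTIONS:
            weight *= 2
        entry = report[e["user"]]
        entry["score"] += weight
        if label == "high":
            entry["high_repos"].add(repo)
    for user, entry in report.items():
        entry["high_repos"] = sorted(entry["high_repos"])
        entry["alert"] = bool((user in departing and entry["high_repos"]) or entry["score"] >= threshold)
    return dict(report)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    for inc in correlate_malware_exfil(evts):
        print("MALWARE EXFIL:", inc)
    for user, entry in score_user_access(evts).items():
        print("ACCESS:", user, entry)
```

On the sample data the ws-042 pair stays silent because the egress event falls outside the window, while jdoe's copy from the cardholder repository outranks asmith's single read of source code despite both touching "high" repositories.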
DLP can also sharpen the extent to which SIEM can support information risk management, by focusing event monitoring on the information assets and repositories that DLP has discovered to be the enterprise's most important risk management priorities. By automating the discovery of information assets and recognizing their sensitivity, DLP can better focus visibility into high-impact SIEM events. By applying more detailed insight to the automation of information control, SIEM can help DLP do a more effective job of protecting the enterprise against its most significant information risks. Together, an approach that integrates SIEM and DLP can provide a single pane of glass for information risk operations management, centered on the SIEM console that centralizes information risk event monitoring and management, combining visibility with the automated discovery and policy application capabilities of DLP to give the organization better control over its most important information assets.

EMA Perspective

Unlike some other domains of IT or information management, information risk management is never static. Organizations can build toward objectives of improved control, but unless those objectives are themselves dynamic, the enterprise will always find itself behind the pace of threat evolution, regardless of whether those threats are internal, external, or a combination of both, as with business partners and contractors. The nature of sensitive information is constantly changing. It is in motion throughout the enterprise and beyond, and new ways to share and use information emerge constantly. The threat landscape is just as dynamic. The malicious will always seek new ways to circumvent defense. Even unintentional risk exposures may have a significant impact on the organization, as with lost media or portable systems. This means that effective information risk management must be continuously informed by the state of play in the real world, as it is today. The scope and scale of concern means that the advantages of automation, for discovery of assets at risk as well as for proactive and preventive risk mitigation, must be employed whenever they can make a difference.

These two pillars, visibility and control, are at the heart of a growing trend toward a better defined approach to IT and information governance. As breach incidents large and small continue to make headlines, regulators increasingly focus on the control of sensitive information. Organizations, meanwhile, are beginning to recognize that they will be highly challenged to get a handle on a coherent strategy unless they take a more systematic approach to the problem that makes the most of limited assets. This means the tools of defense must work effectively together, and those that provide the most significant support for a comprehensive strategy must be given high priority.

These are all reasons why DLP and SIEM seem made for each other. DLP is purpose-built to automate the challenge of finding and protecting sensitive information throughout the environment, informing an operational strategy centered on SIEM as the focus of risk monitoring and operations management. Together, these technologies centralize visibility and control and can provide strategy managers with the insight needed for the continuous improvement of their approach. As enterprises continue to mature a more consistent and comprehensive approach to IT governance and risk management, SIEM technology can be expected to maintain a place of pre-eminence as the focus of operations and visibility into real-world threats correlated to sensitive and often compliance-critical information resources.

As a leader in both SIEM and DLP technologies, RSA, the Security Division of EMC, is in a distinctive position to capitalize on these synergies. RSA has become a leading vendor of SIEM through the capabilities of its enVision product line for reducing the impact of SIEM adoption, with products that are readily deployed and straightforward to learn and use. The company's DLP technology is differentiated by its distinctive investment in technology for recognizing sensitive information based on techniques such as linguistic analysis, as well as by its capabilities for discovering sensitive information resources throughout the enterprise. Backed by additional assets for strong authentication and cryptographic data security, and the widely adopted information management products of EMC, RSA offers a strong set of capabilities that mutually support each other in a comprehensive information risk management strategy.

About RSA, The Security Division of EMC

RSA, the Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle, no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit the RSA and EMC web sites.

About Enterprise Management Associates, Inc.

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that specializes in going beyond the surface to provide deep insight across the full spectrum of IT management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise IT professionals and IT vendors on the EMA web site, or follow EMA on Twitter.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. EMA and Enterprise Management Associates are trademarks of Enterprise Management Associates, Inc. in the United States and other countries. EMA, ENTERPRISE MANAGEMENT ASSOCIATES, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 5777 Central Avenue, Suite 105, Boulder, CO
ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper
ADVANCED THREATS IN THE ENTERPRISE Finding an Evil in the Haystack with RSA ECAT White Paper With thousands of workstations and servers under management, most enterprises have no way to effectively make
IBM Security Intelligence Strategy
IBM Security Intelligence Strategy Delivering Insight with Agility October 17, 2014 Victor Margina Security Solutions Accent Electronic 12013 IBM Corporation We are in an era of continuous breaches Operational
RSA SIEM and DLP Infrastructure and Information Monitoring in One Solution
RSA SIEM and DLP Infrastructure and Information Monitoring in One Solution David Mateju RSA Sales Consultant, RSA CSE [email protected] Adding an information-centric view Infrastructure Information
Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice
Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Introduction There are numerous statistics published by security vendors, Government
Advanced Threats: The New World Order
Advanced Threats: The New World Order Gary Lau Technology Consulting Manager Greater China [email protected] 1 Agenda Change of Threat Landscape and Business Impact Case Sharing Korean Incidents EMC CIRC
PCI DSS READINESS AND RESPONSE
PCI DSS READINESS AND RESPONSE EMC Consulting Services offers a lifecycle approach to holistic, proactive PCI program management ESSENTIALS Partner with EMC Consulting for your PCI program management and
WHITE PAPER. BeyondTrust PowerBroker : Root Access Risk Control for the Enterprise
WHITE PAPER BeyondTrust PowerBroker : Root Access Risk Control for the Enterprise Table of Contents Abstract 3 Poor Controls on Privileged Access: IT Risk at its Most Fundamental 3 Commodity Controls are
Payment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
Three Asset Lifecycle Management Fundamentals for Optimizing Cloud and Hybrid Environments
Three Asset Lifecycle Management Fundamentals for Optimizing Cloud and Hybrid Environments An ENTERPRISE MANAGEMENT ASSOCIATES (EMA ) White Paper Prepared for BMC April 2011 IT & DATA MANAGEMENT RESEARCH,
The Benefits of an Integrated Approach to Security in the Cloud
The Benefits of an Integrated Approach to Security in the Cloud Judith Hurwitz President and CEO Marcia Kaufman COO and Principal Analyst Daniel Kirsch Senior Analyst Sponsored by IBM Introduction The
CyberArk Privileged Threat Analytics. Solution Brief
CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect
THE EVOLUTION OF SIEM
THE EVOLUTION OF SIEM WHY IT IS CRITICAL TO MOVE BEYOND LOGS Despite increasing investments in security, breaches are still occurring at an alarming rate. 43% Traditional SIEMs have not evolved to meet
IBM Security QRadar Vulnerability Manager
IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk
White paper. Creating an Effective Security Operations Function
White paper Creating an Effective Security Operations Function Awareness of security issues is fundamental to an effective policy. When we think of a security operations center (SOC), we often have an
CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT
CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information
Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements
A Forrester Consulting Thought Leadership Paper Commissioned By Oracle Formulate A Database Security Strategy To Ensure Investments Will Actually Prevent Data Breaches And Satisfy Regulatory Requirements
Consolidating IT Infrastructure Management: Unifying Data Center Hardware and Software Administration
Consolidating IT Infrastructure Management: Unifying Data Center Hardware and Software Administration An ENTERPRISE MANAGEMENT ASSOCIATES (EMA ) White Paper Prepared for Emerson Network Power October 2014
10 Building Blocks for Securing File Data
hite Paper 10 Building Blocks for Securing File Data Introduction Securing file data has never been more important or more challenging for organizations. Files dominate the data center, with analyst firm
defending against advanced persistent threats: strategies for a new era of attacks agility made possible
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
CONNECTING ACCESS GOVERNANCE AND PRIVILEGED ACCESS MANAGEMENT
CONNECTING ACCESS GOVERNANCE AND PRIVILEGED ACCESS MANAGEMENT ABSTRACT Identity and access governance should be deployed across all types of users associated with an organization -- not just regular users
Protect Your Business and Customers from Online Fraud
DATASHEET Protect Your Business and Customers from Online Fraud What s Inside 2 WebSafe 5 F5 Global Services 5 More Information Online services allow your company to have a global presence and to conveniently
Privilege Gone Wild: The State of Privileged Account Management in 2015
Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...
Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform
Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Solution Brief Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Finding
Optimizing Network Vulnerability
SOLUTION BRIEF Adding Real-World Exposure Awareness to Vulnerability and Risk Management Optimizing Network Vulnerability Management Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965
ALERT LOGIC FOR HIPAA COMPLIANCE
SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare
IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE
IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE ABSTRACT Changing regulatory requirements, increased attack surfaces and a need to more efficiently deliver access to the business
Leveraging Network and Vulnerability metrics Using RedSeal
SOLUTION BRIEF Transforming IT Security Management Via Outcome-Oriented Metrics Leveraging Network and Vulnerability metrics Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965 Freedom
RSA Solution Brief RSA. Encryption and Key Management Suite. RSA Solution Brief
RSA Encryption and Key Management Suite The threat of experiencing a data breach has never been greater. According to the Identity Theft Resource Center, since the beginning of 2008, the personal information
BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT
BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT Rashmi Knowles RSA, The Security Division of EMC Session ID: Session Classification: SPO-W07 Intermediate APT1 maintained access to
Teradata and Protegrity High-Value Protection for High-Value Data
Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:
ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES
ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target
Defending Against Cyber Attacks with SessionLevel Network Security
Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive
Cisco SAFE: A Security Reference Architecture
Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed
QRadar SIEM and FireEye MPS Integration
QRadar SIEM and FireEye MPS Integration March 2014 1 IBM QRadar Security Intelligence Platform Providing actionable intelligence INTELLIGENT Correlation, analysis and massive data reduction AUTOMATED Driving
TECHNOLOGY PARTNER CERTIFICATION BENEFITS AND PROCESS
TECHNOLOGY PARTNER CERTIFICATION BENEFITS AND PROCESS BUSINESS BENEFITS Use of the Certified Partner seal and the Secured by RSA brand on product packaging and advertising Exposure in the Secured by RSA
Cisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
Managing IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
White Paper. Imperva Data Security and Compliance Lifecycle
White Paper Today s highly regulated business environment is forcing corporations to comply with a multitude of different regulatory mandates, including data governance, data protection and industry regulations.
Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions
Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions CORE Security +1 617.399-6980 [email protected] www.coresecurity.com blog.coresecurity.com Preempting
Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst
ESG Solution Showcase Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst Abstract: Information security practices are in the midst
Defending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
Trend Micro. Advanced Security Built for the Cloud
datasheet Trend Micro deep security as a service Advanced Security Built for the Cloud Organizations are embracing the economic and operational benefits of cloud computing, turning to leading cloud providers
Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown
Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available
Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team
Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................
Attack Intelligence: Why It Matters
Attack Intelligence: Why It Matters WHITE PAPER Core Security +1 617.399-6980 [email protected] www.coresecurity.com A Proactive Strategy Attacks against your organization are more prevalent than ever,
Breaking down silos of protection: An integrated approach to managing application security
IBM Software Thought Leadership White Paper October 2013 Breaking down silos of protection: An integrated approach to managing application security Protect your enterprise from the growing volume and velocity
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
Seven Things To Consider When Evaluating Privileged Account Security Solutions
Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?
HIGH-RISK USER MONITORING
HIGH-RISK USER MONITORING Using ArcSight IdentityView to Combat Insider Threats HP Enterprise Security Business Whitepaper Overview Security professionals once defended their networks against bots and
PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013
2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I D C A N A L Y S T C O N N E C T I O N
I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)
CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS
CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS PREPARING FOR ADVANCED CYBER THREATS Cyber attacks are evolving faster than organizations
Big Data Comes of Age: Shifting to a Real-time Data Platform
An ENTERPRISE MANAGEMENT ASSOCIATES (EMA ) White Paper Prepared for SAP April 2013 IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING Table of Contents Introduction... 1 Drivers of Change...
Breach Found. Did It Hurt?
ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many
Cisco Advanced Malware Protection for Endpoints
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES
POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response
Cisco Advanced Malware Protection for Endpoints
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
Bringing Enterprise-class Network Performance and Security Management Together using NetFlow
Bringing Enterprise-class Network Performance and Security Management Together using NetFlow An ENTERPRISE MANAGEMENT ASSOCIATES (EMA ) White Paper Prepared for Lancope November 2009 IT MANAGEMENT RESEARCH,
