How SIEM Software Can Enforce an Information Security Policy

by Serguei Tchesnokov [Published on 20 July 2016 / Last Updated on 20 July 2016]

Learn how a SIEM solution can enforce your information security policy by ensuring permanent visibility of users’ activities.

Introduction

Whichever efforts companies make to enforce security policies, the reality proves that even applying precise rules cannot guarantee protection against personnel’s negligence, causing security officers’ never-ending headache. The 2016 Cyberthreat Defense Report shows that low security awareness among employees is a number-one obstacle. At the same time, PwC’s study on the global state of information security says that employees themselves are the most cited source of incidents. And finally, IBM X-Force Research states that 15.5% of all attacks are carried out by inadvertent actors who cause serious security troubles even without realizing it.

Indeed, negligent violators are a kind of a delayed-action bomb, and ignoring them means exposing a company to repeated insider threats. As introducing a set of rules is not enough to ensure long-term corporate protection, we suggest you consider implementing a SIEM solution that will enforce information security policies and help to transform your company’s patchwork actions into a continuous security strategy.

Image
Figure 1

Spotting Violations of an Information Security Policy

Though SIEM solutions are usually implemented to guard companies against insider and outsider threats, they may also serve as useful tools to detect security policy violations. This way they enable security administrators to identify negligent users’ behavior and to sort out critical offenses that can lead to dramatic breaches.

By implementing a SIEM solution, security administrators get the opportunity to persistently register every user’s action against the established security policy by gathering real-time data throughout the entire network. For example, a leader of Gartner’s Magic Quadrant for Security Information and Event Management, IBM QRadar is able to consolidate log events and network flows, normalize and correlate raw data and deliver actual information on potential security policy violations (offenses).

If the pinpointed offense turns to be a real violation, a security administrator can drill down and investigate thoroughly who, when and how violated a certain security rule. By providing a constant visibility of compliance with a security policy, a SIEM solution allows to prioritize which offenses are most critical and can potentially leave the door open for subsequent external attacks.

Here we came up with the examples of possible security policy violations that can be revealed via a SIEM solution.

Unlocked screens

Such a basic security rule as locking a computer screen is still one of the most violated. Users keep forgetting to lock their computers and leave for a lunch at a canteen or go to a meeting. This banal story can actually end unhappily if during an employee’s absence sensitive data is stolen or a malicious virus is spread across the network in just the blink of an eye.

A SIEM solution can become a helpful tool on the way to identify unlocked screens and computer left unattended, as it’s able to gather logs from a perimeter access control and register users that left the building without having previously logged out of the system. A captured exit from the building that hadn’t been preceded by a system log out can be considered as a security policy violation.

Access to bad reputation IPs

Even the most reliable employees can unintentionally come across a site containing malware or viruses putting a corporate network at danger. It’s worse if an employee visits unsafe sites regularly. With no measures applied, this roulette game can continue until the network is finally infected. A great thing about adopting a SIEM solution is that it can store a list of potentially malicious IP addresses including malware hosts, spam sources, anonymous proxies etc. This way the system automatically gathers every case of connection to a dangerous resource.

Using QRadar and having license extension to use X-Force Threat Intelligence feed, system administrators are able to incorporate malicious IP addresses and URLs into correlation rules and identify any undesirable connection made by a user. Every policy violation that involves these addresses is automatically flagged and becomes available for further examination.

Sensitive data stored locally

Though usually provided with dedicated data storages, employees tend to disregard security and keep highly sensitive data locally right on their computers, which can end up with serious data leaks. The price of negligent data loss may not only deplete a corporate budget, but ruin a company’s reputation if clients’ personal information is at stake.

Here’s the example of SterlingBackcheck, the world’s biggest background checking services company that reported a stolen laptop with 100,000 records of personal data required for a background check, such as social security numbers and addresses, friends and associates, and other information allowing to identify a person.

By customizing a SIEM solution, a security administrator gets the opportunity to identify users storing confidential information on their personal devices through detecting specific keywords within file names (e.g. ‘agreement’, ‘confidential’, ‘report’, etc.) and their content by analyzing security audit events.

Recurring violations

With the help of a SIEM solution, security administrators are able to distinguish repeated cases and recognize chronic violations that can be easily overlooked in endless flows of scattered security events.

For example, adopting QRadar to monitor recurring violations, security administrators get the opportunity to monitor user sessions attributed with specific IPs for the defined period of time, which allows to sort out multiple security policy violations made by the same user. Moreover, with an Incident Forensics module deployed, it’s possible to investigate in details how exactly the policy violation occurred and find its root cause.

Reduced efforts, increased benefits

A SIEM solution enables C-level security executives to make their efforts on security policies enforcement more effective by:

Minimizing manual work. Manual collection and analysis of security data across firewalls, networks and applications is very unpractical and time-consuming, not to mention the attempts to discover repeated violations. SIEM solutions allow to substantially reduce efforts on gathering relevant information and detecting security policies violations as data processing is made automatically.

Saving critical time. By violating security policies, employees expose the entire company to a real danger. If a violation is not detected and isolated on time, it can lead to severe breaches, massive data leaks and as a result, considerable money losses. A SIEM solution allows for prompt and real-time monitoring of security policy violations, so that even minor deviations could be pinpointed and timely mitigated by a security department. 

Conclusion

Negligent insiders can become the source of significant breaches even without knowing about it. That’s why it’s crucial not only to introduce a strict security policy but also ensure a constant control of its fulfillment. The implementation of a SIEM solution for security policy enforcement can become the next advanced step that enables prompt detection of rule violations, which adds value to a security department’ efforts for ensuring the protection of their corporate environments.

By Serguei Tchesnokov, IBM certified Security Professional with a 9-year background in Security Information and Event Management (SIEM) and a 16-year work experience in Information Technology.

See Also


See Also