Five things you should be thinking about before someone tries to “break in” to your IT systems
It was 3:49 a.m. last Thursday. Car alarm was going nuts and my dog was wildly barking out on the lanai right next to my bedroom window. Just waking from a real deep sleep, I was unsure if it was my car or a neighbor’s then the familiar sound of my 2001 Ford Ranger horn had me up and out the door with dog leading the way as fast as my arthritic bones would let me.
I didn’t hear anything. Didn’t see anything. But my dog was pleading with a taut leash to go to the backyard. This was about the time I decided to let the professionals handle it and I called the county sheriff and two patrol cars arrived about two minutes later. Another minute or two after that, my neighbor across the street came out and said his alarm had also gone off.
The officer did his due diligence circling the house while the other unit circled the block looking for the perpetrator. No sign of footprints and no damage done. Officer Rodrigues told me I was the rare homeowner in my neighborhood that actually locked his car doors. You see we live in a gated community and most of my neighbors think that our vehicles are safe so they don’t lock them. Sergeant Rodrigues was quick to state how crazy he thought my neighbors were in leaving car doors and house doors unlocked. “They think we live in paradise, so they don’t lock their doors,” he added. “They’re just making it easy for someone to rip them off.”
This got me to thinking about IT security and how easy we make it for criminals to breach our systems and wreak havoc on our data. Sometimes we have the capability, but how careful are we being with the data? Are we locking our IT “doors?” Are we alerting when someone tries to break in? And how about a watchdog for virus detection that’s linked to our SIEM system? And what about footprints after someone tries to break in? Where’s the log data and how easy is it to access? And what are we doing with the log data? Patterns in the log data can alert us before a breach occurs: We call this event correlation. Are we correlating and sending alerts before a troublesome event occurs?
Here are five things you should be thinking about before someone tries to “break in” to your IT systems:
- Have a single repository for all of your log data. A single location to refer to for log data – regardless of platform, or new versus legacy systems – can save countless hours of searching for the data.
- Focus only on the data that is most relevant. We all work within very complex IT environments – thousands of devices, each sending data across Windows, UNIX, Linux, Mainframe, and mobile devices. The message logs number in the millions. Correlation can help you narrow down the number of messages you need to look at to alert you of a potential problem.
- Work with your SIEM vendor to understand what logs are most important to the security strategy of your business. Have a capable rules engine with an auto-ticketing system that can determine which security events are the highest priority to those goals.
- Your log management strategy must operate within the constraints of regulatory compliance standards that vary by industry and geography. You will need a thorough understanding of how compliant your SIEM vendors’ solutions are to keep your entire enterprise compliant.
- Chances are, you don’t have an army of IT security specialists to manage your SIEM system. Having a SIEM solution that is quick to deploy and doesn’t require an army to administer after it goes into production is a huge plus for the success of your IT security strategy.
Why make it easy for the criminal element to break into your IT systems? Chances are, you already have the tools to prevent a breach. Your success could merely be a matter of locking the doors and proactively managing the data. Much like the person who tried to break into my vehicle at 4 a.m. in the morning, the data thief comes under the cover of darkness – no footprints and little trace of them ever being there. You generally don’t see them until you come across something missing and by then it’s too late. You have already become a news headline for the wrong reason.