$6.6M Security Incident
Posted: April 3, 2009 at 10:04 am | by Jim Pflaging
“In its study of 43 companies that suffered a data breach last year, the Ponemon Institute found the total cost of coping with the consequences rose to $6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006. The cost per compromised record in 2008 rose 2.5% over the year before to $20 per record according to the study.”
http://www.networkworld.com/news/2009/020209-data-breach.html
Pretty chilling data, isn’t it? Even more frightening is that the study goes on to say “88% of all the cases for 2008 were traced back to insider negligence”. It certainly brings back the old Pogo comic strip: “we have met the enemy and it is us”.
While eliminating negligence or fraud entirely is virtually impossible, detecting, investigating and responding to it quickly and effectively will lessen the impact. It’s almost cliché to point out that the focus for enterprise security has evolved from merely “keeping the bad guys out” to securing and monitoring the movement of critical data. Since insiders have legitimate access to your sensitive data, they represent a bigger and more difficult risk to security professionals. That’s why it’s no surprise that I hear, weekly, from security and IT executives that they’re looking for new approaches to get a 360° view of user activity.
How do you do it? First, set up baseline policies on information access and security, as well as the infrastructure technologies to support your critical data. Then, many organizations implement DLP, encryption, identity management, policy management, and other technologies. What’s next? Of course, a 360° view means you need to audit and review ALL the data. You can get started using a few different options. One tried and true way is to “check the box” and implement a log management or SIEM solution. There are many options out there and you’ll be fine in about 80% of the use cases regardless of who you choose. Most have dashboards, reports, and alerts that separate the “signal from noise” and let you react to events of interest.
Like many things in life, the problem is with the 20%. What happens when you need to add unusual or complex data sources to the mix? Here’s a clue: “it’s not pretty”. Count on a late night at the office if you need to add SAP data, a homegrown app, or that new McAfee product you just rolled into your environment. Adding a new data source often means sending data to a vendor Log Lab, incurring expensive professional services, or worse, hearing “we just can’t do it”. Security audit and investigation is highly dynamic, and with auditors constantly “raising the bar”, the tools need to be incredibly flexible and nail the “tough 20%”.
To achieve a true 360° view, make sure you can add these “tough 20%” issues in hours, not days or weeks. If you’re evaluating vendors, give them a mystery source and ask them to collect the data and integrate it into your reporting environment. Then, set your watch. The responses you see here will give a good indication of how you’ll feel after the product is implemented. Good upfront planning will result in incredible cost savings and easier, more complete security audits and investigations.
If you don’t have a 360° view of user activity, then you’re increasing the likelihood that the next $6.6M security incident you read about in the press might be at your firm.
Here’s my email address - jimp@sensage.com - please let me know your thoughts.
