From our experience there are two typical approaches to risk measurement: the manual, paperwork style (compliance XLS spreadsheets, forms and checklists for guiding standards such as ISO 27XXX, PCI, HIPAA, SOX, ITIL, COBIT, or even full audits) and the automated, technology-based measurement style. In other words, an audit can be done by people only, by technology only, or by a combination of both at the same time.
Organizations typically combine the two, because paperwork shows the theory while the interactions of technology, data and people show the reality, and we all know that theory needs a reality check. Besides, technology is usually several steps ahead of any compliance standard or framework. We sometimes describe an auditor's work as fighting the fog: auditors get involved with an organization when there is fog around; during the manual and paperwork exercise the fog disappears, and the auditor finishes the work, delivers risk assessments and results, advises on measures to implement, and leaves. And guess what: the fog starts creeping back in right after the auditor finishes the job, because these days technology risks change very quickly.
If we take ISO 27001, for instance, the scoring elements divide roughly 50/50 between administrative and technology controls, so at least half of what has to be measured could be done automatically: collect the events from all information technology elements in one place, correlate and analyze them for threats and risks, and then measure those against the business processes and, in particular, the systems, data and people those business processes depend on.
We have helped many organizations with our so-called "security intelligence" portfolio: SIEM (security information and event management), Risk Management and Forensics. We simply put in a box to which we forward any and all events generated by all systems, all devices and all users (logs, flows, DB audit data, information from all 7 layers) and analyze all of that for anomalies, risks, threats, and plain information. Putting such a box in place, by the way, takes no more than 1-2 days. The SIEM box holds a huge knowledge base and the ability to drill down and analyze what is going on, whether it should be going on at all, and whether it fits our internal risk measurement methodology; besides that, it does automatic ISO 27001 scoring. SIEM is a so-called post-exploit, reactive tool to analyze, detect, investigate and alert. Later we can add a second appliance, called Risk Manager, which is a preventive, pre-exploit technology connected to the SIEM and exchanging information with it in real time. There you can centrally set and monitor risk zones (data, people, processes, devices, etc.), set and monitor all settings, rights, configurations and vulnerability management (firewalls, IPSs, switches, routers, endpoints, any network or gateway security element, etc.), and even run simulations of different security risks: what if DDoS, what if data leakage, what if a major virus outbreak, and so on. This combination of technological tools gives the organization real-time, continuous and precise risk management, and security management and monitoring based on reality and real time. Risk Manager can even push new rules and signatures to firewalls, IPSs and switches (e.g. block, blacklist, kill) when the SIEM detects a threat related to the most important risk zone set in Risk Manager.
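To make the "forward everything to one box, correlate it, and weight it by risk zone" idea concrete, here is a small added example in Python. It is not code from the post or from any vendor product; the event formats, the asset-to-risk-zone mapping and the zone weights are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events from three sources (firewall, DB audit, endpoint AV),
# all forwarded to one place, as the post describes. Values are made up.
RAW_EVENTS = [
    "fw src=203.0.113.7 dst=10.0.5.20 action=deny port=1433",
    "fw src=203.0.113.7 dst=10.0.5.20 action=allow port=1433",
    "dbaudit host=10.0.5.20 user=svc_report stmt=SELECT_FROM_customers rows=250000",
    "endpoint host=10.0.5.20 event=av_alert name=generic.trojan",
    "endpoint host=10.0.9.3 event=av_alert name=generic.trojan",
]

# Risk zones as a Risk Manager component might define them: asset -> (zone, weight).
# Assumed mapping and weights; the customer database is the most important zone.
RISK_ZONES = {"10.0.5.20": ("customer-db", 5), "10.0.9.3": ("test-lab", 1)}

def parse(line):
    """Normalize one 'source key=value ...' line into a dict with a common 'asset' key."""
    source, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["source"] = source
    fields["asset"] = fields.get("dst") or fields.get("host")
    return fields

def correlate(lines):
    """Group events per asset, derive indicators, and score them by risk-zone weight.

    Returns a list of (asset, zone, sorted indicators, score), highest score first.
    """
    by_asset = defaultdict(list)
    for ev in map(parse, lines):
        by_asset[ev["asset"]].append(ev)
    findings = []
    for asset, events in by_asset.items():
        zone, weight = RISK_ZONES.get(asset, ("unclassified", 1))
        indicators = set()
        for ev in events:
            # External connection allowed to the SQL Server port.
            if ev["source"] == "fw" and ev.get("action") == "allow" and ev.get("port") == "1433":
                indicators.add("external-db-access")
            # Unusually large read from the database audit trail.
            if ev["source"] == "dbaudit" and int(ev.get("rows", 0)) > 100000:
                indicators.add("bulk-read")
            # Endpoint anti-malware alert on the same host.
            if ev["source"] == "endpoint" and ev.get("event") == "av_alert":
                indicators.add("malware")
        score = weight * len(indicators)  # the same evidence matters more in a hot zone
        findings.append((asset, zone, sorted(indicators), score))
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for asset, zone, inds, score in correlate(RAW_EVENTS):
        print(f"{asset:12} {zone:14} score={score:3} {', '.join(inds)}")
```

The same malware alert scores 1 on the lab host but contributes to a 15 on the customer database, which is the kind of zone-aware prioritization that lets the SIEM alert (and Risk Manager react) on what actually matters.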
Of course it takes some investment up front until this technology is implemented and working, but the ROI from automated risk management is immediate. Of course, external security auditors are not very happy in such cases, because the number of man-days they are required for drops dramatically.
Testing the SIEM box is free. You could take a chance and go for it: in 2-3 weeks you would have a detailed reality check as base data for your risk management measurements.