EDITOR’S NOTE & NEWS UPDATE
Because of the new Computer Crime Act and computer threats, most organizations have begun to take an interest in log management. However, these organizations should acquire best practices for log management. Many factors should be considered, including cost management, effectiveness in complying with the Act and other regulations, risk management, forensics, data retention, and information system management. The 3rd issue of the Bay Newsletter presents the essentials of implementing a log management system. Every organization must comply with the Computer Crime Act; it may also choose to conform to other additional regulations to raise the organizational standard so that it is recognized by both domestic and international partners. The standard that we discuss in this issue is ISO 27001:2005, which is an information security management system standard. The Bay Newsletter will be covering this standard in the following issues. We sincerely hope that you can benefit from this information and would like to thank you for your continued support of our newsletters.

Nida Tangwongsiri, General Manager
NEWS UPDATE

01 Lumension 360 Security Summit

Lumension Security held the Lumension 360° Security Seminar in Scottsdale, Arizona on March 3rd-5th, 2008, where a number of security professionals came together and shared their technology experiences and visions. Khun Avirut Liangsiri, Bay Computing's Enterprise Solution Manager, also participated in the event; he shared his own experience and learned about the latest security management technologies as well as the latest developments in threat prevention.

02 Bay's New Office

To better support the growing number of customers, Bay Computing moved to a new office last April, only a few steps away from the previous location on the same floor (18th Floor). The new office has modern decoration and is spacious, as we build up bigger teams and provide more service integrations to customers.

03 IPScan

Recently, Viascope has appointed Bay Computing as an official distributor for its IP management solution, IPScan. With this solution, Bay Computing can provide security services for internal organizational use as a complete package.

2 l Bay Computing Newsletter l 3rd Issue
SUCCESS STORY

RSA enVision is the solution

Preuksa Real Estate is a large real estate company that sells single houses, townhouses and condominiums in Bangkok and the metropolitan area. The company was established in 1993. Currently, Preuksa Real Estate has around 70-80 projects on the property market, sold under well-known brands such as Passorn, The Plan and Preuksa Village (single-family home communities); Ban Preuksa and The Connect (townhouses); and The Seed and Ivy (condominiums). Aside from the housing projects, the company also has a concrete factory in Pathumthani. All of the computer networks at these locations are linked via leased lines and connect to the head office for information sharing. However, with this architecture, network usage control and security can be difficult to manage. Since the company has quite a large network and a number of remote sites, Preuksa Real Estate decided to use the traffic data logs that the company routinely stores, as required by the Computer Crime Act B.E. 2550, for internal network management. It is a solution that allows the company to identify unusual events, gain insight into the computer network and respond to them properly. This creates the greatest benefit for the company. To collect logs, Preuksa selected Bay Computing's Security Information and Event Management (SIEM) solution.

Khun Somchai Watanasaowapak, Vice President, IT, for Preuksa Real Estate, explained the original reasons why the company considered a SIEM solution. He advised that, "The budget was allocated based on two main concerns. Firstly, we need to get a log management solution in order to comply with the Computer Crime Act. Secondly, we need to have a tool that detects unusual events within our company's network. This cannot be done manually, since we are a large organization. These are the reasons why we need a solution that can help us comply with the Act. On top of that, the appliance features allow us to manage our internal network, including unusual event notification as well as email and internet management."

Preuksa Real Estate considered 4 criteria to select the suitable solution: (1) Functionality - solution capabilities and features; (2) Product Stability - the solution must be reliable, continuously developed and backed by a long-term R&D plan; (3) Experience - vendor experience; (4) Pricing - the solution must be cost effective. Eventually, Preuksa selected the RSA enVision ES 560 solution and Bay Computing as the provider. Khun Somchai gave the reasons for the selection. He said,

"In terms of functionality, the solution fulfilled the minimum requirement: it helps us complete the legal requirements as stated in the Act and can also identify email senders or messages posted publicly. Once a proxy server is in place, we can track inappropriate use of the internet and enable users to use the internet more effectively and quickly. Besides these requirements, the solution can track updated information to prevent missing data. Preuksa is a large organization and has a large network and shared data access. If information goes missing, it will create huge damage for us. In addition, Preuksa does not allow our employees to disclose company data. With RSA enVision, it can help us detect who violates the rules."

"Aside from product stability and the pricing factor, we also took into account that professional service is significant. The reason why we chose Bay Computing was because they had assisted us in implementing the IT infrastructure in our head office building before. We trust their work quality, services and expertise."

Future Growth

Many organizations retain traffic data logs to address the requirements of the Computer Crime Act B.E. 2550. Preuksa also uses this data to analyze the internal network system. Khun Somchai advised that "Before implementing RSA enVision, we had to manually check for unusual events. We lost time investigating and spent a great deal of money hiring outsourced help, not to mention that we also lost revenue and credibility. The company's reputation is invaluable; once a problem occurs, it costs us uncountable losses. Therefore, comparing the system installation cost to the cost of manual investigation, the new system is worth investing in."

However, one of the criteria for selecting the solution was its capability to support future growth. "We had to make a careful decision from the beginning, because if the chosen solution cannot grow with our business, it has to be replaced later, which is a big matter. RSA enVision can grow with our business by just adding to the number of licenses. This makes it a worthwhile long-term investment. Currently, our business generates revenue of 20 billion baht, and at the end of this year we will expand our projects across the country as well as into India and Vietnam. Our company goal is to become number one in the real estate business in Thailand. The chosen solution must be able to support us when we expand our system to those locations," Khun Somchai explained.

Event Explorer: RSA enVision's Event Explorer enables Preuksa Real Estate to examine security incidents and events easily.
Related code of law

RSA enVision is a log management solution with Security Information and Event Management (SIEM)* built in, suitable for organizations that have to conform to the Computer Crime Act B.E. 2550 (2007) and want to analyze log data for event notification. RSA enVision is a solution that can satisfy the requirements of the Act in the following sections:

Section 26 - Must store the data for at least ninety days, up to 1 year.

Section 27 - Must comply with the instructions of the court or the relevant competent official.

Furthermore, enVision can satisfy the specifications issued by the MICT regarding the retention of traffic data logs, which are:

Topic 8 (1), (2) - the traffic data log must be retained on a centralized log server.

Topic 8 (4) - a user identification mechanism must be in place. Preuksa has implemented a proxy server to identify internet users and uses Microsoft Active Directory to authenticate user identities. RSA enVision then collects the user identification logs.

*Security Information and Event Management (SIEM) is the latest technology that uses SIM to retain, analyze and manage log data to create the highest benefits. You can learn more about SIEM in the 2nd Issue of Bay's Newsletter (March - May 2008).
COVER STORY

Log Management Best Practice, Part I

The current regulatory environment and threat landscape make it essential that organizations worldwide become much more strategic about log management. Logs provide a way to monitor systems and keep a record of security events, information access and user activities.

Log management is no longer just about correlation analysis in order to detect threats in real time and reduce false positives, or about generating the right reports to meet compliance requirements, although both of these are important and becoming more critical. As such, developing best practices in log management is an essential component of an enlightened IT strategy. By establishing best practices in log management, information executives can deliver tremendous value to an enterprise or government agency by avoiding costs and increasing efficiencies in areas such as compliance, risk management, legal, forensics, information storage and security operations. This article takes the next logical step and guides organizations in establishing the criteria for a log management infrastructure to help realize best practices and build a technology strategy for comprehensive security information and event management. This includes a focus on achieving an information lifecycle management strategy for log data.

The 3 keys for log management best practices are:

1. Using a Centrally-Managed, Dedicated Infrastructure
2. Laying the Foundation for Comprehensive Security Information and Event Management (SIEM)
3. Building an Infrastructure to Achieve an Information Lifecycle Management (ILM) Strategy

1. Using a Centrally-Managed, Dedicated Infrastructure

With a centrally-managed approach, it is also easier to achieve consistent and reliable log data storage. Otherwise, it is difficult to establish and enforce log retention policies: logs with little value from some sources may be stored while important records from other sources may not be stored at all. As well, if individual departments or stakeholders deploy their own storage, it becomes costly and complex to manage. A siloed approach results in inappropriate resource deployment, misused storage capacity, degraded performance, decreased availability of log information, and premature investments in yet more new storage subsystems. In terms of the type of storage resources, a centrally-managed approach best aligns with the use of shared storage versus dedicated storage. Often this means using networked storage systems. Networked storage systems provide for retention and retrieval of log data over a network, allowing users across the organization to have secure, role-based access to the shared storage devices containing the log data. Unlike directly-attached storage (e.g., a storage system dedicated to a server), networked storage systems deliver economies of scale through device consolidation, resulting in more storage capacity across the organization at a lower cost. Networked storage systems also facilitate centralized administration of storage devices and support heterogeneous computing environments (e.g., Windows and UNIX systems).

2. Laying the Foundation for Comprehensive Security Information and Event Management (SIEM)

Log (event) management is the foundation for comprehensive security information and event management (SIEM). At one time, many solutions were marketed either as security event management (SEM) systems, which focused on incident response applications, or security information management (SIM) systems, which focused on auditing applications. Today, an infrastructure for log (event) management should address both of these broad categories of applications: compliance and real-time monitoring. SIEM technology provides a platform for aggregating log and event data from across the organization for management, retention and analysis.

Many organizations begin with a need to improve log management to meet compliance and audit requirements but quickly realize that they have many other needs which can be met by using log or event data, such as detecting external or internal attacks and improving responsiveness. Log or event data is being recognized as a wealth of intelligence information. Pooling this information to be handled by a single infrastructure enables organizations to maximize the value of the data.

An optimal infrastructure should perform comprehensive log collection and management for the full range of use cases, including: real-time threat detection and mitigation; incident investigation and forensics; compliance with regulations and standards; capacity planning, performance and uptime; evidence for legal and human resources cases; detecting and preventing IP theft; auditing and enforcing employee productivity; troubleshooting system and network problems; and auditing and enforcing IT security policy.
3. Building an Infrastructure to Achieve an Information Lifecycle Management (ILM) Strategy

The increased volume of log data and longer retention periods create the need for the development of an information lifecycle management (ILM) strategy for log data. Through an ILM strategy, the organization aligns the business value and/or use model of the log data with the most appropriate and cost-effective storage mechanism. By looking at how the value and use of the information will change over time, organizations are empowered to deploy storage resources more effectively.

By combining security information and event management (SIEM) technology with tiered storage, organizations can build an infrastructure incorporating an ILM strategy. The marriage of SIEM and tiered storage matches the need for a centrally-managed, dedicated infrastructure, which can automate log and event management functions throughout the lifecycle of log (event) data and reduce the costs of security and compliance programs.

Tiered storage of log data also enables the implementation of best practices in log management. Log data should be stored based on the access requirements of the information, which include the stage of the data as described below. The stages of log data include:

Production data, which is being actively used for real-time analysis, on-going review, and periodic audits and assessments.

Backup data, which is a mirror image of the production data that may be needed in case the production data is compromised or damaged.

Active archive data, which is a sub-set of the production data that will be stored longer-term for record-keeping purposes based on regulatory, legal discovery and possible forensic requirements.

With tiered storage, data that requires frequent or ready access, such as production data, is stored on-line, while data not requiring such frequent or ready access, such as backup and active archive data, is stored near-line or offline. Well-designed tiered storage will optimize the use of storage resources, matching the required accessibility and the necessary capacity to the stage and age of the data. It will also allow secure role-based access to the log data for all stakeholders and secure deletion of the data when it is no longer required.

As part of an ILM strategy for log data, an organization will need to determine its retention period for production, backup and active archive data based on its own policies. One best practice suggests that an appropriate retention period for production data is a minimum of one year plus one quarter; for backup data, it is also a minimum of 15 months; and for active archive data, it is approximately 2-7+ years minimum.

In the next issue, we will talk about "Infrastructure Requirements".
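The tiered-storage stages and retention periods described in the cover story, worked as an added example (not the article's or Bay Computing's code): a small Python model that places each log record in the on-line, near-line or offline tier by its age and lifecycle stage, using the article's suggested minimums (production 15 months, backup 15 months, active archive up to 7 years) and the Act's section 26 floor of 90 days, and decides when secure deletion is permitted. The policy class, record fields, function names and the sample records are assumptions.

```python
"""Tiered-storage placement of log records under an ILM retention policy.

Constructed example: retention minimums and tier mapping follow the article;
the classes, function names and sample records are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Computer Crime Act B.E. 2550, section 26: traffic data kept at least 90 days.
STATUTORY_MIN_DAYS = 90


@dataclass(frozen=True)
class RetentionPolicy:
    """Minimum retention per lifecycle stage, as suggested in the article."""
    production_months: int = 15   # one year plus one quarter
    backup_months: int = 15       # mirror image of production
    archive_years: int = 7        # "2-7+ years"; 7 is the conservative choice


@dataclass(frozen=True)
class LogRecord:
    source: str                   # device or application that produced the log
    created: date                 # first day covered by this log segment
    legal_hold: bool = False      # needed for regulatory/legal/forensic record-keeping


@dataclass(frozen=True)
class Placement:
    stage: str                    # production | backup | active-archive | expired
    tiers: tuple                  # tiers that must hold a copy today
    deletable: bool               # secure deletion permitted today


def add_months(d: date, months: int) -> date:
    """Calendar month arithmetic that clamps the day to the target month's length."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    days_in_month = (date(year + month // 12, month % 12 + 1, 1) - date(year, month, 1)).days
    return date(year, month, min(d.day, days_in_month))


def place(rec: LogRecord, today: date, policy: RetentionPolicy = RetentionPolicy()) -> Placement:
    """Decide which tiers hold the record today and whether it may be wiped."""
    # The statutory minimum is a floor: a lax policy cannot shorten the
    # on-line production copy below 90 days.
    prod_until = max(add_months(rec.created, policy.production_months),
                     rec.created + timedelta(days=STATUTORY_MIN_DAYS))
    backup_until = add_months(rec.created, policy.backup_months)
    archive_until = add_months(rec.created, 12 * policy.archive_years)

    tiers = []
    if today < prod_until:
        tiers.append("on-line")       # production data: frequent, ready access
    if today < backup_until:
        tiers.append("near-line")     # backup data: mirror kept near-line
    if rec.legal_hold and today < archive_until:
        tiers.append("offline")       # active archive: long-term record-keeping

    if "on-line" in tiers:
        stage = "production"
    elif "near-line" in tiers:
        stage = "backup"
    elif "offline" in tiers:
        stage = "active-archive"
    else:
        stage = "expired"
    # Secure deletion only once no stage requires a copy any more.
    return Placement(stage, tuple(tiers), deletable=not tiers)


def plan_storage(records, today: date, policy: RetentionPolicy = RetentionPolicy()) -> dict:
    """Group record sources by the tier they occupy, plus those due for secure deletion."""
    plan = {"on-line": [], "near-line": [], "offline": [], "delete": []}
    for rec in records:
        p = place(rec, today, policy)
        for tier in p.tiers:
            plan[tier].append(rec.source)
        if p.deletable:
            plan["delete"].append(rec.source)
    return plan


# Constructed sample: four log segments of different ages, evaluated on 1 June 2008.
TODAY = date(2008, 6, 1)
SAMPLE = [
    LogRecord("proxy-01", date(2008, 5, 20)),                  # 12 days old
    LogRecord("fw-hq", date(2007, 1, 15), legal_hold=True),    # past 15 months, on hold
    LogRecord("ad-dc1", date(2006, 12, 1)),                     # past 15 months, no hold
    LogRecord("mail-gw", date(2000, 3, 1), legal_hold=True),   # hold expired after 7 years
]

if __name__ == "__main__":
    for tier, sources in plan_storage(SAMPLE, TODAY).items():
        print(f"{tier:9s} {sources}")
```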
SOLUTION UPDATE

Introduction to ISO 27001:2005

By Phakkhanat Phothongborwonphak, Senior Network and Security Engineer, Bay Computing Co., Ltd.

Recently, the Ministry of Information and Communication Technology (MICT) promulgated the Computer Crime Act B.E. 2550, effective on July 18, 2007. As a result of the released cyber law, many companies need to reorganize their computer systems or change their work processes in order to comply with the new Act. This Computer Crime Act is a standard that regulates the use of computer systems, including users, service providers and officials. Everybody is required to abide by the Act; otherwise they would be in violation of the law. It is time for IT people to look into their systems and pre-audit their own systems to protect against and reduce the risk of losing critical data. On top of that, a company can implement the international standard ISO 27001:2005, an information security management standard that will strengthen its information system security. Let me introduce the basic information about ISO 27001:2005 in this article as follows:

ISO 27001:2005, an information security management system standard

Before we dive into the details of the information security management system standard ISO 27001:2005, let's get to know the management organizations which collaborate on and regulate this well-known standard.

ISO and IEC

ISO is short for International Organization for Standardization; it was established in Geneva, Switzerland in 1947 to support international standards exchange. IEC is short for International Electrotechnical Commission; it was established in Geneva, Switzerland in 1906 to develop technology and electrical device standards. Both ISO and IEC are supported by "Member Bodies", which participate in the development of the standards with the technical groups. Thailand is also one of the Member Bodies.

ISO IEC 27001 vs. BS 7799-2

BS 7799-2 is an information security management system standard which laid the blueprint for ISO 27001:2005. At present, BS 7799-2 is no longer used. ISO 27001:2005 was first adopted on October 15, 2005 and was developed by ISO/IEC JTC 1, SC 27. JTC 1 stands for Joint Technical Committee 1, which is responsible for all types of information technology standards. SC 27 stands for Subcommittee 27, which is responsible for developing standards relating to IT security techniques.

Information Security

Information security consists of 3 principles:

Confidentiality - keeping critical and sensitive data safe and not allowing unauthorized access.
Integrity - the accuracy and completeness of information.
Availability - information is prompt and available when needed.

Introduction to ISO IEC 27001

ISO IEC 27001 Information Security Management System (ISMS) is a standard guideline that aims to standardize information security management system development, suitable for both sizable and small organizations. It helps organizations plan, assess, evaluate and protect information system security. ISO 27001:2005 specifies the set of information security requirements in topics 4-8.

In addition to topics 4-8, ISO 27001:2005 contains Annex A, which consists of control objectives and a list of controls. Annex A is precisely aligned with ISO 27002 (17799:2005), which is a manual of implementation guidance and other information for an information security management system.

To receive an ISO 27001:2005 certificate, the information system will be audited to ensure that it meets the requirements. The organization will need to comply with topics 4-8 of the standard and then submit a request to the "Certification Body", whose auditors will visit the site and check. However, the complexity of the information security management system depends on:

Organization structure and size.
Organization requirements and objectives.
Necessary steps that each organization needs to take to achieve information security.
The organization's business operations.

Benefits of ISO 27001:2005

The benefits of implementing the information security management system standard ISO 27001:2005 in your organization are:

Competitive Advantages.
Interoperability - improved and facilitated work processes when coordinating with partners, as the procedures are more articulate.
Assurance - increased trust from management in system quality and department operations.
Due Diligence - assessing employee and department performance.
Benchmarking - a method of assessing employees' salary increments and promotions.
Awareness - making employees understand and realize the importance of information system security.
Alignment - guiding and checking the controls used for information system security protection.

ISO 27001:2005 Family of Standards

The ISO 27001:2005 family consists of:

ISO 27001 - Audit Requirements
ISO 27002 - Code of Practice (ISO 17799:2005)
ISO 27003 - Implementation Guidance
ISO 27004 - Measurement
ISO 27005 - Risk Management
BS 17799-3:2006 - Risk Management

Please note that the standards in bold are the ones that have already been adopted.

The PDCA Model

ISO 27001:2005 adopts the Plan-Do-Check-Act (PDCA) model for development. The details are as follows:

PLAN (Establish the ISMS) - formulating the information security policy, which consists of objectives and procedures regarding risk management and information system security adjustment. This must be aligned with the organization's objectives and policy.
DO (Implement, operate, and maintain your ISMS) - operating in accordance with the information system security policy, controls, processes and procedures.
CHECK (Monitor, measure, audit, and review your ISMS) - evaluating against the information system security policy and objectives, and producing reports for policy amendment.
ACT (Corrective and preventive actions and continually improve your ISMS) - proactively adjusting and eliminating mistakes according to the reports.