Log management as a tool against insider threats

Q: As an IT administrator, I’m often considering how to make the most of all security solutions that my organization needs to run smoothly, especially given the cost of compliance solutions. One item I’d like feedback on is how I can leverage the log-management product I’ve bought for compliance to protect the network against insider threats as well. If I have a log management solution in place, will that be sufficient to protect my sensitive data? What other best practices are there, and can you provide a few real-world examples?

A: Information security tools are often split into two categories – detective and preventive. The latter should help prevent attacks, as the name implies, while the former gives ways to monitor and find security events. Log management is a detective control only, so it is not sufficient on its own to protect sensitive data. You still need things like access controls and authentication to prevent unauthorized access and stop attacks. However, detective controls significantly enhance preventive controls because they warn of impending attacks (e.g., suspicious activity and surveillance) and alert you to attacks even when those attacks fail. Log management therefore has both direct and indirect applications that will help with compliance as well as insider attacks.

A direct method of log management usually involves collection of known logs into a centralized and secure space with long-term retention capabilities to satisfy requirements like “Secure and Central Log Collection” (PCI Requirement 10.5). Indirect methods can involve anything related to monitoring or auditing activities. This means everything from authentication and authorization to encryption to change management could benefit from log management. File Integrity Monitoring, for example (PCI Requirements 10.2.2, 10.5.5 and 11.5), depends on a log management back-end. Some may be surprised that virtually all encryption has a significant log-management component, but monitoring access and change related to keys and signatures is essential to good encryption management. Take, for example, an insider who modifies or replaces a key. Even the reverse can be important; a key that has not been rotated in a timely fashion (some rotations are meant to happen weekly) indicates a potential exposure or suspicious activity.

Best practices involve the following decisions in both planning and implementing your logging solution to meet compliance objectives:

1) Data should be normalized yet allow generation of daily summary reports for specific roles. This enables data centralization without loss of the ability to manage the details of the data at a localized and granular level. Normalization should be done with regard to long-term archiving and later review as well.

2) Specific security events should be flagged with real-time alerts, which are sent to incident responders. Compliance requirements have various terms such as “compromise,” “suspicious activity,” and “red flags,” but they all emphasize the need to both stop and document unauthorized access to sensitive data. Specific security events will depend on your business model and data, but the typical things to watch for are unusual changes to regular patterns. These often are considered evidence of fraud.

3) Make log management part of the business decision. When sensitive data is spread out, the cost of protecting it is much higher and the complexity of logging and monitoring also escalates. Is there a more efficient and therefore more secure approach to doing business? Will consolidating all the logs from various systems cost more than consolidating the systems to be logged?
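The three practices above, as an added example of the detective side (not code from the column or from any log-management product): constructed log lines in three source formats are normalized into one schema, rolled up into a per-role daily summary, checked against the key-change and off-hours events called out earlier, and scanned for keys left unrotated past a weekly interval. The user-to-role map, the custodian role, the key inventory and the 08:00-18:00 working window are assumptions.

```python
import json, re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample lines in three source formats (syslog-style key=value, CSV, JSON); made-up records.
RAW_LOGS = [
    "2008-05-20T02:14:05 hsm01 keymgr: user=jdoe action=replace object=/keys/pci-signing.pem result=ok",
    "2008-05-20T09:30:11,db01,jdoe,read,customers.table,ok",
    '{"ts":"2008-05-20T09:45:00","host":"app01","user":"asmith","action":"read","object":"customers.table","result":"ok"}',
    "2008-05-20T13:02:48 fim01 fim: user=root action=modify object=/etc/ssh/sshd_config result=ok",
]
ROLES = {"jdoe": "dba", "asmith": "support", "root": "sysadmin"}  # assumed user-to-role map
KEY_CUSTODIANS = {"sysadmin"}                                       # assumed: only role allowed to touch keys
KNOWN_KEYS = ["/keys/pci-signing.pem", "/keys/db-backup.pem"]      # assumed key inventory
KV_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<kv>.*)$")

def normalize(line):
    """Map one raw line onto the common schema: ts, host, user, action, object, result, role."""
    if line.startswith("{"):
        rec = json.loads(line)
    elif (m := KV_RE.match(line)):
        rec = dict(kv.split("=", 1) for kv in m["kv"].split())
        rec.update(ts=m["ts"], host=m["host"])
    else:
        rec = dict(zip(("ts", "host", "user", "action", "object", "result"), line.split(",")))
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["role"] = ROLES.get(rec["user"], "unknown")
    return rec

def daily_summary(events):
    """Per-day, per-role activity counts: the daily summary report reviewers read."""
    return Counter((e["ts"].date().isoformat(), e["role"], e["action"]) for e in events)
def flag_events(events):
    """Rules that should page a responder: key material touched by a non-custodian, and off-hours activity."""
    alerts = []
    for e in events:
        if e["object"].startswith("/keys/") and e["role"] not in KEY_CUSTODIANS:
            alerts.append(("key-change-by-noncustodian", e["user"], e["object"]))
        if not 8 <= e["ts"].hour < 18:  # outside the assumed 08:00-18:00 working window
            alerts.append(("off-hours-activity", e["user"], e["object"]))
    return alerts
def overdue_keys(events, now, max_age=timedelta(days=7)):
    """The reverse case: inventory keys with no replace/rotate event inside the policy window."""
    last = {}
    for e in events:
        if e["object"] in KNOWN_KEYS and e["action"] in ("replace", "rotate"):
            last[e["object"]] = max(last.get(e["object"], e["ts"]), e["ts"])
    return sorted(k for k in KNOWN_KEYS if k not in last or now - last[k] > max_age)
EVENTS = [normalize(line) for line in RAW_LOGS]
```

Run against the constructed lines, the summary shows one action per role per day, the key replacement by the DBA at 02:14 raises both alerts, and the backup key with no rotation event is reported as overdue.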

A log management solution can significantly enhance an environment in both prevention and detection of attacks, helping you both achieve compliance and protect the network against insider threats.

This appeared on Network World’s Insider Threat Opinion Column

Warning: Memorial Day Poem

JUNGLE TRACK SONG
by Mike Subritzky 1972
28th ANZUK Regiment

A tribute to Ross H and the men of Victor 1 Company RNZIR, Viet Nam

Where’s me fuckin’ rifle?
Where’s me fuckin’ pack?
Where’s me fuckin’ webbing?
and – where’s the fuckin’ track?

I’m sick of fuckin’ walkin’!
I’m sick of fuckin’ rain!
I’m sick of fuckin’ jungle bashing!
and – I’m doin’ it a-fuckin’-gain!

It’s full of fuckin’ noises!
It’s full of fuckin’ birds!
It’s full of fuckin’ snakes and shit!
and – it’s full of fuckin’ lurgs!

I hate the fuckin’ Army!
I hate the fuckin’ Camp!
I hate the fuckin’ RSM!
and – I hate this fuckin’ tramp!

Another fuckin’ contact!
Another fuckin’ war!
Another fuckin’ body count!
and – another fuckin’ score!

So – where’s me fuckin’ rifle?
me fuckin’ webbing too!
I’ve found me fuckin’ discharge docs!
and – I’M FUCKIN’ SHOOTIN’ THROUGH!

Source: New Zealand War Poetry

Rasberry Ants threaten Texas electronics

An article by the AP suggests that Texas border controls did not prevent a new ant from arriving by cargo ship. Now the Rasberry Ant (named after one of the first American exterminators to battle them) is showing an amazing resilience and a taste for electronics:

They have ruined pumps at sewage pumping stations, fouled computers and at least one homeowner’s gas meter, and caused fire alarms to malfunction. They have been spotted at NASA’s Johnson Space Center and close to Hobby Airport, though they haven’t caused any major problems there yet.

Exterminators say calls from frustrated homeowners and businesses are increasing because the ants – which are starting to emerge by the billions with the onset of the warm, humid season – appear to be resistant to over-the-counter ant killers.

“The population built up so high that typical ant controls simply did no good,” said Jason Meyers, an A&M doctoral student who is writing his dissertation on the one-eighth-inch-long ant.

It’s not enough just to kill the queen. Experts say each colony has multiple queens that have to be taken out.

At the same time, the ants aren’t taking the bait usually left out in traps, according to exterminators, who want the Environmental Protection Agency to loosen restrictions on the use of more powerful pesticides.

And when you do kill these ants, the survivors turn it to their advantage: They pile up the dead, sometimes using them as a bridge to cross safely over surfaces treated with pesticide.

One would think this natural evasion of chemicals might make people think twice before unleashing more pesticide, but I guess we will see. The EPA, Texas Department of Agriculture and A&M entomologists are apparently researching solutions. Perhaps the Bush administration instead should fly in and just declare “mission accomplished”.

$15 million LA camera system failing

PoliceOne says that a 60 percent success rate is far (20 percent) below expectations:

Los Angeles’ $15 million high-tech camera system designed to catch red-light runners let four in 10 violators off the hook last year because the drivers couldn’t be identified, according to police data.

In other words, the cameras are highlighting another control gap — 40% of drivers suspected of violating a traffic law also operate without proper registration:

Police say they have made progress in the past few months in finding the drivers and ticketing them. They also note that glare from windshields and license plates interferes with about 2 percent of the images.

But they emphasize it’s not the technology that is allowing violators to get away with running red lights. By far the biggest obstacle to ticketing violators, they say, has been outdated or unidentifiable car registrations.

Security metrics are funny that way. You might find 40% of your suspects are getting away because they are using bogus identities, but this is not just a 40% failure. Knowing that bogus identities are prevalent is far better than not knowing and so the system is actually performing an important detection role where none existed prior. This is not a positive spin as much as an example of surveillance systems giving better information about identity controls and weaknesses.