Opinion

Opinion: Protective monitoring the key to keeping public sector information private

by Ross Brewer, vice president and managing director, international markets, LogRhythm

When the US Military suffered a data leak regarding operations in Afghanistan in July last year, it resulted in dramatic headlines around the world. The leak came hot on the heels of a less high profile, yet equally serious, incident in the UK when a former MI6 IT worker was convicted of stealing more than 7,000 files while working at the headquarters of the Secret Intelligence Service.

If two of the world's most secure organisations, both of which have highly sophisticated technology at their disposal can become victims of a data breach, what hope do other public organisations have? Any data breach is serious, but in the public sector, where organisations typically hold sensitive information from children-at-risk lists to criminal records, a data leak could trigger a media frenzy, impact public safety and even incur a fine of up to £500,000 from the Information Commissioner's Office.

Information theft is nothing new, however the days of unscrupulous individuals having to physically print off reams of data and smuggle it out of the office when no-one was looking are long gone. 

Today, information is susceptible to more discreet methods of theft, for example, it can be emailed to an external account or loaded onto a removable storage device such as a memory stick or CD which is easy to conceal and remove from a building without anyone batting an yelid.

Unless such unauthorised activity is detected as it happens, data breaches will continue to occur and won't be discovered until long after the event, when the damage has already been done.  

The channel has a key part to play in helping public sector organisations cope with the ever-evolving security landscape as well as educating them about how new regulations will impact their security investments. For example, CESG, the UK Government's National Technical Authority for Information Assurance, has introduced the Good Practice Guide 13 (GPG 13) Protective Monitoring framework which stipulates that public sector organisations must continually monitor their IT systems in order to spot unwanted or unusual activity. It also prescribes how this can be done in the most efficient and effective manner.

Included among the GPG 13 recommendations is the need to monitor all ICT-related activity in real-time. It also prescribes that an organisation must be alerted on any irregular behaviour (for example, a user attempting to download an entire database) as soon as it happens.

But how can an organisation with already stretched resources monitor for such activity? Every IT related activity - from an individual tapping on a keyboard to a software program running in the background - creates a piece of log data. When pieced together, this log data provides a fingerprint of activity. However with millions of pieces of log data churned out on a daily basis, monitoring and reviewing this information to see what is going on can take days or even weeks - long after any dishonest or anomalous behaviour has taken place.

Channel players have an opportunity to reduce this compliance burden by offering public sector organisations a way to simplify and speed up this monitoring process, with solutions that automatically monitor and secure all activity logs, while also reporting and alerting on activities that warrant attention.  

Centralised logging and Security Information and Event Management (SIEM) solutions are ideal for these requirements and can also provide the added advantage of supporting regulations such as Payment Card Industry Data Security Standard (PCI DSS) and the Government Connect Secure Extranet Code of Connection (GCSX/ CoCo) which also insist organisations monitor and report on IT network activity.

These technologies add real value for resellers as they deliver  much more than just compliance. By monitoring activity across an organisation's entire infrastructure, they spot and thwart any kind of unauthorised activity regardless of whether it is related to specific regulatory requirements. This ability to pinpoint weakness and inefficiency is extremely valuable to channel partners, who can show their true strategic value by recommending complementary solutions to customers. It also means they can explore business opportunities with already compliant organisations, which want to apply best practice procedures across their whole infrastructures.

Cyber crime is always going to be a risk to organisations. However, by utilising technology that is capable of catching the perpetrators red-handed, immediate action can be taken to minimise the impact of - or even prevent - data breaches.

It is up to the channel to stress the critical role that Protective Monitoring plays in keeping networks safe and compliant, taking the legwork out of compliance and providing vital intelligence into the effectiveness of everyday IT operations. It shouldn't merely be seen as a regulatory tick in the box, instead it's the eyes and ears of the IT network - keeping an ever present vigil over unwanted behaviour.

This was first published in June 2011

Join the conversation Comment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.