Spain Breaks Global Money Laundering Ring

Spanish authorities have arrested twenty people suspected of having facilitated an international money laundering operation through the sale of drugs. The investigation was initially launched in May 2008, when Police became suspicious over several substantial transfers of money to Colombia. Police reports suggest that the group was responsible for transferring in excess of 3 million euros during 2007 and 2008, which was sent from Spain to bank accounts in China, Panama, Venezuela and the United States and were eventually collated at a fake dentistry foundation in Colombia. The Police statement went on to say that the suspected ringleader of the Colombian network was detained by US police in Miami, whilst the remaining suspects were detained by Spanish police in raids carried out across Spain. At the same time, the Police confiscated 5 vehicles; 32 mobile telephones; a quantity of cocaine; 6 fake passports and other documentation.

How to Ensure That Your Risk Management Strategy is Complete

Many companies embark on their risk management strategies from a single perspective, and do little more than put automated tools in place that will monitor activities for patterns and trends, and alert appropriate personnel when an abnormal or out of the ordinary event occurs. 

However, risk management is not nearly that simple.  Related strategies are complex and multi-faceted.  Even the slightest oversight can put sensitive or confidential data in jeopardy – and result in stiff monetary penalties or negative impact to the company’s image and reputation.  So, in order to ensure optimum security of their IT infrastructure, organizations must make their risk management initiatives as comprehensive as possible. 

A truly complete risk management strategy must include the following steps:

• Risk assessment.  Identify all probable threats, and prioritize them based on their likelihood and their potential impact.
• Asset audit.  Build a list of all information assets, including databases, applications, files, and other sources that contain data that may subject to breach.  Carefully evaluate each, and assess their vulnerability to an attack.
• Process definition. Create and document the procedures for the ongoing monitoring and analysis of all software, hardware, and virtual information assets.  These defined activities must be readily accessible to and clearly understandable by all key stakeholders.  They must also be strictly enforced, with specific penalties outlined for those who put information at risk by failing to adhere to written guidelines. 
• Tool selection.  Determine what types of technology solutions may be needed, and evaluate and select a suite of automated tools to assist in the monitoring and alerting process. 
• Incident response.  Define step-by-step workflows for responding to and investigating (when needed) a potential breach.  This must not only include a list of all required tasks and activities, but rigid timelines for executing them. 
• Assignment of resources.  Determine who will be responsible for the various aspects of risk management, and clearly highlight the roles and responsibilities of each key stakeholder.  Be sure to define a chain of command, as well as a contingency or succession plan to minimize disruption to risk management when assigned resources are unavailable, or when they leave the company. 

The last, and perhaps most important, step is ongoing enhancement.  Continuously test and evaluate the various components of the strategy, including tools and technologies being utilized, and make refinements as needed.  This is particularly important after the detection of a breach event, when a post-response de-brief can help facilitate the creation of best practices (for those processes that proved to be effective) and result in lessons learned (for those procedures that did not work). 

Leveraging the NIST Framework for Effective Risk Management

Risk management has become a key priority for many companies.  Yet, few really understand what a comprehensive risk management strategy entails, or how to effectively implement one across their entire enterprise. 

That’s why many businesses are turning to the National Institute of Standards and Technology (NIST) for guidance.  NIST has designed a methodology for implementing comprehensive and consistent risk management guidelines and processes throughout the federal government.  The goal is to maximize protection of classified information contained within IT systems and services by ensuring that common tools, solutions, and procedures are deployed and utilized among all agencies.  At the same time, the NIST methodology strives to create a secure technology environment, without hindering the needed information sharing between federal, state, and local offices. 

Because it is so comprehensive, corporations are seeking to leverage this framework for their own risk management purposes.  For example, the NIST approach has already taken into consideration all the factors that have put information systems at greater risk than ever before, including:

• The growing complexity of IT architectures
• The increased sophistication of cyber criminals
• The rising number of “virtual” assets that need to be protected
• The need to balance security with real-time collaboration and data access and sharing requirements

Additionally, the NIST technique utilizes a phased approach to risk management that can act as a guide to other companies, helping them take the needed steps to implement true, enterprise-wide risk management, such as:

• Defining and measure existing risks
• Prioritizing threats based on likelihood, extend of potential damage, and acceptability
• Identifying those staff members who will be responsible for risk management, and outlining their roles
• Selecting, purchasing, and deploying the needed tools
• Configuring all systems, databases, and services for maximum protection
• Setting, documenting and enforcing security monitoring procedures
• Creating response processes to be executed in the event of a breach
• Conducting ongoing auditing and analysis of current procedures, and continuous refinement as needed

And, because NIST created their recommendations to address broad, nationwide security requirements, as well as the needs of various individual federal agencies, they offer maximum flexibility.  This is particularly important for large, global organizations that need to standardize its risk management activities, while allowing each department, office, or business unit to adjust techniques as needed to satisfy unique security requirements. 

Risk management initiatives require a tremendous amount of time and resources.  So, instead of starting from scratch, companies should look to NIST, and use their existing framework as the basis for their projects.  This will accelerate the development and implementation of risk management strategies, while ensuring success through the use of proven techniques and methodologies.

Real-Time Correlation: What It Is and How It Can Enhance Security

As organizations begin to place a greater emphasis on the development and implementation of broad-reaching IT security strategies, they are receiving a rapidly increasing number of alerts from the various technologies and devices they have deployed.   As a result, they faced with the challenge of effectively managing, prioritizing, and responding to them. 

Real-time correlation is an emerging technique that takes the raw data generated by potential security events, and transforms it into information that is easy to interpret, and more importantly – actionable. 

Most security management tools and methodologies trigger alerts based on specific actions taken by system users.  However, they don’t necessarily interpret what those activities mean, and whether or not they require an immediate investigation.  That responsibility lies with systems administrators and others who oversee IT protection. 

Additionally, the disparate activities that make up breaches – and the data that they generate – are often spread out over numerous applications and devices, making them more difficult to detect.  Therefore, stakeholders must manually sift through multiple logs, and analyze the related event information to make sense of it all.  

On the other hand, real-time correlation extends the capabilities of “point” systems, using a sophisticated algorithm that consolidates security data from various solutions, mines it for sequential patterns, and generates intelligence about the safety status of the entire network.  It dynamically identifies vital trends in cryptic security event information, and leverages built-in rules to instantly translate those trends into something meaningful and useful.  As a result, it can help detect and pinpoint the root cause of attacks in progress, and anticipate the next steps in multi-stage attacks.   

What are the primary benefits of this approach? With real-time correlation, companies can:

• Obtain a more comprehensive and holistic security status across an entire infrastructure
• Accelerate the discovery of security breaches in progress
• Reduce the time to respond to attacks by more rapidly initiating countermeasures or launching investigations
• More effectively identify and react to multi-phase or multi-prong attacks
• Minimize the number of false positive alerts

As hackers and other cyber-criminals become smarter, and acquire the knowledge and skills needed to divert traditional security management solutions, the attacks they launch will become more sophisticated and harder to expose.  Therefore, the need for real-time event correlation will become more and more critical in order for companies to mitigate all potential risks, and maintain full protection across their network from end to end.

Alerts: Avoiding False Positives

Every day, security analysts and the other professionals responsible for infrastructure monitoring and protection receive a series of alerts from the various hardware and software components that make up their technology architecture.  The key challenge lies in prioritizing these alerts, and determining which ones require immediate attention. 

 

False positives, incidents where security alerts are triggered even though no breach event has actually occurred, are becoming more and more common.  Many intrusion detection systems are designed to uncover even the slightest unauthorized activity, looking not just for actual intrusions, but for any possible intrusion.  As a result, they are often configured in such a way that a high number of false positives are also generated in addition to valid alerts.  These can cost companies a tremendous amount of time and money, and distract incident responders from those alerts that really do require further investigation. 

 

However, industry experts recommend several ways to reduce the number of false positives.  These suggestions include:

 

Fine-tuning systems

Many security systems are, by default, extremely sensitive.  But, their configurations can often be easily adjusted, to allow for more rigid definition of the criteria and thresholds that will trigger an alert.  Begin by reviewing past audit logs to identify those actions that most often result in false positives, and set system controls to ignore those activities.   

 

Using intelligent event correlation

Many experts believe that the future of enterprise security monitoring lies in event correlation, the ability for systems to leverage human-type intelligence to more effectively weed out false positives.  For example, multiple failed logins alone may not be enough to warrant a full-blown investigation.  Many of the more advanced systems will be able to dynamically perform further analysis and gather additional evidence, such as determining which IP address the logins were attempted from, before triggering an alert. 

 

Applying visualization techniques

 

A study conducted by the Department of Computer Science at the University of Virginia suggests that – particularly in massive data sets – the textual relaying of suspicious activity data alone can create an unacceptable number of false positives.  The report goes on to claim that by allowing system administrators and security analysts to visually analyze the same information using sophisticated graphics, it will be easier for them to identify the activity that represents low or no threat, and allow for faster detection of true malfunctions and breaches.  

 

Conducting more in-depth training

While false alarms cannot be eliminated completely, they can be more rapidly dismissed.  By training incident response teams to better tell the difference between a real alert and a false one, companies can avoid wasting precious staff time and incurring unnecessary expenditures.

How Early Breach Detection Can Prevent Major Losses

Sometimes, attempted incidents of fraud are unavoidable, no matter how hard a company tries to prohibit them.  In the past, before significant advances in technology, companies had little choice but to simply react to suspicious events long after they occurred.  But today, many experts believe that businesses have the tools at their disposal to take a more proactive approach to risk management.

It’s no secret that early detection can mean the difference between a minimal disturbance and a major disaster.  The sooner fraud is caught and stopped, the less damage a company is likely to experience.  For example, in the mid-1990’s, a trader at

Japan’s Sumitomo Trading Company perpetrated over $2.6 billion worth of fraud.  The offenses were committed over the course of a decade and a half, but had the activity been detected in the first year, losses could have been as little at $400,000.  

This is a particularly important when viewed from the perspective of a recent report issued by the Rollins Center for eBusiness, which claims that $1 in fraud-related expenses reduces net income by the same amount.  And because organizations have average profit margins of ten to twenty percent, additional revenue of five to ten times the amount of the fraud must be generated in order to restore net income to its pre-fraud level.

 

By identifying and diverting a potential breach in the earliest stages, companies can preserve the integrity of the data they manage, maintain profitability, save their reputation, protect their clients, and learn valuable lessons for the future.

 

But, according to a recent PriceWaterhouseCoopers survey, only about five percent of fraud and other white collar crimes are detected by active risk management strategies.

 

It’s obvious that early detection is critical.  But, what are some of the most effective methods, and how do they work?

• Behavior pattern analysis.  In order to immediately uncover an “out of the ordinary” action, you’ll first need to understand what constitutes “normal” activity.  By analyzing historical data to determine how authorized system users typically access information and perform transactions, companies can make suspicious activity clearer and easier to detect. 
• Identification of potential types of fraud and their symptoms.  When you know what you’re looking for, it’s easier to find.  Many companies have called in third party fraud consultants, who outline the types of events that are most likely to happen and what sequence of activities usually leads up to them.  This helps companies anticipate what may take place in the early stages of a breach, so they can begin their investigations and take corrective action much earlier. 
• Scoring.  Suspicious events need to be prioritized, in order to ensure optimum efficiency and effectiveness in investigations.  By scoring out of the ordinary activity based on its likelihood to lead to fraud, companies can allocate resources accordingly.  
• Real-time alerts.  Putting a “chain of command” into place, and implementing a software system that will automatically notify these key staff members when abnormal activity takes place will ensure the most rapid response possible, and enable the start of an immediate investigation if deemed necessary.

The Most Effective Incident Response Techniques

Many companies consider their log management strategy and related systems and techniques to be the most important weapon in their fight against fraud.  But, implementing IT auditing measures through the use of log management is just the first step.  In order to most effectively combat fraud, companies must have the proper procedures in place for handling incidents once they occur.  The speed and accuracy with which an organization responds can mean the difference between losses that are minimal, and those that are significant. 

 

What are some of the best ways to ensure swift, comprehensive incident response? 

 

Assemble a team

Companies who designate specific staff members – in advance – to address incidents once they are detected will experience less confusion and delay.  By clearly outlining who is responsible for what operational, decision-making, and investigative tasks, you can dramatically accelerate your incident response and resolution times.   

 

Document policies

Once everyone knows what they are responsible for in the case of a security event, they then need guidelines as to how assigned tasks should be carried out.  Formal, fully document response procedures will ensure that all actions taken are decisive, correct, and effective so losses can be contained as quickly as possible. 

 

Consult with external parties immediately

Many companies make the mistake of contacting their legal counsel or local law enforcement agencies after the investigation has been completed.  However, it is best to involve them in your evidence-gathering as soon as an incident occurs, since they can look at supporting data in an unbiased and experienced manner. 

 

Utilize live response

The size and complexity of today’s technology architectures, combined with the increasing volume of malicious activity, have made it more difficult than ever to gather forensic evidence when a breach takes place.  However, there are now tools on the market that allow for “live response” – the collection and analysis of system memory.  This approach not only minimizes any impact on system performance during the evidence gathering process, it allows investigators to more rapidly examine data to find the supporting data they need. 

 

Conduct ongoing assessments

Each time an incident occurs, have your team gather afterwards to discuss what areas of your incident response policy worked, and which ones didn’t. This will allow for ongoing learning and continuous enhancement, so policies can refined to be as effective as possible. 

 

Be proactive

Of course, the best defense against fraud is to proactively prevent it.  By analyzing log data in great detail to gain a full understanding of the patterns and trends that represent “normal” activity, companies can instantly uncover the peculiar or out-of-the-ordinary actions that lead up to a security event.  Therefore, they can detect and stop breaches before they happen – instead of simply reacting to them once they have already occurred. 

Appliance-Based vs. Software-Based Log Management: Which is Better?

When it comes to log management few can agree – which is better, the appliance-based approach, or software-based solutions? 

 

Software, by nature, is more flexible.  It’s easier to set up and configure.  Additionally, it comes with none of the storage demands that are typical of hardware-based solutions.  On the other-hand, appliance-based log management solutions take up valuable real estate.  While larger companies may have the extra office space to spare, many small and mid-sized companies do not.  This makes software-based log management the better choice for companies that plan to set up their log management infrastructure across multiple remote locations. 

Additionally, they are limited in scope.  The typical “log collector boxes” will eventually max out, many experts believe, as the quantity of log data that companies must collect continues to grow at a rapid pace.  A 2007 study conducted by the SANS Institute, the world’s largest and most trusted provider of internet security training and certification shows that the majority of companies today (57 percent) store logs from as many as 500 different sources.  

And, appliance-based log management often requires significant investments in proprietary hardware.  This can drive up implementation and administration costs, hinder the portability and sharing of log event data, and negatively impact network performance.  It can also make access to data difficult for third parties, which may be needed in the event of an investigation into a potential security breach. 

 

But, there are also advantages to appliance-based log management systems.  Some industry pundits feel that software-based solutions can create yet another disparate application – particularly in large enterprises where technology environments are already more dispersed than they should be.  The SANS report cites that more than 55 percent of Global 2000 companies rely on hardware-based solutions for their log management needs, and this is likely the reason. 

 

Total cost of ownership can also be much lower with appliance-based solutions, since they are turnkey systems.  Software-based log management requires customers to purchase a variety of other components, including the server hardware and operating system, and storage devices.  This raises significant concerns about security, since multiple layers of the infrastructure must be protected, as opposed to just a single appliance.  And, much time and effort must be spent installing and integrating these various components, making appliance-based deployments and roll-outs much, much faster since they are usually “plug and play”.  

 

Others believe that software-based log management is highly prone to problems and inconsistencies.  In fact, in an article published in the ISSA Journal, David Ting states that, “deploying a software-based security application is a painful process ripe with opportunities for error”.  But, appliance-based solutions are dedicated to performing a single task – collecting and organizing log data – and are therefore more reliable. 

 

However, as applicance based vendors are popping up on daily basis, companies are starting to rethink applicances all together.  Log Management in particular, is storage hungry and companies have already commited storage infrastructure for many of their enterprise applications, why not leverage that investment?

 

You can always find arguments for or against one approach over the other.  However, which is better truly depends on each individual company’s log management strategy, and the resources it has available to dedicate to executing and supporting that strategy.  When choosing a log management solution, investigate both methods thoroughly to determine which is right for you.

Traps to Avoid When Implementing Log Management

Not all log management efforts are successful.  Without proper planning, these initiatives are likely to fail – or at the very least, produce less than desired results. 

 

Here are some pitfalls to avoid when setting and executing your log management strategy:

 

Disconnects between IT and compliance staff

When it comes to log management, IT and compliance staff must work closely together.  Each group needs to understand the other’s role in the process in order for the strategy to be comprehensive and successful.  For example, without open collaboration, IT staff will lack understanding of the regulatory requirements that drive log management initiatives in the first place, while compliance professionals will have limited insight into the technology issues that impact effective log data collection, storage, and analysis.

 

Collecting data before formal policies are put into place

Log management should be viewed as a rigid business discipline.  Formal policies must be set and documented before data collection and aggregation begin.  These guidelines should not only provide details about which log data should be gathered, how it should be stored, and how frequently it should be analyzed, they also must outline the persons responsible for various aspects of log management, as well as the steps that must be taken when suspicious activity is detected.  Otherwise, log management procedures will be fragmented and disjointed – and therefore, ineffective. 

 

Focusing only on events in the “security” log 

Many log management strategies focus on identifying suspicious events within system security logs only.  However, this provides only a limited view of all network and application activity, and may cause companies to overlook potential incidents that require further investigation.  Application logs and other log types must also be reviewed on a regular basis, to provide the most accurate picture. 

 

Collecting too much

While gathering log data from every technology system within the enterprise may seem like the best approach (some companies feel more comfortable doing this, to ensure that nothing is overlooked), it will never work if event logs are not prioritized.   Simply taking every log file, combining them all together, and reviewing them with little direction will make it nearly impossible to find what needs to be found.  But, by knowing where to look first, then moving on logically to other related system logs, companies can effectively gather the system activity intelligence they need. 

 

Lack of data consolidation

Log management projects that call for the collection and analysis of log data on a device-by-device basis provide limited insight into enterprise-wide security incidents. Reviewing log event data one system at a time is particularly ineffective when it comes to obtaining a comprehensive view of user activity, or conducting forensic investigations once a possible breach has been identified. 

 

Insufficient testing

Log management infrastructures must be thoroughly tested, not just before initial deployment, but continuously.  Many companies discontinue testing after the solution has been put into production.  But, as new business systems are added to their technology environment, the impact of these applications, and the log data that will be collected from them, must be assessed.  Even if no changes to the infrastructure are made, organizations should periodically test features such as real-time alerts, to ensure all is in proper working order.

Best Practices in Log Management

For many organizations, log management is an important business discipline – perhaps one of the most critical.  But to date, there has been little consistency in the way companies design and implement their log management programs.  And, none of the regulatory bodies that require log management as part of compliance have clearly outlined what the most successful log management strategies entail. 

 

However, many industry experts have offered guidance and advice when it comes to log management. Some of the “best practices” cited include: 

 

Data collection

Companies have deployed countless business systems.  But, which ones should they focus most on when collecting and analyzing log event data?  Of course, logs should be gathered from any databases that house information that is protected by legislation (i.e. financial data for Sarbanes Oxley, or patient data for HIPAA).  But, what many companies forget are those systems that provide access to those applications (such as firewalls or software for virtual private networks), as well as solutions that secure them (for examples, IDS, security scans, antivirus packages).   By gathering log event information from all of these sources, companies can gain the most complete insight into how protected data is being retrieved and used. 

 

Data consolidation and centralization

Log data is collected from a variety of diverse sources, often in varying formats.  This makes it difficult for those overseeing log management to understand what’s happening from an enterprise-wide perspective.  By collecting, aggregating, and centralizing all log even data in a single location, regardless of its source, companies can make the information much easier to access, review, and interpret. 

 

Retention and archiving

The key to providing the kind of audit trails needed for regulatory compliance is effective and comprehensive storage of log event data.  Information retention policies vary from company to company, so regulatory guidelines should be referred to when determining how long log data should be retained for.  Additionally, log data archives need to be protected from unauthorized access, as well as loss due to hardware failures or system outages.  Role-based security, daily backups, and redundant servers should be employed to preserve the integrity of vital log event data at all times.  

 

Reporting and analysis

This, perhaps, is the most critical component of log management, providing the mechanisms for identifying breaches in progress known as real time threat management, and even proactively preventing them before they cause widespread damage.  But, before questionable activities can be detected, patterns and trends in log data must be analyzed to determine what activity is “normal”.  Once that has been clearly understood, log data reports must be distributed to key stakeholders, and thoroughly reviewed on a very frequent basis.

 

Policy documentation

But, perhaps the key best practice when it comes to log management is clear definition – and supporting documentation – of the processes involved.  In order to develop and enforce rigid log management across an entire organization, companies must outline workflows, assign owners to various tasks and responsibilities, and state – and impose – penalties for anyone who circumvents the outlined procedures.