Data Security

Risk Analysis Tools for Data Security

  • Home
  • Risk Assessment
  • Data Security
Data Security SIEM 9th Oct 2019

Data Security Management

Data Security and SIEM

Part of any cloud migration planning is the process of identifying and classifying data across the entire business.

From a security perspective this exercise helps to inform the business about what levels of security need to apply to maintain the CIA triad of security.
Leg Concern Risk
1 Confidentiality what data will harm the business if it is made available to non authorised users
2 Integrity what data will harm the business if it is destroyed, altered, lost
3 Availability what data will harm the business if it is unavailable when required
Foundation Least privilege minimal access to data that is required to fulfil role

Data Purpose

Define objectives of data security regulatory requirement, general security, business strategy
define types of data line of business database, CRM database, working templates/forms, logs
Define use cases for data how is data used, what is its life-cycle

Classify Data

Process Observability required
Identify where, what is the data?
Assess what security controls should apply?
Validate do security controls work as expected?
Monitor visibility of changes to data and data sources and controls

Security Risk Classification

A simple but straigtforward approach is to define a risk category such as:

low, medium, high risk (or 0,1,2)

then create a matrix with headings of Data,Confidentiality,Integrity,Availability,High Watermark and a list of data types for the rows.

Please rush me your security matrix

It is not a good use of resources to apply the same level of security to all data but it is more efficient to focus on data that is identified as high value to the business. A matrix can help to identity which data should have the highest focus and greatest effort for protection.

Traditional thinking

Build defence in depth with multi-layers of protection on the reasoning to prevent an attacker from getting in.

Modern thinking

The Internet brings continuous global connectivity. Email attachments mean that an attacker can enter the network at any time. It is not a question of how to prevent an attack but that an attack will occur. Businesses need to make sure that the blast radius is contained to the least possible degree by making it as difficult as possible to gain access beyond the entry point, by slowing down and impeding further penetration, and by creating sufficient warning alerts until additional resources can be applied as backup


Monitoring

Automatic and Manual Monitoring Objectives

# Objective
1 Confirm security controls are working effectively in current state (Quality Assurance process)
2 Track effectivesness of security controls as environment changes (Testing, dashboards, monitoring)
3 Ensure changes do not take systems and applications out of compliance (Audits, monitoring)
4 Easily provide reports to be consumed buy business owners and auditors

Security Incident and Event Management (SIEM)

Analyse event data in real time. Mostly driven by logs but also use metrics. Detects targeted attacks and data breaches. Allows users to collect, analyse, store, investigate, report on log data for : Incident response Forensics Regulatory compliance.

SIEM considerations

Logs to be collected in one place where they are unable to be viewed or altered by non authorised users (who did not originate the data). Summary dashboard, Security rules, Tags to identify resources, Able to trace to an IP address, Investigation drill down capability, Threat intelligence ML to define normal and abnormal behaviour, Alerts, Integration to other systems.


Follow this link to download Open Source Security Controls

If commercial security, SIEM offerings with a focus towards serverless deployments are of interest, I am currently evaluating five products and will publish a comparison/review on this website soon. If you want to be advised when the review is available you can use this contact form.. The products are from Lumigo Puresec Blue Matador Thundra and Dashbird


Company Product Platform Free Trial
Dashbird Monitors serverless apps AWS Yes
Puresec Now owned by Palo Alto Networks. Serverless security platform with data import/export protection. AWS Azure Google Cloud IBM Cloud Yes
Lumigo Serverless monitoring system and troubleshooting platform AWS Yes
Blue Matador Automated alerts, monitoring dashboard, looks awesome AWS Microsoft Azure kubernetes Yes
Thundra.io Automated alerts, monitoring dashboard, looks awesome AWS Yes

Written by Andrew Plater on 11 th October 2019

  • Share: