July 09, 2012, 7:30 AM — An enormous amount of administrative audit data is collected each day at large companies around the world. Administrators have the access needed to steal cardholder (PCI) and other saleable data and to cover their tracks by altering the records of what they did. That is much harder at companies that enforce a strict separation of duties among administrators, so that the person who can make a change is not the person who controls the log of it.
Generally, only large companies with significant financial risk implement separation of duties well. What can be done to help mid-sized corporations worldwide prevent tampering with audit data from applications and their supporting infrastructure?
Many small and mid-sized firms cannot afford an appropriate separation of duties between administrators, and they have not deployed extensive SIEM (Security Information and Event Management) technology. I've seen ArcSight, a SIEM product, deployed at a national retailer. They had a large number of connectors that needed to be built to collect all security-related data properly from the various IT systems. The SIEM hierarchy is a security fault tree: it is complex and hard to configure well. So some companies are instead applying 'Big Data' techniques to analyze their logging data.
It is becoming commonplace to log all administrative actions on applications and on all the data center infrastructure that supports them: successful and failed logins, changes to account privileges, authorization attempts, and application administration and configuration changes. Imagine firewalls, load balancers, virtual machines, network bandwidth allocation, database servers, storage subsystems, and LDAP servers all producing log data. Unauthorized and untracked changes can cripple a data center, costing tens of thousands to millions of dollars; lead to theft of credit card numbers and the customer losses that follow; and damage the corporation's reputation, with future business lost as a result. Collecting these logs only helps, though, if the administrators whose actions they record cannot quietly rewrite them, which is why the records should leave the box promptly for a store those administrators do not control.
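As an added example (not code from the original post), the following Python script shows one way to make collected admin logs tamper-evident without a full SIEM: each record carries an HMAC over the previous record's MAC and the event, keyed with a secret held by the log collector rather than by the audited administrators (an assumption of this example, and the one piece of separation of duties it cannot do without), so that a modified, deleted or reordered entry breaks the chain. A simple detection rule over the same records flags privilege grants by accounts that are not on an approved list. The log events below are constructed sample data, not real logs.

```python
"""Tamper-evident audit log for administrative events (added example).

Assumes KEY is a collector-held HMAC secret that the administrators being
audited cannot read. That assumption is what gives the chain its value: an
admin with write access to the log file but no key cannot recompute the MACs.
"""
import hashlib
import hmac
import json
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample events: the kinds of administrative actions the post says
# should be logged (logins, privilege changes, configuration changes).
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2012-07-09T07:30:01Z", "src": "ldap01", "user": "alice",
     "action": "login", "result": "success"},
    {"ts": "2012-07-09T07:31:12Z", "src": "db01", "user": "alice",
     "action": "grant", "target": "bob", "priv": "DBA"},
    {"ts": "2012-07-09T07:32:45Z", "src": "fw01", "user": "bob",
     "action": "rule_change", "rule": "allow any->10.0.0.5:3306"},
    {"ts": "2012-07-09T07:35:00Z", "src": "lb01", "user": "carol",
     "action": "login", "result": "failure"},
]

GENESIS = "0" * 64  # MAC value assumed for the record before the first one


def canonical(event: Dict) -> bytes:
    """Deterministic serialization so an event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def record_mac(key: bytes, prev_mac: str, event: Dict) -> str:
    return hmac.new(key, prev_mac.encode() + canonical(event),
                    hashlib.sha256).hexdigest()


def chain_events(events: Iterable[Dict], key: bytes) -> List[Dict]:
    """Turn raw events into chained records: each MAC covers the previous MAC."""
    records: List[Dict] = []
    prev = GENESIS
    for seq, ev in enumerate(events):
        ev = dict(ev)  # copy so callers' event dicts are not shared with records
        mac = record_mac(key, prev, ev)
        records.append({"seq": seq, "prev": prev, "event": ev, "mac": mac})
        prev = mac
    return records


def verify_chain(records: List[Dict], key: bytes,
                 expected_last: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    Catches modified, deleted and reordered records. Deleting records from the
    end (truncation) leaves a valid shorter chain, so pass expected_last, the
    final MAC as recorded off-box by the collector, to catch that case too; a
    truncated chain is reported at index len(records).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if not hmac.compare_digest(record_mac(key, prev, rec["event"]), rec["mac"]):
            return i
        prev = rec["mac"]
    if expected_last is not None and not hmac.compare_digest(prev, expected_last):
        return len(records)
    return None


def privilege_changes_outside_approved(records: List[Dict],
                                       approved_grantors: Set[str]) -> List[Dict]:
    """Detection rule: privilege grants performed by accounts not approved to grant."""
    return [r["event"] for r in records
            if r["event"].get("action") == "grant"
            and r["event"].get("user") not in approved_grantors]


if __name__ == "__main__":
    key = b"collector-secret-held-off-box"  # assumption: not readable by admins
    intact = chain_events(SAMPLE_EVENTS, key)
    print("intact chain:", verify_chain(intact, key))

    edited = chain_events(SAMPLE_EVENTS, key)
    edited[1]["event"]["priv"] = "READONLY"  # admin rewrites the grant they made
    print("edited record detected at:", verify_chain(edited, key))

    deleted = chain_events(SAMPLE_EVENTS, key)
    del deleted[2]  # admin removes the firewall rule change
    print("deleted record detected at:", verify_chain(deleted, key))

    print("unapproved grants:", privilege_changes_outside_approved(intact, {"dave"}))
```

The chain alone does not stop an administrator who also holds the key, which is why the key and the off-box copy of the last MAC must sit with someone else, even in a small shop; that is the minimum separation of duties this approach needs.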