Did you know there were more data security breaches involving credit cards in 2009 than in the past four years combined? Moreover, the effort companies are putting into solving this problem generates massive amounts of data that cannot be effectively analyzed. To get an idea of how organizations can cope with the challenges of securing confidential information and staying compliant, I sat down with Gene Kim, CTO and Co-Founder, and Matt Hixson, Director of Product Operations, at Tripwire, a company which focuses on helping companies solve these problems.
As budgets are being cut, Kim explained, companies need situational awareness regarding what can put them at risk. This, coupled with continuous controls, allows an organization to be less at the whim of auditors. The idea here is to let automation provide the guidance an organization needs to ensure 24x7 compliance.
The goal of many security standards, such as the credit card industry's PCI, is not only to be compliant but to be secure. As a result, Kim explained to me, his customers use products such as Tripwire Enterprise and Log Manager to enforce policies and monitor for anomalies.
Gene Kim is no stranger to the space, having first written this software in 1992 while a student at Purdue University. As an experienced veteran, his experience is worth paying attention to. He says the cost of compliance should decrease over time. He quoted the following numbers as a guideline: if your initial costs in year one are $15M, they should decrease to $7M and $3M in the following years.
Gene Kim explains to me the challenges involved in security and compliance and how his company Tripwire solves these problems
He explained that this sliding scale of lower costs is generally not what happens, and many executives are baffled by the increasing costs of compliance. In his opinion, the challenge lies in taking a project-based approach to the problem as opposed to a process-based approach. He further explained that just because you purchase the tools, you aren't necessarily fulfilling the intent of the solution until you integrate them within your organization.
Kim went on to describe how companies that throw money at the problem aren't really solving it. Instead, they need to do a configuration assessment which looks at databases, applications and firewalls and ensures they are in a known secure state. Tripwire's tools automate this process and can subsequently monitor the systems for changes; if a change is detected, you can verify that it was authorized. Another important point is that many outages are caused by changes, 80% in fact according to Gene, and this is exactly why it is important to know what changed so you can quickly undo the damage. This is the case whether the changes are made with the best intentions or by a hacker.
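The baseline, detect, verify loop described above, reduced to its essentials as an added example (this is not Tripwire's code): snapshot a tree by SHA-256, diff a later snapshot against the baseline, then reconcile each detected change against a constructed stand-in for change-management tickets so that unticketed drift stands out.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Baseline a tree: relative path -> sha256 hex digest of the file content."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                snap[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return snap

def diff(baseline, current):
    """Classify drift between two snapshots by relative path."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

def reconcile(changes, current, approved):
    """Split detected changes into authorized and unauthorized. `approved` is a
    constructed stand-in for change tickets: path -> sha256 the ticket expects."""
    authorized, unauthorized = [], []
    for kind in ("added", "modified"):
        for p in changes[kind]:
            bucket = authorized if approved.get(p) == current[p] else unauthorized
            bucket.append((kind, p))
    unauthorized.extend(("removed", p) for p in changes["removed"])  # deletions are never pre-approved here
    return {"authorized": authorized, "unauthorized": unauthorized}

def demo():
    """Constructed scenario: one ticketed config change, two unexplained ones."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        write("httpd.conf", b"ServerTokens Full\n")
        write("sshd_config", b"PermitRootLogin no\n")
        baseline = snapshot(root)                          # the known secure state
        write("httpd.conf", b"ServerTokens Prod\n")         # covered by a hardening ticket
        write("sshd_config", b"PermitRootLogin yes\n")      # no ticket: must be investigated
        write("unexpected.bin", b"\x00\x01\x02")            # no ticket: new file appeared
        approved = {"httpd.conf": hashlib.sha256(b"ServerTokens Prod\n").hexdigest()}
        current = snapshot(root)
        return reconcile(diff(baseline, current), current, approved)
```

Running `demo()` reports the httpd.conf edit as authorized and flags the sshd_config edit and the new file as unauthorized, which is the list an operator would start the incident review from.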
Quite often, in an organization which doesn't have these controls in place, incident investigations are launched to determine what happened only once it realizes there is a problem. Oftentimes a partner will alert a company to fraudulent activity they are seeing which emanates from the company's systems. At this point a typical organization has to alert the owners of the various boxes, who then have to scour log files. Kim said emphatically, "That is why it takes over nine months to see if they have a security breach."
The bottom line on Tripwire is that they combine log management with event management while simultaneously providing links to other products and systems within your organization. The latest version of their Enterprise software is 6.7, and it now allows log management integration.
As the world becomes more interconnected, every company is more of a target than ever before, and in an era of reduced IT staffing it makes sense to look to systems like Tripwire to automate your security and compliance activities so you catch problems as soon as you can. Remember, the damage done by a breach can be devastating and result in fines as well as massive amounts of negative publicity. Oftentimes it makes sense to invest a little now to keep the genie in the bottle. Getting it back in is probably not something anyone wants to deal with.
For a delicious take on security, compliance and pizza, check out this TMCnet article discussing how Bertucci's, a restaurant chain located in New England, is using Tripwire's products to comply with Mass 201 CMR 17 and PCI.