Evan Davison, security architect at Barling Bay LLC, spoke at the 2013 ISSA International Conference in Nashville, Tenn., in a session titled "Data mining for continuous monitoring and compliance reporting." Before his conference breakout session, Davison sat down with SearchCompliance Associate Editor Emily McLaughlin to discuss the benefits of big data tools and the ongoing challenges that accompany production of timely compliance reports.
In this video interview, Davison explains how gaining administrative access is all about who you know, and how leveraging existing big data tools can alleviate common challenges facing compliance professionals. Watch the interview and read the full transcript below to learn whether your organization is creating unnecessary compliance roadblocks.
In terms of compliance with government and industry regulations, why is it so difficult to assess, maintain and produce reports?
Evan Davison: The data changes constantly. The tools that are being used to gather them and the administrators that are within your organization will change with little to no notice. The challenge comes in developing a process to create stable, reliable and repeatable compliance reports. That becomes very difficult when the compliance experts, or the people in the organization responsible for reporting it, do not have administrative access to install tools. They may not have administrative access to servers, inventory systems or any of those other tools in the organizations.
Oftentimes, what I've found is that it's all about the personal relationships that people maintain and the time spent building relationships with administrators that are out in the field, or with systems administrators who are running those systems. It's that backside channel connection that gets generated. For new professionals that are entering a new place and trying to build those connections, or when the people or positions change, it means that the process has to start all over again.
How do big data tools simplify compliance reporting and help ensure that you're in compliance with regulations?
Davison: The best thing about big data tools is that most organizations have some type of big data initiative going on. The value that I saw as a compliance professional was that I didn't have to seek out, buy or test a new tool. I didn't have to look for systems administrators or other people to implement something for me. I didn't have to learn any new technology. I could go to that big data project and say, "I need some space. I need some analytics time." However, their big data initiative was set up in the organization and already had all of that data flowing in. In most organizations, they were already making efforts to have monitoring through these big data tools, through SIM [subscriber identity modules], network security monitoring or something like that. All we had to do was to say, "Can we get an account? We don't need administrative access; we don't need anything. Can we get an account?" Oftentimes, they were very reasonable and accommodating. Once you're there, you have this buffet of information at your perusal so you can go in and pick out those things that are important to you.
Also, a lot of big data tools started to come out with apps, add-ons or snap-ins that allow you to automatically pull that type of information out of logs. For example, some of the biggest tools mainly just block compliance information related to access control -- i.e., looking at logon failures, simultaneous logons over a period of time, or actions like that. While those are very small on the scale of what you have to accomplish as a compliance professional, it's a tool that automates something that before was a technical skill or requirement, and was a manual process to check. Now we at least can see that, yes, it is being logged. Yes, someone is monitoring it, and maybe there's an alert configured on it. It really just allows us, as security professionals, to have access to things that serve a purpose elsewhere in the organization but we can mutually benefit from.
Can you give an example of how these tools are being used for compliance today?
Davison: I think one of my favorites is an example of when we were taking in VPN logs from a big-named vendor's VPN -- just some simple logs -- and we were evaluating that against policy. Are they checking logins and failures? Are they doing those things? Then we took it a little bit of a step further: The VPN logs calculated their remote login IP. We have this simple little tool inside that allowed us to use Google Maps to geolocate the address. We found that, in this example, it was summertime at the time and that they had individuals that, contrary to the policy, were taking the laptops out of the country and using VPN to check email or things like that, which obviously was a violation of company policy.
We weren't adding any new information. We weren't collecting anything that we didn't collect before, but it opened us up -- and not just from a security perspective where they can see failed login attempts coming from somewhere in Asia or from some foreign country. They were actually seeing that they were legitimate logon attempts that were coming from people violating organizational policy.