BayNewsletter_4

Bay Newsletter new1.pmd 11/9/2551, 21:011

2 l Bay Computing Newsletter l 4rd Issue

EDITOR’S NOTE & NEWS UPDATE

�� !��" �!#$"��%��

��&�� !�$"��'��!�&�!�(��&��) �$��"!�� Business Continuity Management ��*+,��(�*- BayNewsletter .��,��"��%+� BCM ��'��!��" ��/�� 0� ��!��!�1��" 1 ��3�/��*��/��/��"!�1��0 4�� '��&4��!#$"��(�� &"�) *+,��

Hello there. Nowadays many organizations are growinglyinterested in risk management to enable the businesscontinuity in case of an attack. This issue of Bays Newslettertalks about the Business Continuity Management (BCM)part 1; we hope that you can gain knowledge from it andwe also welcome any suggestions that you have for us.

�� , �� Nida Tangwongsiri, General Manager

Seminar News:Best Practices for Optimizing and

Protecting Your Web Application

- a Joint Seminar brought to you by Bay

Computing & Citrix Systems

�� Citrix '� !� � ��#&��&,� �� &��!�� !4&��(��"��!*�� !�$"�� 8Optimize and Protect Your WebApplication by Citrix9 ��" 26 �� 2551 0��'��Arnoma %��4��& !�� 9:30 �. E+"�F� ��4��G&� ��'I�*��/��!��"*�� Citrix ��!�J '��%+��!#&"��&�G&F�#��!�K�'�##�&!�4��

��(-��&��"��"�'�*�*��/�!#&"�!�&��"!�� 0-2962-2223 �$��!�� [email protected]�� !"��!

You are cordially invited to participate in the seminar on8Optimize and Protect Your Web Application by Citrix9 onSeptember 26th, 2008. The seminar will be taken place atArnoma Hotel, Ratchadamri Road at 9:30 a.m. This willbring you opportunity to learn 8What hackers are thinkingand hacking demo9 from Citrix Team as well.

Please RSVP at Tel: 0-2962-2223 oremail to [email protected] Don$t miss the chance! �

Bay Computing Conducted RSA

enVision Technical Training

!�$"�!�$��Z��"3�� !� ��!4&�!��&�*��0E�/4��&�� Log��'��#��!�� 0� ��(�!�$,��'��'��(��%�� '� ��%$�!�1�0��"��#�!��'�%�� -�� POC *��(-F�#*��!� ��"3�� !#$"��#��!��/��!*��'��%��!��/��!�1��

Last July, Bay Computing Technical Team conducted technical training forpartners on RSA enVision appliances. The sessions were intensive and coveredall required information throughout the day. On this event, it was a good opportunityto get together and share experiences on doing the POC on enVision platform forcompliance and security information management. At the end of the day, ourpartners have gained more profound understandings on our log managementsolution and maximize their knowledge and skills to support their customers. �

Bay Computing and Technology

partners joined TOT IT Security Day.

!� � ��#&��&,� ��(�� TOT IT Security Day E+"��.��0�� *+,�!�1��(��_!#$"�!3 '#��/��'��(��'��(��F� ��"�� E+"��*��,��, �$� ��!�K�*��/��#&�!�� &̀ ��j �+��Technology Partners ��!�1� RSA enVision, Citrix, IPScan !3 '#��*��/�!��" �� !�K� '��&��*��/� Log !#$"��#.�.�.�� 3&�!��" ��#&�!��'��3�/��"��,��,��

Bay Computing has joined TOT IT Security Day which is held annually. With themain theme of Log Management, Bay Computing with its supportive technologypartners, ie. RSA enVision, IPScan, and Citrix, distributed valuable information tothe participants regarding log management to comply with the Computer CrimeAct and other regulations. �

CITRIX Appointed Bay Computing

to CITRIX Value-Added Reseller

!�$"��, !� � ��#&��&,� ��'��,��!�1� CITRIX Valued - Added Reseller(VAR) � ��!�1�� !#$"��!��0E�/4��'��(��&�G&F�#!�K�'�##�&!�4�� !#$"�!#&"��!�K�*+,�� 5 !�� #��,��!�K�'�##�&!�4��F� �(��) '� ��%4�� (��

Recently, Citrix has appointed Bay Computing to be an official Valued-AddedReseller for its Citrix NetScaler solution to accelerate customer}s web applicationat least 5 times, protects from threats at application layer, and reduce the costof management and operation. �


Bay Computing Newsletter l 4rd Issue l 3

COVER STORY

�93% �� !�"��# $��&'��$��(��") 5 �*+ ��,�$�� )��

�~��(��!��0�0� �� Data Protection '� Business ContinuityE+"�!��" ��*��/� '��G(��&��!�&�� !�$"�� *+,��(�*- ��G(��&�� (�4�� 3��"�� '�� 0� ��%'��!�1�3��"�� '�� ,

� 3�&�3��"�� (Productivity Loss) E+"��*��#��,��$��3�&��"��3��, ��(�'�� '�� !��"��*��*��

� 4$"�!�� '�F�#��`-��"!�� ,�� /��, ��/��, ��!�&� '�� (Reputation Loss)

� ��/�!�� !�$"��4�!4 , �� "!�� , ��%!�K�!�&�� $�� !�&�!�� (Revenue Loss)

F� �(�� 0� !.#��!�(��-� 11 �� .J. 2001'�F� G��4��&��"��(�'��!#&"�*+,� ��%+�'��0��*��&��J/� �*��/��"!��J/� ��*+,��(�*- !�1��!�� BusinessContinuity '� High Availability ��#&��-� '�%$�!�1��!�1��) *�� CIO ��(��*��!�K��$��

Business Continuity Technology� �� , Enterprise Solution Manager, ��

�By Avirut Liangsiri, Enterprise Solution Manager, Bay Computing Co., Ltd.Part I

�93% of all companies that experience a major loss of dataare out of business within five years+ Gartner Says.

Data protection and business continuity are technologies that protectdata and secure business operations to continue without interruptions.They have become necessary tools for organizations because ifthe business stops, it may cause a severe impact, which can affectseveral dimensions; details are listed as follows:

� Productivity loss is determined by numbers of employees affectedbusiness process, lower productivity, and duration.

� Reputation loss can cause several concerns such as customers,partners, financial market and the society.

� Revenue loss resulted from paying compensation, lost futureincome, loss of financial evidences, and unable to collect debts.

It cannot be denied that since 9/11, terrorists attacked WTC Buildings,the catastrophe that has changed global}s security concerns andalso the increasing severe natural disasters nowadays, thesemajor reasons have risen the IT people to put the need of BusinessContinuity and High Availability to the agenda. It is something thatCIO has to consider whether they are SMEs or large enterprises.



COVER STORY

��0� IEEE ��!�(*��!�&�!�(*��*�� (Downtime) ��E��'��" 40% ��$� Planned Downtime ��" 30% ��3&�#��*��(` ��" 15% I��'��4��(��$�3&�#��" 10% �F�#'�� !4�� ,�� 5% '��(��-�!��$�*�� - 1% E+"��!K�� Downtime ��"!�&�*+,��!�&��&"��"��!��" ��'��,�� & E��'��,Planned Downtime '��3&�#��*��(` �!�� ,� ��4�!��0�0� �'�� (Process) ��"!�� !��" ��~��'�3��G(��&�� Availability

��,!�1��"��~��(��!�� &�� *+,� �$�!�$"��,�'��& �� best practice �� IT ��4� ��!�1� CobiT �$� ITIL��%+��) ��,� ISO 20000 series '� ISO 27000series E+"��'�� $�*��"�� K��,��`��F� '��!�� #��!#$"��%��!�&�G(��&�� !�$"�� '�� Availability !��K��"'�� "!��!� �� &�� up time !4�� up time 99.9% !�1�� 0� five nine�$� 99.999% �$� � !��"�� 1 �_ ��(�� (��!#� � 0-5 �� !��,� '��$"�) ��" 1

�%��&�� !�� (Gartner) ��'��*�� Availability ��!�1� 5 ��0� !�� $� ��,�'�� AL0 %+� AL4 0� '�� %+��3�*��/� ��,

AL0 : Unprotected Server �$� !E&��!��$��"�� redundantcomponent ��) ��&��&�� 0��'�� '�*��/�

A research on system downtime conductedby IEEE indicated that software contributed40 percent, with planned downtime 30 percentand human error accounting for 15 percentrespectively. In addition, the Defects andhardware errors cause 10 percent whilenatural phenomenons contribute to 5 percentof the overall problems. Of 1 percent of thedowntime problem is devices and networks.From these statistics, we can see that allof the causes, such as software, planneddowntime and human error, can be preventedby employing appropriate processes andtechnologies.

AvailabilityAvailability is the frequently-used term that has gained its popularityfrom IT best practices, such as CobiT or ITIL, as well as IT standards,such as ISO 20000 and ISO 27000 series. These standards orregulations emphasize on the importance of information securitymanagement and business continuity plan. There are many acceptabledata availability for each organization. For example, some organizationsmay implement 99.9% up-time or 99.999% known as five nines, whichindicates that in a course of one year the IT systems can only stop just0-5 minutes and has the values as Table 1.

Gartner Research Institute classifies five levels of data availability(AL0 � AL4), from the least available to the most available, details ofwhich are as follows:

AL0: Unprotected Server is a server that has no redundant componentsand has no protections whatsoever for operating system, programs,and data.

40% Software

30% Planned Downtime

15% Human error

10% Defects and hardware errors

5% Natural phenomenons

1% Devices and Network

(source : IEEE)

�� 1 :��

(Downtime Cause)

�� 1 : ��

(Availability Levels)



COVER STORY

AL1 : Conventional with RAID �� RAID�� log-based �� journal file system �� !��"�!��!

AL2 : Basic High-Availability Cluster �� !��#$!�%&�'�()'�'��&�!��&�'(�& � �� %��#��##*��+#,&��&��'. ��%&�'�!��' ��#. � �� /��,�!��/��,' ��/' SAN ��#�� User Session Interruption �'��&��0!#+��,��/��% SessionSynchronization

AL3 : Advance High-Availability Cluster �� automatic failover�,)& user session �� workload �+#,& backup components �� 'AL2 �� /��&��/� � ��+#,&!��& ��/' SAN

AL4 : Continuous Availability �� 100% ��&��0��''�� 5&��,'�/�&. �� redundancy (�)%��') ��/�� transaction loss �� /��"�� /�"�*��

��High Availability � �� 8��!��&� �� High Availability (HA)��9��!&�+:'�"'8��!�!,&�*+�� 2 �(�&� ��;'�/��%!,��&0��*�,'�'��/� � !,� ��9��&��!��+:' 2 � !,��,�. �� 0��*�,'��'�'�+#,&��*��'��*� �(�&�� Back Up �� Replication-Failover �(�&�,)& 2 0��*�,''�)�'�'��+�+<�&��*��*=��#��#��# ��99*��*��'�!�!,&�!��/0��*�,'��/$�� '�'�'��#�#��&�9�' ��&� ��9#,&��!��#/�&�/��'��&(Availability Centric) �(�&+� ��!��# Clustering�� Continuous Availability

'��'�)#,&� ��;'��"'8��!��/� ��/� 0��*�,'#,&0�,��+#,&��&��/�&�,' 0!#0��*�,' Backup�� Replication � �/$&�+<��+#,&�,��*��& 0��*�,'

AL1: Conventional with RAID is a server or system that use RAID andlog-based or journal file system to monitor and modify errors.

AL2: Basic High-Availability Cluster is a system that stops normaloperations so it moves users to work the substituted machine. Severalsystems connect through the same disk, such as SAN. The downsideof this method is the user session interruption, because the systemdoes not normally implement the session synchronization.

AL3: Advance High-Availability Cluster is a system that has automaticfailover and move both user session and workload to the backupcomponents. Like AL2, several systems connect through the samedisk, such as SAN.

AL4: Continuous Availability is a system that achieves 100% componentand function performance; redundancy system and has no transactionloss as well as effects to users.

Current High Availabilitytechnology marketHigh Availability (HA) market can be depictedas the Figure 2. From the diagram, itcan be determined that the solutions aredivided into 2 main parts: back-up andreplication-failover solution. Both solutionsaim to protect data loss as well as preventdamage and can recover the lost data.Another type of solution is availability centricand tries to make the system available at alltime. This solution type consists of clusteringand continuous availability.

This diagram also indicates that each solutionfocuses on different targets: backup andreplication solution which aims to protectdata; while clustering solution focuses on

�� 2 :

�!�"#��"#��

�� High Availability

(High Availability

technology market

diagram)



COVER STORY

Clustering �+:'��/$&�+<��'�'�+#,&��%&�'�#/�&�/��'��&��&��,' �� 0��*�,'Continuous Availability � �/$&�+<��'�'�+#,&business process ��'�&�+<��#��&G$��!��#/�&��*�J

�'��+� ��'��'�!��&0��*�,' �%�+:'��&��!��#��,!+� �8��&��*� (DataClassification) �%��+� ��'��#& (RiskAnalysis) �� "�� !�()' (Business

Impact) ��!+5=�� "�!��! ��*=��#��&��*�',)'.'��*��#/*�'� ��'��K�� #,&��,)&��#/*�'�*+��&�� !�M �� '��+� ��"�!��# 0!#��#��.�/� Information Asset

��%�'!�%!,��%�,= (Prioritise) �� &��*��,!��'�!�� (&��%��+� ��'�/��#��&�,��%��&��*� 2 �/��RTO �� RPO

� RPO (Restore Point Objective) �� %��'/& (Point) �' Timeline(�%��'/&�'��'(�&.) ��&��#��'��,��+��*��*��'��,��!� ��/' ��*��%�%��&�� (Back Up) � �%�$�. 1 �,��0�& �+:'��' �(�&��#��/��!+5=��()' ��*��/��$!��9��'��*��'�� 1 �,��0�&��

� RTO (Restore Time Objective) �� $!��!��%��,��*��'��*� �� ,��*��+��#'�+�&��/�� /��%�,=�� &��9��&�'�!�� &�� Downtime ��% ��/' ��*��,)&��! ��&9*��*��'��,�� &�'�/��!� 8�#�' 15 '�� +:'��'

�'V�,��/��+ �� *!9(&��#� ��#!��&��/� 0��*�,'�/��/�&�,'�#/�&�� ,��,'��! �� !��# ��9(&�$!��'��,!��'��0��*�,'�� /��+

application availability, and the continuousavailability solution intends to preserve thebusiness processes so it can fulfill thebusiness needs.

To evaluate or select a proper solution,organizations must classify their data first.Then they should conduct the risk analysisas well as determining the business impact incase of when there is a problem or erroroccurring to the information asset, whichincludes information written on paper andexecuted in the systems.

Once the data is prioritized and has their scopedefined, organizations can now determine thevalue of RTO and RPO. The details are asfollows:

� RPO (Restore Point Objective) or a pointof time in which the system has to roll backto recover the data. For example, the data is

backed up every 1 hour. By this method, once the system is down,data can be restored within the last hour.

� RTO (Restore Time Objective) or the longest time that data can berecovered. It is suitable for important data that has not been updatedfrequently, it must be available at all time and need low occurrenceof downtime. For example, all data must be restored in 15 minutes.

In the next issue, we will discuss the details of these solutions, theirdifferences, and applications that can be best applied on solutionsas well as benefits, downsidesand decision factors.



SOLUTION UPDATE

Infrastructure Requirements

To build an infrastructure for log (event) management thatwill lay the foundation for comprehensive security information andevent management, organizations should consider the followingcategories of requirements.

� General requirements� Log generation and capture� Log retention and storage� Log analysis� Log security and protection

��!��"# $�

�&��&�%'(&9(&+5��,#�/��+'�) �'��&0��&��&��)'X�'��&� ��,!�� Log �,'�+:'��X�'��&��,!��+��!8,#��&��*�� ,!��$��J��&!��'��+��!8,#

� ��&��,��+� ��,�� & Log� ��;��*� Log �� $+��J�,!��;�� Log� ��+�+<�&�� ,�M��+��!8,#��& Log

% ��&'��'��(��)(��*� LogLog Management Best Practice“Infrastructure Requirements”

�� 2

Part II



SOLUTION UPDATE

I. ��-�1. ��'�/'��*�%��0��

0!#�,��+�� ,!�� Log��',)' ��&��9��&�,��;��*��'�!��=/ �� #'��*��&�$+��J�,!��;��!��!��;�0!#��*��/�',)'� ��&��/��*=��#��#��# '��',)' #,&��9��#�!*��*� �� +� ��"�� ,!�%��#&�'�!��#/�&��!��;��/'�,' 0��&��&��)'X�'��9�%&�'�!�+� ��G�8��*&',)' � �/�#��#&�/��/�# �'��&��&��&0��&��&��)'X�'��/��+� ��G�8��*&�()'

��JY��+� ��'+� ��G�8��&� �� !��/

� �'�!��*� Log �/��'(�&��'�� (�&+��,�� ,!�+:'�%'�'��$��J��!�()'�'�'(�&��'��(events per second: EPS) 0!#��J��,)&�/�&��!��$��J�'8�� +�� /�&��*&�$!

� �%'�'��&"�* �� &�� #&�'�'��/� �,��0�&�� /� �,' 0!#��J��,)&�'�/�&��"�*��&�'+�� /�&��*&�$!

� �'�!��*��&'%�� /��'(�&�,'�� '(�&�,��0�& 0!#��J��,)&�'�!��*�+�� =/��$!

� �%'�'��#&�'�'��/� �,��0�&�� /� �,'0!#��J��,)&�'�/�&��#&�'+�� '�/�&��$!

� +��J��'!��!G�,)&�'�/�&��+�� /�&��$!

� ��&�'�$+��J�,!��;��*��,)&�'�/�&��+�� '�/�&��&�'��$!

� � ��,�M�+��!8,#��&��*� Log ��/' 9��&��,��*� Log ��/&"/�'� ��/�&� �� 2 � �� +� ��"��()'��'!��!G�'� ��/�#��()'

2. ��

� ��

�'+5��$�,' �&�� '/�#&�'��#��/&��'�!��=/ �� #�#/*��8*��8��/�&. �� +��#'�+�&�#/*��!�� ,!��/�'��&�� ,��*� Log ��/�&. � ��9��'�&�/��&��/''�)�!�� ,!�� ;��*� Log�� ,!��;�!��#� ��,!��;��*�"/�'��/�#(networked storage system) ��,)&�#/* J �%',�&�'',)'. "�*��G�[��&�'��9!(&�� *��'%�+�� ,!�%��#&�'�!��#/�&��!��;� � ��#�!�#/$''�)�� ,��&��$�+� �8� �,)&#,&��9+�,��+��#'�!��#/�&��!��;��+��#'�+�&� ��+��#'�+�&�%'�'"�*��&�'

+� 0#�'��,��+� ��&��&� �� # �� &��,�'��/��*��9*��,!��;�',)'� ��/�*=��#��#��# �� ,!��;��*��,)&�#/* J �%',�&�'',)'. �,!��;��!��#/�&��!��;�� "�*��&�'��9��&��!��/� '��',)' ��&� �� #

I. General Requirements

1. Provides high and consistent

performance

Generally, a platform for log managementmust be able to sustain a high volume of datacollection, a high rate of writing to the storageresources without data loss or corruption, ahigh response rate for retrieving the data,and a high rate of data processing for analysisand reporting. Implementing a high performanceinfrastructure avoids the prohibitive costs ofhaving to later re-architect for performance.

Performance requirements are determinedbased on parameters such as:

� The typical and peak volume of log datarequired to be collected per second (i.e.usually measured in events per second)

� The typical and peak number of usersrequiring analysis and report generation perhour and per day

� The typical and peak volume of data to beprocessed for analysis per hour and per day

� The typical and peak volume of reports tobe generated per hour and per day.

� The typical and peak usage of networkbandwidth

� The typical and peak usage of datastorage resources

� The security needs for the log data. Forexample, if log data needs to be encryptedwhen transmitted between systems, thiscould require more processing by thesystems as well as increased usage of networkbandwidth.

2. Enables a distributed

deployment

Many enterprises and government agenciestoday are large, geographically-dispersedand dynamic organizations. These types oforganizations are best served by a centrallymanaged yet distributed infrastructure that canmeet the needs of a geographically-dispersedand constantly evolving organization. With adistributed infrastructure, raw data logs arecollected and stored locally on networkedstorage systems and are then rapidly retrievedand aggregated for analysis and reporting byauthorized users. The flexibility of a distributedsolution means that the infrastructure can bemapped to any kind of organizational structure.It also means that organizations can quicklyadapt to changes as systems or groups ofusers are added or moved.

Another important benefit of a distributeddeployment is that it helps to ensure that no



SOLUTION UPDATE

#,&�/�#��'�&��,==,��&�^��#�� /��'#��#��*��+#,&�/�&+� ��K��'%�++� ��"� "�*��&�'��9��9(&��*��!��V�� /�'��&�'�)�� !��

3. ��!"��#

#��"��

� ��,!�� Log ��&��9��/��,�� #/*�� +:'�/�'�'(�&��&� �� 9�,!��!�&/�#�'�8�� !��&� ��+_��,��&�'��+:'�#/* �&�� #�� !,�� !��&�' �,��#/�&��/' ��0'0�#�SIEM ��9��/��,�� &��#/*9��%�+:'��&�� ,!��;��*��/� ��,!��;�'�)��/��/&"�� ,�+� ��G�8��&� ��!�� %��!%�'�'&�'�'�&��&� !$!�&

4. ��$%&��&'�(��)*��

%"��

�&�� 9�� $��J��#��'��&�'�J ��$��J'�)9*��,!��;��/*� ��,!��;��+!��# �*!&/�#. ��

+� ��"�� ',)'� ��9��& ��'��$��J��!�()'�!��'�J ',)' �� 9�,'�(��$��J�+��. �,' ��"�*��9'%��$��J��,'�(��!�',)'��*�'��,�X�'�'��/��

5. ��#��&

$��(�!"�

� ��,!�� Log ��&��9��&�,��&�'�'8�� +�� ,)'�*&�$!�!� �&�� &�"'��&�,��0��&��*�Log ��*��$��J�'��&��/�&. ��()' � ��0��&��&��)'X�'��&��9��&�,��0��&�'�!��*�Log ��*��$��J�,'�'��&��/&��*��()' ��"/�'�+ ��%�'!�� &��&!��'� ��+��!8,#�/�&. �� /&"��;��*� Log��()' '��'�) � ��&�&�� &��0��()'�+��%!,�� &��/��,�� ()'��/'�,' � �� &��9�,!��,��*� Log ��()'0!#��/�/&"�� ,�+� ��G�8��

6. ��+�$��%��#��,

��'�$'�'��+:'��&��%��!�!��+5��,#��#+� �� +� �� /��/&"�� /�� #/*'��# �,)&�'�/�&��!�,)&� ��'9(&��&�'�'��/�� '��"�*!*��9��!�,)& �,��! �� ,!�� Log 0!#�� ,�M �� #�#��'��#��$! �� '��!*�� #&��/��'� ��,!�� Log ��/��&��K,#"�*�%'�=�V�� & ��/' "�*!*�� X�'��*�� "�*!*�� /�#

�'��&��'��,!��*� Log',)' �� &��)'��'��,!��;��*& !,&',)'��+:'��!��'�$'��+:'��& �&�� &��0��*�,'��#&��;� Log ��/��!+� 0#�'�� +� 0#�'�� ,!��;��!��#/�&��;��

��0'0�#� SIEM �� ,!��X�'��*��&�,��,'G (RDBS) ��'�0'�� !�� !��&��*� (data explosion) ��/' �'��;��*��'�! 1 ��0��',)' �� &��)'��

data is lost or corrupted as localized collectionand storage of the data is faster and morereliable. It also helps in complying with lawsthat prevent data from being physically movedto another country for processing. While thedata is stored locally, specific records can beselectively accessed by authorized usersbased on content and context.

3. Easily integrates with existing

infrastructure

An infrastructure for log management musteasily integrate with existing systems tobecome part of the enterprise`s overall ITinfrastructure and be manageable withinthe context of existing operations. Theorganization should be able to leverageexisting systems, for example the SIEMtechnology should easily integrate withexisting storage system. If new storagesystems will be required, the deploymentshould not negatively impact performance

of other systems or create major disruptionsto operations.

4. Ensures parallel analysis and

storage

An organization should be able to act on theanalysis of correlated events while thoseevents are being written to storage. In otherwords, the platform should be able to supportreal-time alerts and at the same time bereliably retaining all of the log data as it iscollected, so that the data will be availablelater for audits or forensic analysis.

5. Offers scalability to meet not

only current needs but also

future needs

A platform for log management must be ableto handle average and peak loads. Organizationshould plan for surges in the volume of logor event data due to increased activity. Theinfrastructure also needs to be able to handle

increased overall volumes of log or eventdata due to the addition of more sources ofdata. Over time, regulations or securityrequirements may call for more logs to becollected. As well, the organization`s ITsystems will most certainly grow and moredevices will be added. The system should beable to handle increased streams of log datawithout impacting application performance.

6. Provides a low total cost of

ownership (TCO)

A low total cost of ownership (TCO) is realizedthrough a number of factors. First, it requiresminimizing the impact on IT system not onlyduring deployment but also over time. Thetime, skill, and effort required by the IT staffto deploy, maintain, upgrade and managethe infrastructure should be minimized; aswell as the number of full-time equivalent(FTE) staff required to run the systems.The infrastructure should not require



SOLUTION UPDATE

9(& 12-15 ��0�� 0!#�%'�'��',)'��'��&��&�� *��/�'��!�� !,&',)' ��0'0�#� SIEM ��/�� RDBS �(&��&��*��&�,!��;�'��#��/�'��',)' 9��&��!��0'0�#� SIEM��0'0�#��,!��*��&+� ��G�8��;� ��/��&��#�&�'��)��)'��,!��;��

0��&��&�� ,!��;��*��/&�+:'�,)'#,&�/��!��+� 0#�'��)'��,!��;��!��#/�&��;�� *��/9*��#��/�#� 9*��,!��;��'�'/�#�,!��;��'�$'��%��/� ��'�� +��;��'�'/�#�,!��;��,� �(&�/�#�!��'�$'�/� MB0!#��&�'/�#��;��*�� ,!��%�+:'��&��'/�#�,!��;��,� ��#�/�#!��'��

�� ;'��#�&�+��%!,� �'��&��*��/�',)'� 9*��,!��;��'�'/�#�,!��;��%�&��(�&��,!��'��# !,&',)' �'/�#�,!��;��,�� +� ��%�,�&��/�'�� #'�!��;��()' �(�&�%��+� ��G�8��0!#��&� ��!��()'

7. ��+��(#!&�01�#��

��$�� Log ��$��)��8��

�'��&0�� &��&��*� Log ��&�/�'�+:'��,�X�'�'��&�^��# ��&�%��%�'!��&�^��#��&+� �� *� Log��'%�+��$!+� �&��/�'�)��&�+:'��*��/��+��#'�+�&�!. �,)&��)'

specialized staff such as database or networkadministrators.

Since a platform for log management has thepotential to use massive amounts of storageresources, to achieve a low TCO, look for asolution that not only avoids generatingundue amounts of log data, but also optimizesthe use of storage resource.

SIEM technology based on traditional relationaldatabase systems (RDBS) can generateextraneous data. In fact, RDBS have the potentialto create a data explosion (DE), for example,requiring 12K to 15K of data storage for every1K of raw log data. This is due to the constructionof tables and other overhead. Therefore SIEMtechnology not based on a relational databasewill generate less data to store. Also, if SIEMtechnology uses efficient compression techniques,you can avoid unnecessary purchases ofadditional storage capacity.

An infrastructure that uses tiered storage alsohelps to optimize the use of the storageresources. With tiered storage, log data thatis infrequently accessed does not take upcapacity on primary storage but instead isstorage on lower-cost tiers. This reduces theoverall cost per MB of storage and puts offthe need to acquire additional primarystorage system. Administrative costs are alsoreduced as data archived to lower tierstypically requires less management. Freeingup resources on primary storage systemsenables read and write requests to beprocessed much more quickly, whichimproves overall performance.

7. Supports the retention and

retrieval of “evidence-grade” log

data

At some point, an organization may needto produce log record to be used as legalevidence or to meet regulatory requests

��',�&�'��&��*��,�X�' �&�� &��9��#��*��,�X�'�'�,)'��&��#�'��,�X�' �'��*�'��,�X�'��+:'��;��'��'�) �&�� &��9��!&��!��/� ��*��,�X�'',)'. ��/��+��#'�+�&�� !&��&�'� ��/�#��&�&��!� �+:'��' 0��&��&'�)�� 9��,�� ;��*��,�X�'0!#��/��+��#'�+�&�'�)��!,)&�!��,)&��)' ��!(&��*��/�'�)�()'��+:'��,�X�'��&�^��#��*�'��,�X�'�/��+�!�

�'V�,��'�� *!9(& ��& Log �� ;��,�M� Log �(�&�+:'+5��,#�� 2 �� 3 �'��&��)'X�'��&� ��,!�� Log

for information. To be used as evidence,the logs should be in the original, unalteredform.

When called upon for evidence, organizationsmust be able to produce log data as part ofa discovery process in a reasonable fashion.As well, to provide a digital chain of custodyfor forensic analysis, you must be able todemonstrate that data has not been alteredand that it can, for example, documentnetwork usage in an indisputable manner.The infrastructure should capture and storelogs in their original format, allowing retrieval ofevidence-grade log data for legal, regulatoryor forensics purposes.

In the next issue, we will talk about LogGeneration and Log Retention that thesecond and third categories for build aninfrastructure for log (event) managementsystem.



SOLUTION UPDATE

��'��-�� ISO 27001:2005 �� 2� �� , Senior Network and Security Engineer, ��

�By Phakkhanat Phothongborwonphak, Senior Network and Security Engineer, Bay Computing Co., Ltd.

��,��,'��,)&' ��,� �/�'��'��,�!��/�'"�*�/�'��'��!��& ISO 27001:2005 ��X�'��#��,�

� ��,�'�&+��!8,#��&��'��K ��'��!��%��*�,��,� ISO 27001:2005 9(&��+:'�� +� 0#�'��&��+_��,��X�' ISO 27001:2005 �'��''�) �� !*�,'�/� ��0��,�MJ �#/�&��& �� "�� 9*�0��9��/&�+:'!��'�/�&. �#/�&�� (&��!*�,'�/� ISO 27001:2005 � �/�#��!��#/�&��' ��,�

Information Security Treats of 2008��*��/$�"�*!%�'�'��,!�% ISO 27001:2005 �� /$�"�*��!� CertificateCISSP �!��,!��/$��*+��&��0��'+~ 2551(Information Security Threats of 2008) ��!,&'�)

Welcome back to the second part of ISO27001:2005. Firstly,let me thank all of you who are interested in our scoop on

ISO27001:2005 - an information security management standard.From the last edition, we have learned the introduction andbenefits of the standard and this issue, we are going to learn aboutsecurity threats, their impact, and how ISO27001:2005 can helpprotect us.

Information Security Treats of 2008ISO27001:2005 implementer and volunteer who have CISSPCertificate have listed the top information security threats of 2008,which includes



SOLUTION UPDATE

� Imposition of legal and regulatory obligations

��&��&�^��#�� /��&��'�)��'� Cyber criminal ��/��=��'0��'��';�� Malware, Trojans ��0�� Virus,Spyware, Trojan �� '. ��$��&��0�#��*��/�'�,�� Phishers ��/$��&"�*��&��;�� &��0�#��*�� Login �� /' ��0�#��*�� Login �� E-Banking� Spammers ��/$��&"�*��/&�� /��'��'��#��'�� 0!#��K,#��&��/�&0��/�/�#�'��/&��,)&��/$�� ,)&�� Negligent staff ��/$��&�',�&�'�� #��/+_��,��+_��,��&�&��M,�� Storms, Tornados, Floods - Acts of God

�*+��0��/$&��,&�� &�&��M,��/��9��+��!�� Hackers ��/$��&�$��#�#�� &�&��M,� ��&��%��#��*�� /$&��,&"�+� 0#�'��&�#/�&��

� Unethical employees who misuse/misconfigure

system security functions ��/$��&�',�&�'��#��J �(�&��&�'� ��*�0!#��/�%'(&9(&��,�M��+��!8,#��&�&��M,�� Unauthorized access, Modification, Disclosure

of information assets ��/��G��9(& ��*� �� +�!0+&��*��&�&��0!#��/�!��,��'$=�� Nations attacking critical information

infrastructures to cause disruption ��0��'� !,��*�� )'X�'��/��9��&�'�!��+�� Technical advances that can render

encryption algorithms obsolete ��/$��&"�*��*��9��&!��'��'��,)'�*&�'��9�/�'��*��,��!�

Information Security Impact

�%��,�"�� #��#��&�� !� �,� �� 9*��0��,��*�� '��K��&�&�� (Information SecurityImpact) ��/&�+:'!��'�/�&. �!�!,&'�)

� Disruption to organizational routines and

processes "�� /��!%�'�'G$��&�&��M,�� Direct financial losses through information

theft and fraud "�� &!��'��#�!��&��M,�9*��0�#��*��9*�V��0�&� Decrease in shareholder value "�� /��*��/��$'��&�&��M,�� Loss of privacy "�� /��+:'�/�'�,�� Reputation damage causing brand

devaluation "�� /��#&��'/��9��&�&��M,�� Loss of confidence in IT "�� /��,�'��&� ��'��K��&�&��M,�� Expenditure on information security asset

and data damaged, stolen, corrupted or lost

in incidents "�� !��'&�+� ��J�'��+5=��&��*��$��J�/�&. ��/'��*��#��# ��*��*=��#� ��/�&��!��$��J� Loss of competitive advantage "�� /��/&�,'��&G$��&�&��M,�� Reduced profitability "�� /�"�+� ��&��M,�

� Imposition of legal and regulatory obligations

- legal and financial fraud� Cyber criminal - someone who commits acrime on the Internet� Malware, Trojans - attacks from virus,spyware, Trojan and other malicious softwarethat control computers and steal personal data� Phishers - website developer group whouse a trick to get log-in account fromlegitimate users, such as stealing log-inaccount from e-banking system

� Spammers - self-serving marketers whoharass and sell stuff by sending e-mailsboth intentionally and randomly� Negligent staff - users who neglect tocomply with company policies� Storms, Tornados, Floods - Acts of God -attacks that may disrupt, damage anddestroy company services� Hackers - a group of people who try toattack to destroy information assets or gainsome financial benefits� Unethical employees who misuse/misconfigure

system security functions - employees whoare unethical and misuse/misconfiguresystem security functions as well as ignoringsecurity policies� Unauthorized access, Modification, Disclosure

of information assets - No authorization toaccess systems, modify data and discloseinformation assets� Nation attacking critical information

infrastructures to cause disruption - attacking

critical information of the Nation that maycause disruption to the infrastructure� Technical advances that can render

encryption algorithms obsolete - advancedtechnical subjects that can make encryptionalgorithms obsolete

Information Security Impact

Information security impacts are consequencesof security incidents and can be classifiedas follows:

� Disruption to organizational routines andprocesses� Direct financial losses through informationtheft and fraud� Decrease in shareholder value� Loss of privacy� Reputation damage causing branddevaluation� Loss of confidence in IT� Expenditure on information security asset



SOLUTION UPDATE

� Impaired growth due to inflexible infrastructure/

system/application environments �� Infrastructure,System, Application �� Injury or loss of life if safety-critical systems fail

�� !� "��#$%�� #�&��'��()#%��

�*��(��!'"��"�� (�+-��'.��#��'��()#%��!� ��/��0��'.��#��'��()#%��!��#�"�� ' ��1��!�#� ISO 27001:2005 ��/�� %��#��#��'��()#%�� 6�#��#�� 8��% ��'.��#��'��()#%��!��(��%�� (��%��1��!�#��)�%0�#��/�� ISO 27001:2005 ��/�� %��#��#��'��()#%�� 6�#-� '��(��%��0��-��(�"�(� ��-��#-��(��#�ISO 27001:2005 ��#� 8�� -��#-��(��#� ISO 27001:2005 ��/�� %��#��#��'��()#%�� 6

��8�#��9�-�� ;��9��#�"��1��%��(��#��"�#-�

ISO 27001:2005��$� ��'(�� 4'��'(��%��< (#��-

� Foreword �1�1� Introduction ��1� Scope �� /�� Normative References ��/�� ISO 27001:2005 0�� Terms and Defini t ions ��"��1�1�#(�� Information Security Management System

�#-��#(�1 ISMS� Management Review of the ISMS ��1�� ISMS� ISMS Improvement ��'�#�'�*��1�� ISMS �%��1 �� Annex A (Normative) - Control Objectives

and Controls �#*'��#��*� "��0��*�� Annex B (Informative) - OECD Principles

and This International Standard �=&>� OECD�#��/�� ISO 27001:2005� Annex C (Informative) - Correspondence

between ISO 9001:2000, ISO 14001:2004

and This International Standard ��(��#��/�� ISO 9001:200, ISO 14001:2004 �#��/�� ISO 27001:2005� Bibliography ��B��*��

and data damaged, stolen, corrupted or lostin incidents� Loss of competitive advantage� Reduced profitability� Impaired growth due to inflexible infrastructure/system/application environments� Injury or loss of life if safety-critical systems fail

At this stage, the security attacks and possibleimpacts have been raised, they are derivedfrom absence of information security orinformation security management standard.Further section, we will explore the informationsecurity management system standards orISO27001:2005 and letKs see how it canhelp us protect the information assets. Wehave begun with ISO27001:2005 standardcomponents earlier and provided some termsand definitions exercised in the standard. Formore and completed details of ISO27001:2005, please order through its website orauthorized distributors.

Information SecurityManagement SystemstandardISO27001:2005consists of the following component :

� Foreword� Introduction� Scope� Normative References� Terms and Definitions� Information Security Management System� Management Review of the ISMS� ISMS Improvement� Annex A (Normative) - Control Objectivesand Controls� Annex B (Informative) - OECD Principlesand This International Standard� Annex C (Informative) - Correspondencebetween ISO 9001:2000, ISO 14001:2004and This International Standard� Bibliography

Terms and DefinitionsTo understand ISO27001:2005 correctly,let me explain the terms and definitions thatare frequently used in the standard.

� Asset

In the context of ISO 27001 and ISO 27002,an asset is any tangible or intangible thingthat has value to an organization.

� Availability

It is significant to have information resourcein place. By saying that it means thatthe availability of information generatesbenefits to manage the assets. An assetshould be available and accessible atanytime when needed by an authorizedentity. On the standard practice of ISO 27001,asset term includes information, systems,facilities, networks and computers.



SOLUTION UPDATE

�)�)�� $��%0�� 6+�&��/�� ISO 27001:2005�(��%�� 0�8��"�� $!(8+��1�1�#(��#��$��%< �� (�"�

� Asset

0��1�X��%�1��#� ISO 27001 "�� ISO 27002�1�� Asset ��%�� #$%��#��(��#��(� ��!��&#�

� Availability

��$��0��0��!� 'Y��*B��#�$� 6&��1��0��'��%��#��#$%� ��#$%��$��0��8��8!� ��8+�"��0��*��X�0��(��*� �� 0��1�X��%�1��#� ISO 27001 ��#$%��*�8+� ��!�� 1��%��(�� % "�� $�� #$%��< ��$��0�� !��X�0��

� Confidentiality

��#�&��#��!� 'Y��*B��#�$� 6&��0��#��!� $��'.��#�"��*��

��#��!� ��%�� 10��"�0��!��8"�(�0�� ;�� 'Z(�'��'%#��*��X�[ ��#�&��#� ��8+�� 'Y��#�"��(1 ��

� Control

#��*� 'Y�"��1��#��!��*��!�� !(!"��(�� "��!(!"�(��>��%��0��0��*�� %� "�� 'Y�#�'.��#�"��#��#�� %�� (�+-�#��*� ��8+��X�'\��#� ��%��% ��X�(1 ��"�� %� "��%��% ��&#�

� Corrective Actions

'Y��#-��']^�� *��B�� (�+-� "��1��"��']̂ ��"��'�#�'�*�0��(��+-�

� Document

��!��%0��(1 ��X*�� 8 'Y� ��< ��*��(��0��0��(1 ��X*�� 1��#� ISMS �+-��%!�#��

9#�9�� (�� "��#�&B��(1 ��X*��"��

� Information Processing Facility

��%�� Information Processing Facility�� *�< �� 0��*�< ��$�-�/�� 8��1��%��(��0��1�� 1��%��(�� 'Y��(��#-��(1 ��8�� 'Y��(��#-��#��(�"��#��(�

� Information Security

��*��*��%�� %��#��'.��#�"��*��!� "�� 'Y��*��%�� %��#��'.��#�"��*��#�&��#� ��8!��8�� $��0��0�� 8��!�

�� 'Y� $�%��1�1�#(�� 0�_�#�� 1�� 0��%��1��<��0��0� ISO 27001:2005 �� #��0�� 3 �%��(��#�

� Confidentiality

When taken security concern into account,confidentiality is a key to apply on managingsensitive information. To protect and preservethe confidentiality, it means that we need toensure that it does not disclose to unauthorizedentities. In this context, entities combine bothprivacy and process.

� Controlling factor

A controller destines managing strategies andplan. In this scenario it can be an administrator,

a management, a technical advisor ormight even be a legal advisor who used tomanage risk. Controllers are safeguards orcountermeasures. Controlling index includesseveral concerns such as practices, policies,procedures, programs, techniques, technologies,guidelines, and organizational structures.

� Corrective Actions

Corrective actions are steps taken to addressexisting nonconformities and make improvements.

� Document

The document may not simply refer to onlywritten document as we are usually familiar.As such document can be any form or use ofany type of medium. The extent of your ISMSdocumentation will depend on the scope ofyour ISMS, the complexity of your securityrequirements, the size of your organization,and the type of activities in which the organiza-tion does.

� Information Processing Facility

An information processing facility is definedas system, service, or infrastructure, or physicallocation that provides fundamental support.A facility can be either an activity or a place,it can be either tangible or intangible.

� Information Security

Information security contains related informationsuch as protecting and preserving information.They will protect and preserve the confidentiality,integrity, authenticity, availability, and reliabilityof information.

Last but not least, as essential informationand definition have been provided on aboveparagraphs, I hope you gain useful informationof SO27001:2005 standard. The final part ofthe details on ISO27001:2005 can be foundin our next issue. See you next time!





SOLUTION UPDATE


Documents

BayNewsletter_4