Security and Compliance Synergies with DLP, SIEM, and IAM

Data Loss Prevention (DLP) is a technology that keeps an inventory of data on organizational devices, tracks when that data moves, and applies rule sets to prevent it from moving to unauthorized locations such as a thumb drive, a cloud server, or an email recipient outside the company. DLP can significantly help organizations understand and control the data that is used, stored, and transmitted, and it is seeing increasing use by internal compliance groups as they try to meet strict regulatory requirements.

Another technology, Security Information and Event Management (SIEM), collects and analyzes data in real time from multiple sources, including server logs, network devices, firewalls, and intrusion detection systems. It then correlates that information to identify relevant patterns and alert on high-priority events or event sequences. SIEM systems retain the data separately from the collection source so that it is protected from tampering, deletion, or corruption. They also summarize the data in dashboards for easy reporting and analysis.

The third technology, Identity and Access Management (IAM), allows an organization to manage credentials across the enterprise, including across a diverse set of equipment and devices. IAM manages information about users, what they are authorized to access, and the actions they are authorized to perform.

The combination of SIEM, DLP, and IAM can improve the security and compliance of a corporation. Taken together, they make data flow within an organization transparent, affording the business more control over its information and leaving less room to misuse it.

What are SIEM, DLP, and IAM?

As stated earlier, DLP is a conscious effort to prevent the loss of data to undesirable individuals, groups, or circumstances. DLP systems determine which pieces of information are more important than others, producing a prioritized list. DLP is a comprehensive set of methodologies and technologies that can examine information across departments, which works better than localized, isolated searches. SIEM is technology that takes in and interprets information coming from network security devices and server logs, allowing greater visibility into the use, transmission, and storage of data. SIEM lets a company consolidate security information from many different areas so that the organization can better understand and prioritize how to protect its data. IAM allows the activity logs from heterogeneous devices to be tied to the identity of an individual for better auditing and intelligence.

Protecting the company’s data is a primary responsibility of information security. With the increased complexity and interoperability of systems, this task becomes much more challenging, especially on a localized basis. With the help of DLP, the job of protecting information becomes much clearer. Using SIEM in conjunction with DLP and IAM can further ease the task of the information security department in protecting organizational data, preventing breaches, and meeting regulatory requirements, by restricting data from being exfiltrated and ensuring that authorized use is monitored and audited.

The correlation between real threats in real time and how and where the most sensitive pieces of information are stored and handled falls squarely within the realm of SIEM, DLP, and IAM. Furthermore, by combining SIEM, DLP, and IAM, a company can see its security in one program rather than several, making the process more efficient. Efficiency is an essential part of making a good business great, and the same holds for protecting documents. SIEM can be tuned to focus on where the data is found, helping the DLP team protect the information at the source, in transit, and at its destination. In addition, SIEM can refine the way DLP identifies sensitive information and alert DLP to new resources and new threats to organizational information.

Combining these three methods of protection, SIEM, DLP, and IAM, gives the organization more insight into where additional security controls should be placed and allows for faster incident response. This combination of insight and coordination allows for a more efficient strategy against potential threats. DLP can prevent users from abusing the system, whether maliciously or accidentally, by allowing only authorized accounts to access certain documents, as well as informing the company when those documents have been retrieved. Simultaneously, SIEM sharpens controls by monitoring the retrieval of the information, making retrieval alerts as streamlined, efficient, and quick as possible. Together these technologies provide what information security offices need: visibility and control.

Internal Threats

Companies sometimes have information but cannot act on it because it is buried in a server log or a database. For example, in 2008 Verizon Business had breach information on 82% of cases but was unable to use it. SIEM, DLP, and IAM could have enabled Verizon to better understand and prevent these breaches.

The reality is that employees often change positions. Without proper employee termination procedures and security controls, terminated employees could transfer customer documents or steal intellectual property and other sensitive information. The use of SIEM, DLP, and IAM provides real-time information on data access and can flag inappropriate or out-of-the-norm activity.
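As an added example (it is not code from the article or from JURINNOV), the following Python sketch shows how a SIEM-style correlation could combine DLP movement events with an IAM directory to produce prioritized alerts. It covers both the earlier point that DLP's prioritized data list plus IAM identity gives visibility and control, and the terminated-employee case in this section: a movement of non-public data to an unauthorized destination raises an alert weighted by the data's classification, a terminated or unauthorized identity escalates it, and several flagged movements by one identity inside a short window escalate further. The identities, classifications, destinations, thresholds, log format and log lines are all constructed assumptions.

```python
"""Toy SIEM-style correlation of DLP movement events with an IAM directory.
Added illustration; all identities, rules, thresholds and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IAM directory: identity -> account status and the data
# classifications that identity is authorized to handle.
IAM_DIRECTORY = {
    "alice": {"status": "active", "authorized": {"public", "internal", "confidential"}},
    "bob": {"status": "active", "authorized": {"public", "internal"}},
    "carol": {"status": "terminated", "authorized": set()},
}

# Constructed DLP rule set: destinations that non-public data must not reach.
UNAUTHORIZED_DESTINATIONS = {"usb", "personal_email", "public_cloud"}

# Base priority comes from the DLP classification of the data involved,
# which is how the "prioritized list" of data is expressed here.
CLASSIFICATION_PRIORITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed DLP event log, one data movement per line:
# timestamp|user|action|classification|destination
DLP_LOG = """\
2024-03-01T09:00:00|alice|copy|internal|file_share
2024-03-01T09:05:00|bob|email|confidential|personal_email
2024-03-01T09:06:00|bob|copy|confidential|usb
2024-03-01T09:07:00|bob|copy|restricted|usb
2024-03-01T10:00:00|carol|copy|internal|usb
2024-03-01T11:00:00|alice|copy|public|public_cloud
"""


def parse_dlp_log(text):
    """Parse the pipe-separated DLP log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, classification, destination = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                       "classification": classification, "destination": destination})
    return events


def correlate(events, directory, window=timedelta(minutes=10), burst_threshold=3):
    """Apply the IAM and DLP rules to each event, then a sequence rule across events.
    Returns alerts sorted highest priority first."""
    alerts = []
    flagged_times = defaultdict(list)
    for ev in events:
        identity = directory.get(ev["user"])
        priority = CLASSIFICATION_PRIORITY[ev["classification"]]
        reasons = []
        # IAM rules: the identity must exist, be active, and be authorized for the data.
        if identity is None:
            reasons.append("unknown identity")
            priority += 2
        elif identity["status"] != "active":
            reasons.append(f"account {identity['status']}")
            priority += 3
        elif ev["classification"] not in identity["authorized"]:
            reasons.append("not authorized for classification")
            priority += 2
        # DLP rule: non-public data must not move to an unauthorized destination.
        if ev["destination"] in UNAUTHORIZED_DESTINATIONS and ev["classification"] != "public":
            reasons.append(f"sensitive data to {ev['destination']}")
            priority += 1
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "priority": priority, "reasons": reasons})
            flagged_times[ev["user"]].append(ev["ts"])
    # SIEM sequence rule: several flagged movements by one identity inside the
    # window escalate above any single event.
    for user, times in flagged_times.items():
        times.sort()
        for start in times:
            burst = [t for t in times if start <= t < start + window]
            if len(burst) >= burst_threshold:
                alerts.append({"ts": start, "user": user, "priority": 7,
                               "reasons": [f"{len(burst)} flagged movements within {window}"]})
                break
    alerts.sort(key=lambda a: (-a["priority"], a["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_dlp_log(DLP_LOG), IAM_DIRECTORY):
        print(alert["ts"], alert["user"], alert["priority"], "; ".join(alert["reasons"]))
```

With the constructed log, alice's movements produce nothing (she is authorized and the one unauthorized destination only receives public data), carol's copy is flagged because her account is terminated, and bob's three movements in seven minutes each alert individually and then trigger the sequence rule, which tops the list. In a real deployment the directory lookup would come from the IAM system and the events from the DLP agent, with the SIEM holding the retained copy of both.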

External Threats

Take a company that deals with the regular transfer of credit card information and is compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS compliance can help protect the organization and mitigate a variety of attacks, but DLP and SIEM can give the organization knowledge of where attacks might be focused. Fingerprinting and other preliminary external probing can herald the onset of a larger attack, and SIEM, DLP, and IAM would highlight this activity so that the organization could respond and protect itself and its data.
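To make the point about preliminary probing concrete, here is an added Python example (not from the article or from JURINNOV) of a SIEM correlation rule run over constructed firewall log lines: it flags a source that reaches many distinct ports on one host within a short window and rates the finding higher when that host sits in the subnet assumed to hold cardholder-data systems. The subnet, addresses, log format, window and port threshold are all assumptions.

```python
"""Toy SIEM rule that surfaces probing of a host across many ports in firewall logs.
Added illustration; the subnet, log format and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed assumption: the subnet holding systems that process cardholder data.
CDE_NETWORK = ipaddress.ip_network("10.20.0.0/24")

# Constructed firewall log, one connection attempt per line; both allowed and
# denied attempts count, since probing is about breadth, not outcome.
# timestamp|action|src_ip|dst_ip|dst_port
FIREWALL_LOG = """\
2024-03-01T02:00:00|deny|198.51.100.7|10.20.0.5|21
2024-03-01T02:00:01|deny|198.51.100.7|10.20.0.5|22
2024-03-01T02:00:01|deny|198.51.100.7|10.20.0.5|23
2024-03-01T02:00:02|deny|198.51.100.7|10.20.0.5|25
2024-03-01T02:00:02|deny|198.51.100.7|10.20.0.5|80
2024-03-01T02:00:03|allow|198.51.100.7|10.20.0.5|443
2024-03-01T02:00:03|deny|198.51.100.7|10.20.0.5|3389
2024-03-01T02:10:00|allow|203.0.113.9|10.30.0.8|443
2024-03-01T02:10:05|allow|203.0.113.9|10.30.0.8|443
2024-03-01T03:00:00|deny|192.0.2.44|10.30.0.9|22
2024-03-01T03:00:30|deny|192.0.2.44|10.30.0.9|80
2024-03-01T03:00:45|deny|192.0.2.44|10.30.0.9|8080
2024-03-01T03:00:50|deny|192.0.2.44|10.30.0.9|8443
2024-03-01T03:00:55|deny|192.0.2.44|10.30.0.9|445
2024-03-01T03:00:59|deny|192.0.2.44|10.30.0.9|3306
"""


def parse_firewall_log(text):
    """Parse the pipe-separated firewall log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, port = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "action": action,
                       "src": src, "dst": dst, "port": int(port)})
    return events


def detect_probing(events, window=timedelta(seconds=60), port_threshold=5):
    """Flag a source that reaches port_threshold distinct ports on one host within window.
    Findings against the cardholder data environment are rated higher."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)
    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event and count distinct ports inside it.
        for i, start in enumerate(evs):
            ports = {e["port"] for e in evs[i:] if e["ts"] < start["ts"] + window}
            if len(ports) >= port_threshold:
                in_cde = ipaddress.ip_address(dst) in CDE_NETWORK
                findings.append({"src": src, "dst": dst, "first_seen": start["ts"],
                                 "ports": sorted(ports),
                                 "severity": "high" if in_cde else "medium"})
                break  # one finding per source/destination pair is enough
    findings.sort(key=lambda f: (f["severity"] != "high", f["first_seen"]))
    return findings


if __name__ == "__main__":
    for finding in detect_probing(parse_firewall_log(FIREWALL_LOG)):
        print(finding["severity"], finding["src"], "->", finding["dst"], finding["ports"])
```

The repeated 443 connections from 203.0.113.9 produce nothing because the rule counts distinct ports, not volume, while the two sources that sweep across services are reported, with the one aimed at the constructed cardholder-data subnet listed first. A production SIEM would also enrich each finding with asset and identity context before it reaches an analyst.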

SIEM, DLP, and IAM in a distributed mobile world

SIEM, DLP, and IAM are particularly valuable to organizations that are increasingly mobile. More and more workers access corporate data from mobile devices, the cloud, or machines connected to a VPN, and BYOD is prevalent in many organizations. It is important to tie this activity back to a unique identity and to track patterns across devices and organizational boundaries. Protecting information was already difficult when it was limited to one network and a few select locations, but that time is well in the past. New facets of current employment widen the gap that information security needs to cover. With the help of DLP, threats can be prioritized according to the importance of the data involved, and with SIEM, data transfer and storage can be made transparent, easing the burden on the information technology and security departments in protecting a larger set of assets.

The use of SIEM, DLP, and IAM can significantly enhance the capabilities of information security departments. SIEM makes the access, transfer, and reception of data within the company more apparent and can further improve DLP initiatives in protecting and controlling data within the organization. Using SIEM, DLP, and IAM together streamlines the process of protecting vital information and makes the company more efficient.

This article is sponsored by JURINNOV, a TCDI company specializing in cybersecurity and computer forensic consulting services.


16 thoughts on “Security and Compliance Synergies with DLP, SIEM, and IAM”

    • You will find that many of the solutions out there are hybrid solutions that take from many different concepts. A solution could be labeled SIEM and provide some DLP elements too. You may also see an IDS (Intrusion Detection System)/IPS (Intrusion Prevention System) with some features too. The two technologies are closely aligned and I think you will get the best value when you implement a solution that combines the control of DLP and the awareness of SIEM.

    • Hugh,

      These solutions can be quite expensive if implemented entirely in-house. You might consider a managed security solution. Feel free to contact us and we can help you plan a solution that is the right size for your business. There are also some open source tools that we are familiar with. You could consider deploying them in your organization and then have an outside firm like JurInnov manage the solution for you. It all depends on your data security needs.

    • Batanarge,

      Companies that want to better control sensitive data would benefit from DLP and companies that want to better understand what is going on in their information systems would want SIEM. There are a variety of solutions around that can be implemented to help meet these goals.

  1. There is of course another side to this: without a SIEM (or at least a good log solution) it’s nearly impossible to handle specific network security queries from management. So even a SIEM that isn’t doing much can save time and help an overworked security professional.
