HP Integrity rx1620 Server 1.30 GHz HP-UX Developers Bundle AB430A#006 Brochure

Why manage more event data? 
Some companies are already experiencing a need to store and manage greater volumes of event 
data. Other companies do not have or are not yet aware of this need. For those who believe they do 
not have a need to manage large volumes of event data, this section will either help confirm that 
conclusion, or change that perception. 
The following are the main drivers for increasing volumes of event data. 
Increased sophistication of external security threats 
As companies enhance their ability to prevent and detect external threats, those posing the threats 
also get more sophisticated. External threats are increasing in complexity and duration. The 
time for completion of a successful attack has extended from hours, to days, to weeks, and in some 
cases to months. The ability to detect such threats is directly limited by the time range represented by 
the event data available for analysis. To keep pace with the ever-increasing time range of attacks, 
security managers must have access to greater volumes of event data encapsulating the greater 
periods of time required for an attack to unfold. 
Increased sophistication of internal security threats 
Internal security threats are often more serious and costly versions of external threats. The person 
orchestrating an internal attack has more information, some authorization at access points, more 
awareness of the value of corporate assets, more knowledge of IT infrastructure and, most importantly, 
more time. Historically, security management has been mostly focused on external threats, even 
though the greatest financial and legal risks come from inside! To detect internal threats, one has to 
analyze event data over a longer period, and that analysis must include both authorized and 
unauthorized access events. Access to event data is crucial for any company hoping to strengthen its 
ability to manage internal security threats. 
Compliance with government regulations 
To comply with government regulations, companies face legal mandates regarding the quantity and 
quality of event data that must be captured, stored, and made accessible. This relationship between 
compliance and event data results in increased needs for event data accessibility and storage.  
Some of those needs are: 
•  There must be no time gaps in event data. 
•  Event data for all related assets must be available. 
•  All original event data must be available, which means there should be no filtering, interpretation, 
or aggregation. 
•  A chain-of-custody for event data must be shown. 
Event data can be considered forensic evidence for some future criminal action. Any missing or 
filtered event data will be considered contaminated evidence. It would render the entire set of 
available event data both suspicious and inadmissible. Compliance legislation such as the 
Sarbanes-Oxley and Gramm-Leach-Bliley acts affects all corporations. Other compliance laws such as HIPAA, 
FFIEC, FISMA, NISPOM, DCID, and VISA CISP affect specific vertical industries. The scope of 
compliance varies from business to business, but all companies are required to comply with some 
level of regulation. Many government compliance mandates are beginning to require enterprises to 
store and analyze greater volumes of event data over long periods of time. 