Tools for data discovery and event logging

I need to step up security measures to be in compliance with HIPAA and other regulations. I need to be able to monitor and log activity on our network that may indicate a potential security breach. I also need to be able to scan for electronic patient health information (ePHI), which would be unencrypted file contents that contain such things as social security numbers, credit card information, date of birth, address, medical coding references, etc.
What can I use to do this?
Asked by maharlika
btan (Exec Consultant) commented:
Centrally have a correlation engine to alert upon anomalous activities, which include:
E.g. Potential symptoms of data leakage, exfiltration, perpetrator intrusion and insider threat use cases.
E.g. Sources of such symptoms come mainly from syslog and event logs coming from your sensors "planted" in
E.g. Client machines, server systems, web proxy, perimeter firewall, network IPS/IDS, host IDS/IPS, and even core routers and switches.
E.g. Types of log include NetFlow to better contextualise the various segment sources. They typically demarcate the network segments wrt functional roles, e.g. admin, finance, IT, security, DMZ.

The main focus is in scoping applicable entities "touching" personal health records or information (PHI) stores, PHI in transit and PHI in use. They are the target sources in scope for HIPAA compliance.
E.g. Spin-off eDiscovery is a good start to scavenge on top of your current inventory tracking (most used wrt CMDB), as there can be multiple project owners' systems interfacing to the central PHI store which also need to be included.
E.g. Target entry / exit points as sources to have sensors collect those logs as well.

Some tools for consideration:
e.g. Try out this test sample http://www.identityfinder.com/kb/Getting-Started/110845
I was also thinking that besides positive testing, the coverage gauge should have the test set cover the below "variety":
- formatted SSN (in the form NNN-NN-NNNN, where N is any number from 0-9)
- unformatted SSN (in the form NNNNNNNNN, where N is any number from 0-9, simply removing the '-')
- invalid SSN (in the form of faked SSNs and invalid sequences like 123-45-6789, or full sections containing all 0s)
- proximity matches such as a leading or trailing value (SSN, SS#, etc.)
@ http://www.experts-exchange.com/Security/Misc/Q_28649151.html

Side track: I see incident handling is key as well, and asking savvy questions as part of the discovery of the overall strategy
@ http://www.experts-exchange.com/Security/Digital_Forensics/A_15659-Ask-Cyber-Savvy-Question-s-There-are-many-ways-to-skin-a-cat.html
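The test-set "variety" listed in the answer above (formatted, unformatted, invalid and proximity-labelled SSNs) maps directly onto how a discovery scanner should classify candidates. The following is an added example, not code from the original thread or from Identity Finder: it scans text for both SSN shapes, rejects candidates that fail the SSA structural rules (area 000, 666 or 900-999, group 00, serial 0000) or match a well-known placeholder such as the 123-45-6789 from the answer, and raises confidence when a label like "SSN" or "SS#" sits within a few characters. The sample record, the 20-character proximity window and the placeholder list are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Candidate shapes from the answer: NNN-NN-NNNN and a bare 9-digit run.
FORMATTED_SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
UNFORMATTED_SSN = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")

# Proximity labels; lookarounds instead of \b so "SS#" still matches before a space.
SSN_LABEL = re.compile(r"(?<![A-Za-z])(ssn|ss#|social security)(?![A-Za-z])", re.IGNORECASE)
PROXIMITY_WINDOW = 20  # assumed: characters before/after the number to search for a label

# Placeholders that are never real SSNs: the answer's example plus the
# widely published "Woolworth wallet" number. Extend to taste.
KNOWN_FAKE = {"123456789", "078051120"}

@dataclass
class Hit:
    value: str      # text as matched in the document
    offset: int     # character offset of the match
    formatted: bool # NNN-NN-NNNN (True) or bare digits (False)
    valid: bool     # passes the SSA structural rules and is not a known placeholder
    labelled: bool  # an SSN label appears within PROXIMITY_WINDOW characters

def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return (area + group + serial) not in KNOWN_FAKE

def scan_text(text: str) -> list:
    """Return every SSN-shaped candidate in text with validity and proximity flags."""
    hits = []
    for pattern, formatted in ((FORMATTED_SSN, True), (UNFORMATTED_SSN, False)):
        for m in pattern.finditer(text):
            area, group, serial = m.groups()
            before = text[max(0, m.start() - PROXIMITY_WINDOW):m.start()]
            after = text[m.end():m.end() + PROXIMITY_WINDOW]
            labelled = bool(SSN_LABEL.search(before) or SSN_LABEL.search(after))
            hits.append(Hit(m.group(0), m.start(), formatted,
                            is_valid_ssn(area, group, serial), labelled))
    return hits

def summarize(hits: list) -> dict:
    """Bucket hits the way a reviewer would triage them."""
    summary = {"high": 0, "low": 0, "rejected": 0}
    for h in hits:
        if not h.valid:
            summary["rejected"] += 1      # fails structural rules or known fake
        elif h.labelled:
            summary["high"] += 1          # valid and labelled: very likely ePHI
        else:
            summary["low"] += 1           # valid shape, no label: needs a human look
    return summary

# Constructed sample record (fictional data) covering all four varieties.
SAMPLE = (
    "Patient: Jane Example, SSN 219-33-4455, DOB 1970-01-01\n"
    "Ref# 456781234 (internal id)\n"
    "Test record SS# 123-45-6789 should be ignored\n"
    "Invoice 000-12-3456\n"
)

if __name__ == "__main__":
    for h in scan_text(SAMPLE):
        print(h)
    print(summarize(scan_text(SAMPLE)))
```

Run against a real file share the scanner would walk directories and decode each file, but the classification step is the part the answer's test set exercises: the unlabelled bare-digit hit ends up in the "low" bucket rather than being dropped, which is the trade-off between false positives and missed ePHI that the coverage gauge is meant to measure.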

giltjr commented:
You can use Splunk for log collection and event correlation. You can also configure it to look for specific events/log messages and then send alerts (SNMP traps or e-mails).
btan (Exec Consultant) commented:
Splunk free text search and speed to scale out in search engine is indeed handy. Besides technology, a process should likely be in place to ensure data integrity and, at times, to make it admissible as evidence. Consider minimally:
- Perform a daily log review process, including keyword search with metadata to streamline the search space,
- Explore a network forensic system to intercept raw packets to augment log monitoring,
- Account for all included enterprise systems and access rights of accounts, esp. privileged users, and ensure their associated audit trails are enabled (ensure the format is supported by the backend),
- Perform a regime for on-going audit of mandated procedures, esp. in transfer of evidence and proper seizure,
- Govern and watch over the proper transfer of digital evidence during a seizure.
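The two answers above describe the correlation side: collect syslog from several sensors, look for specific event patterns, and alert. The following is an added example, not code from the original thread or from Splunk: a small correlator that reads constructed syslog-style lines from an authentication server and a web proxy and raises two kinds of alert, a successful login preceded by a burst of failures from the same source, and a large outbound transfer, which is rated higher when the source was already flagged. The log lines, hostnames, thresholds and window are all constructed assumptions for the demonstration; a real deployment would tune them per segment, as the first answer suggests.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog style (fictional hosts and addresses).
SAMPLE_LOGS = """\
2024-03-01T08:00:01 authsrv sshd[101]: Failed password for admin from 10.0.5.23 port 50211
2024-03-01T08:00:03 authsrv sshd[101]: Failed password for admin from 10.0.5.23 port 50212
2024-03-01T08:00:04 authsrv sshd[101]: Failed password for admin from 10.0.5.23 port 50213
2024-03-01T08:00:05 authsrv sshd[101]: Failed password for admin from 10.0.5.23 port 50214
2024-03-01T08:00:07 authsrv sshd[101]: Failed password for admin from 10.0.5.23 port 50215
2024-03-01T08:00:09 authsrv sshd[101]: Accepted password for admin from 10.0.5.23 port 50216
2024-03-01T08:15:00 proxy squid[77]: 10.0.5.23 CONNECT files.example.invalid:443 bytes_out=734003200
2024-03-01T09:00:00 authsrv sshd[101]: Failed password for nurse1 from 10.0.7.8 port 41000
2024-03-01T09:00:30 authsrv sshd[101]: Accepted password for nurse1 from 10.0.7.8 port 41001
2024-03-01T09:10:00 proxy squid[77]: 10.0.7.8 GET www.example.invalid:80 bytes_out=2048
"""

# Parsers for the two sensor formats used in the sample.
AUTH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
PROXY_RE = re.compile(r"^(\S+) \S+ squid\[\d+\]: (\S+) \S+ \S+ bytes_out=(\d+)")

# Assumed tuning values; adjust per network segment.
FAIL_THRESHOLD = 5                    # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)    # how far back failures count
EXFIL_BYTES = 100 * 1024 * 1024       # outbound volume worth an alert

def correlate(log_text: str) -> list:
    """Walk the lines in order and return a list of alert dicts."""
    failures = defaultdict(list)   # source address -> timestamps of recent failures
    flagged = set()                # sources with a brute-force alert already raised
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            outcome, user, src = m.group(2), m.group(3), m.group(4)
            if outcome == "Failed":
                failures[src].append(ts)
                continue
            # A success: count the failures from this source inside the window.
            recent = [t for t in failures[src] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_success", "src": src,
                               "user": user, "failures": len(recent), "at": ts})
                flagged.add(src)
            failures[src].clear()
            continue
        m = PROXY_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            src, nbytes = m.group(2), int(m.group(3))
            if nbytes >= EXFIL_BYTES:
                # Context from the auth sensor raises the severity.
                severity = "high" if src in flagged else "medium"
                alerts.append({"rule": "large_outbound_transfer", "src": src,
                               "bytes": nbytes, "severity": severity, "at": ts})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The point of keeping both sensors in one pass is the second alert: a 700 MB upload on its own is "medium" and easy to dismiss, but from a host that just survived a password-guessing run it is the exfiltration symptom the first answer lists, and the daily review should see it as one story rather than two unrelated lines.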
madunix commented:
I do Splunk for logs and data correlation, Splunk http://www.splunk.com/ ; you could also check
http://www.sawmill.net/
Question has a verified solution.