Protecting data with WORM drives

Many large and mid-sized firms need to protect audit and legal data. Greg Machler makes the case for why WORM drives can solve many problems

There is an enormous amount of administrative data being collected in audits each day at large companies across the world. Administrators have the power to steal PCI and other profitable data and cover their tracks. This is more difficult, however, at companies that implement a strict separation of duties for administrators.

Generally, only large companies with significant financial risks implement separation of duties well. What can be done to help mid-sized corporations worldwide prevent tampering with audit data from applications and their supporting infrastructure?

Many small and mid-sized firms cannot afford an appropriate separation of duties between administrators. These businesses haven't deployed extensive SIEM (Security Information and Event Management) technology. I've seen ArcSight, a SIEM product, deployed at a national retailer. It required a large number of connectors to properly collect all security-related data from the various IT systems. The SIEM hierarchy is a security fault tree: it is complex and hard to configure well. So some companies are instead deploying 'Big Data' techniques to analyze logging data.


It is becoming commonplace to log all administrative functions related to applications and on all data center infrastructure equipment that supports those applications. This includes successful and failed logins, changes to account privileges, authorization attempts, application administration and configuration changes. Imagine firewalls, load balancers, virtual machines, network bandwidth allocation, database servers, storage subsystems, and LDAP servers all saving log data. Unauthorized and untracked changes can cripple a datacenter, leading to a loss of tens of thousands to millions of dollars; lead to theft of credit card numbers, causing customer losses; and damage the corporation's reputation, leading to future business loss.

WORM (Write Once Read Many) technology exists on CDs today. If a person wants to permanently protect images or data, they can write to a WORM CD. What about disk drives? The potential administrative problems SMBs have cry out for WORM disk drives. Due to the lack of technology and process oversight, it is much easier for administrators in these SMBs to take advantage of retail PCI data or healthcare HIPAA data. WORM drives would keep log data protected so that a corrupt administrator cannot erase the evidence he or she creates while doing illegal activities.

Another market for WORM drives is the e-discovery field. E-discovery begins when a lawsuit is filed against a corporation. The data investigation firm collects multiple terabytes of data from the company as evidence, which is then sifted through to determine what data is relevant to the lawsuit. This is also a "Big Data" problem; sifting through email, pictures, and other documents to find the appropriate data is a chore. The use of WORM drives is obvious: copy all of the data handed over to the data investigation firm onto WORM drives and one can be assured that nothing is changed after that point.

How would WORM drives be presented to various applications? WORM-aware logging and e-discovery applications would use WORM drives housed in SAN and/or NAS configurations from companies like EMC, Dell, and/or HP. Why use a WORM drive when some auditing applications already protect some of the audit data at rest? It is always better to enforce something in hardware (as long as it is inexpensive) than in software, because when the software is not running the audit data can be tampered with. No amount of administrative effort can change the contents of a WORM drive, except via physical destruction of the drive.

Protecting data with WORM drives makes sense. Small and medium-sized businesses cannot afford the technology, or easily enforce the separation of duties, that would make WORM drives unnecessary. Like encrypted drives, WORM drives enforce their strengths at the lowest hardware level, the drive. WORM drives serve the logging, e-discovery and other "Big Data" markets. Deploying WORM drives in EMC, Dell, HP or similar storage subsystems will require applications that are WORM-aware. Those applications know that the drives are write-once and do not attempt another write to the same drive location. WORM drives permanently protect administrative data that is never to be altered again.
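The two properties the article relies on, that the drive refuses any second write to a location and that a WORM-aware logger therefore only ever appends, can be shown in a small model. The following is an added example, not code from the article or from any storage vendor: `WriteOnceDrive` is a constructed in-memory stand-in for the drive's write-once rule (a real WORM subsystem enforces this in firmware), `WormAwareLogger` is a hypothetical audit logger that writes the administrative events listed above (logins, privilege changes, configuration changes) one record per block and resumes after the last written block on restart, and `attempt_overwrite` shows what happens when something later tries to rewrite a block already holding a record.

```python
"""Model of a write-once drive and a WORM-aware audit logger (added example).

The drive class is a constructed stand-in, not a vendor API: it only exists so
the write-once behaviour can be exercised offline.
"""
import json
from typing import Dict, List, Optional


class WriteOnceError(Exception):
    """Raised when a caller tries to rewrite a block that already holds data."""


class WriteOnceDrive:
    """In-memory stand-in for a WORM drive: each block may be written exactly once.

    No method on this object (and, on real hardware, no administrative
    operation) changes or deletes a block once it has been written.
    """

    def __init__(self, block_size: int = 256, blocks: int = 1024) -> None:
        self.block_size = block_size
        self.capacity = blocks
        self._blocks: Dict[int, bytes] = {}

    def write_block(self, index: int, data: bytes) -> None:
        if not 0 <= index < self.capacity:
            raise IndexError(f"block {index} is outside the drive")
        if len(data) > self.block_size:
            raise ValueError("record does not fit in one block")
        if index in self._blocks:
            # The defining WORM property: a second write to a location fails.
            raise WriteOnceError(f"block {index} has already been written")
        self._blocks[index] = data

    def read_block(self, index: int) -> Optional[bytes]:
        return self._blocks.get(index)

    def written_blocks(self) -> List[int]:
        return sorted(self._blocks)


class WormAwareLogger:
    """Append-only audit logger that never targets an already-written block.

    It keeps a cursor for the next free block, so it satisfies the requirement
    that a WORM-aware application never attempts another write to a location
    that already holds data.
    """

    def __init__(self, drive: WriteOnceDrive) -> None:
        self.drive = drive
        used = drive.written_blocks()
        # On restart, resume after the last record instead of starting at 0.
        self.cursor = used[-1] + 1 if used else 0

    def log(self, ts: float, actor: str, action: str, target: str, ok: bool) -> int:
        """Write one audit record and return the block index it landed in."""
        record = {"ts": ts, "actor": actor, "action": action, "target": target, "ok": ok}
        data = json.dumps(record, separators=(",", ":")).encode()
        index = self.cursor
        self.drive.write_block(index, data)
        self.cursor += 1
        return index

    def records(self) -> List[dict]:
        """Read every record back from the drive in write order."""
        return [json.loads(self.drive.read_block(i)) for i in self.drive.written_blocks()]


def attempt_overwrite(drive: WriteOnceDrive, index: int, data: bytes) -> bool:
    """Try to replace a block's contents; return True only if the drive allowed it."""
    try:
        drive.write_block(index, data)
        return True
    except WriteOnceError:
        return False


if __name__ == "__main__":
    # Constructed sample events, not real log data.
    drive = WriteOnceDrive()
    audit = WormAwareLogger(drive)
    audit.log(1.0, "dba1", "GRANT", "db.cardholder", True)
    audit.log(2.0, "dba1", "login", "ldap", False)
    audit.log(3.0, "netadm", "config-change", "fw-edge-1", True)
    print("records on drive:", len(audit.records()))
    # An attempt to "clean up" the GRANT record is refused by the drive itself.
    print("overwrite of block 0 allowed:", attempt_overwrite(drive, 0, b"{}"))
```

The interesting case is the last line: the logger code is not what prevents the cover-up, the drive is. That is the article's argument for enforcing the property in hardware rather than in the auditing application, which only protects the data while it is running.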

Gregory Machler is an information security architect and cloud security expert and a frequent contributor to CSOonline.
