It’s no surprise that, with the growth of customer networks and the inter-connectivity of the “Internet of Things (IoT)”, our customers have been busy adding to and building out their infrastructures to support this growth. In many cases our partners are being called upon not only to conduct the work associated with building out these environments, but also to expand their skills into my favorite area of interest – Security.
We all know that, like a diamond, “security” has many facets. I want to take just a couple of minutes to highlight one particular area that customers have been asking our partners to help them address – the “noise pollution” that comes from all the devices, people, applications, etc. that make up their ever-increasing and complex business computing environment.
One of the “perks” of my job is that I am frequently involved in partner and customer security discussions, and lately the topic has been helping the customer figure out which events and incidents require attention versus all of the noise. In many of the discussions the problem statement is that even though their business computing environment has grown by X %, they have not seen similar growth in the people OR the tools to help manage that growth. Another discussion point has been that the industry as a whole has seen events and incidents go unrecognized and unremediated.
With that as the problem statement, how can we help? Many of us will pop right up and say – “Well, you need a SIEM.” And in most cases you would be right. The implementation of some type of Security Intelligence should help identify what’s important, which would hopefully lead to remediation. But as the Public Service Announcement (PSA) from the Peacock Network says – “The More You Know”. It’s much the same with Security Intelligence.
To help with the “More You Know”, I will point out that in the Security Intelligence arena it isn’t one-size-fits-all – it is more a matter of “Basic”, “Proficient” and “Optimized”. Now I didn’t just pull these out of thin air – I guess we could have used “Good”, “Better” and “Best” – or one of the others. I use the Basic, Proficient and Optimized labels because they are part of a framework used by many in the industry to outline the progression of capabilities for a topic – in this case Security Intelligence.
As we look closer at the Security Intelligence domain, let’s briefly dive into these areas. Under the area of Basic controls is the capability of Log Management. As an industry we consider this capability table stakes for Security Intelligence; however, it doesn’t provide a whole lot of intelligence. In many cases this capability has led to the noise pollution that many of our customers are experiencing. The collection and massaging of all these log files and event correlation still doesn’t help with identifying what’s important. The next step in Security Intelligence is the Proficient area, where all the logs and events for the environment are managed through the Security Information and Event Management (SIEM) tool, which adds the capabilities of “Embedded Intelligence.” This intelligence is implemented via automated data collection, asset discovery and profiling (where is the data), automated real-time analytics, massive data reduction (what’s important), activity baselining and anomaly detection (what’s “normal” for your environment), and out-of-the-box rules and templates.
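As an added illustration (not from the original post or from any vendor’s product) of the data reduction and activity baselining steps described above, the Python below collapses a stream of constructed events into counted summary rows and flags a count that departs from its own history. The host names, event types and volumes are made up for the example.

```python
# Toy model of two SIEM "embedded intelligence" steps: data reduction
# (collapse repeated events into counted summaries) and activity baselining
# with anomaly detection. All hosts, event types and counts are constructed.
from collections import Counter, defaultdict
from statistics import mean, pstdev


def build_sample_events():
    """Constructed (minute, host, event_type) tuples: web01 logs ~10 auth
    failures a minute then spikes to 60 in minute 5; db01 stays flat."""
    events = []
    for minute in range(6):
        events += [(minute, "web01", "auth_fail")] * (10 if minute < 5 else 60)
        events += [(minute, "db01", "auth_fail")] * 2
        events.append((minute, "db01", "login_ok"))
    return events


def reduce_events(events):
    """Data reduction: one counted row per (minute, host, event_type)."""
    return Counter(events)


def baseline_and_flag(summary, current_minute, k=3.0, min_stdev=1.0):
    """Baseline each (host, event_type) on minutes before current_minute and
    flag the current count if it exceeds mean + k * stdev. The stdev floor
    stops a perfectly flat history from flagging a +1 wobble."""
    history, current = defaultdict(list), {}
    for (minute, host, etype), count in summary.items():
        if minute < current_minute:
            history[(host, etype)].append(count)
        elif minute == current_minute:
            current[(host, etype)] = count
    anomalies = {}
    for key, observed in current.items():
        hist = history.get(key, [0])  # never seen before: baseline is zero
        mu, sigma = mean(hist), max(pstdev(hist), min_stdev)
        z = (observed - mu) / sigma
        if z > k:
            anomalies[key] = {"baseline_mean": mu, "observed": observed, "zscore": z}
    return anomalies


if __name__ == "__main__":
    raw = build_sample_events()
    summary = reduce_events(raw)
    print(f"{len(raw)} raw events reduced to {len(summary)} summary rows")
    for key, info in baseline_and_flag(summary, current_minute=5).items():
        print("ANOMALY", key, info)
```

The 128 raw events collapse to 18 summary rows, and only web01’s jump from a baseline of 10 failures to 60 is flagged; db01’s steady activity stays quiet.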
As you engage in security discussions with your customers, asking and answering key questions about the events and flows outlined above offers a more effective threat management solution. Security teams need to answer key questions to fully understand the nature of the potential threats they face: Who is attacking? What is being attacked? What is the business impact? Where to investigate?