Looking at Log Management Pragmatically
As the first article in a 6-part series on the specifics of log management, I want to introduce the concept of the Pragmatic CSO methodology and explain how and why log management is important to achieving the goals of the Chief Security Officer. This piece lays the foundation for the journey we will take together over the next 6 months.
First and foremost, security professionals are under siege from all sides. Their bosses don’t understand what they do and why it costs so much money. It’s pretty unlikely that auditors would consider the CSO a friend either, given the traditionally acrimonious relationship between the security and audit teams. We shouldn’t forget the bad guys, who keep using new and innovative attacks to compromise personal information and steal critical intellectual property.
The typical security professional I work with has trouble getting funding for key projects, justifying his/her existence within the organization, and ultimately being perceived as relevant to the operations of the business. All of this impacts their ability to be successful in protecting the information assets of the organization. Yes, it’s a pretty big problem.
In over 15 years working in the security space and looking at the problem from all sides, I’ve pinpointed a rather conceptually simple reason for this issue. In a nutshell, security people talk technology and their customers talk the language of business. This disconnect has become a chasm and really impacted the ability of security professionals to be successful. So in order to be relevant moving forward:
“Security professionals must learn to talk the language of business.”
This is what being a Pragmatic CSO is all about. I have built a 12-step program (yes, very similar to those other 12-step programs) to help security professionals overcome their addictions to throwing new products at every new attack vector. The program helps these folks build a value proposition and run their security operation as a business, and, basically, learn how to be comfortable in the executive suite, since that’s where we belong.
But before we get into those nuances, let’s level set a bit and talk about the five reasons that we do security in the first place. Here goes:
- Maintain business system availability
- Protect intellectual property
- Limit corporate liability
- Safeguard the corporate brand
- Ensure compliance
That’s it. I’ve asked hundreds of people for other reasons why we would do security and everything comes back to one of these core needs. That was liberating, eh? Now we know why we are doing this. Next, let’s discuss the Pragmatic CSO process a bit.
In a short piece, I can’t really get into a lot of detail about how the process works, but let me outline it based on the sections.
- Section 1: Plan to be Pragmatic – This first section is focused on figuring out what is important, taking a baseline of your environment and then managing the expectations of the senior team – so they know what you are up to and why.
- Section 2: Build a Pragmatic Security Environment – Next up we build a business plan to guide the operation of the security environment, secure funding for the critical projects and actually go out and buy some stuff.
- Section 3: Run your Security Organization Pragmatically – Then we spend time keeping things running, taking an aggressive monitoring approach to figuring out when you have a problem, building a containment strategy, training your users and testing your defenses.
- Section 4: Communicate Your Value – Finally you need to toot your own horn a bit and build a reporting, communications and compliance capability to substantiate what you do on a daily basis.
Each of these sections is meant to help you get deeper and deeper into the business operations of your organization and spend your time protecting the “right” stuff, as opposed to all the stuff. You can get more detail on the Pragmatic CSO process at http://www.pragmaticcso.com/poster.html.
I know what you are thinking. What does any of this have to do with log management? It turns out to be a lot. The key requirement of Step 1, “Assess the Value of Your Business Systems,” is to understand what is really important to your business. Since no one (that I know anyway) has a money tree in the back of their office, you need to make hard decisions about what to do and how to prioritize your activities. How do you do that without knowing which business systems would crater your organization if they went down or were compromised?
Right, you can’t. So once you understand what is important, you need to be able to track the progress on how those resources are protected. You certainly could do a lot of praying and maybe that would ensure the critical business systems are protected. But in my experience, this leap of faith is one that senior executives don’t “get.” So we need some hard numbers or at least an idea that the trend is moving in the right direction.
The log management function, which gathers activity information about the devices (networks, servers, applications, etc.) that run these business systems in a forensically sound and very scalable way, provides that kind of information. You can see what’s working and what isn’t. You can set thresholds to help you understand what is going on in your environment, and be able to fine-tune your defenses to ensure the right systems are protected at the right times. Step 7 of the Pragmatic CSO process is called “Operate/Monitor Your Environment” and log management is a key aspect of being able to do that.
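As an added illustration (not code from the article or from any product it mentions), here is one way to tie Step 1 to Step 7: a log-monitoring threshold that tightens according to the business value assigned to each system, so the critical systems raise an alert first. The syslog lines, host names, source addresses and value scores are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the article): SSH authentication events.
SAMPLE_LOGS = """\
Jan 12 08:01:02 erp-db01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jan 12 08:01:05 erp-db01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Jan 12 08:01:09 erp-db01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jan 12 08:02:11 kiosk-07 sshd[981]: Failed password for guest from 198.51.100.4 port 40000 ssh2
Jan 12 08:02:15 kiosk-07 sshd[981]: Failed password for guest from 198.51.100.4 port 40001 ssh2
Jan 12 08:02:19 kiosk-07 sshd[981]: Failed password for guest from 198.51.100.4 port 40002 ssh2
Jan 12 08:03:00 erp-db01 sshd[2212]: Accepted password for backup from 10.0.0.5 port 3322 ssh2
"""

# Hypothetical outcome of Step 1 (Assess the Value of Your Business Systems):
# each host's value to the business, 1 (low) to 5 (critical).
ASSET_VALUE = {"erp-db01": 5, "kiosk-07": 1}

# Failed logins per (host, source) before a low-value system raises an alert.
BASE_THRESHOLD = 5

# Matches the "Failed password" shape used in the constructed sample above.
FAILED_RE = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)

def threshold_for(host):
    """Tighter threshold for more valuable systems: value 5 alerts on 1 failure, value 1 on 5."""
    value = ASSET_VALUE.get(host, 1)  # unknown hosts are treated as low value
    return max(1, BASE_THRESHOLD - value + 1)

def count_failures(log_text):
    """Count failed logins per (host, source address) over the supplied log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[(m["host"], m["src"])] += 1
    return counts

def alerts(log_text):
    """Return (host, src, failures, threshold) for every pair at or above its host's threshold."""
    out = []
    for (host, src), n in sorted(count_failures(log_text).items()):
        t = threshold_for(host)
        if n >= t:
            out.append((host, src, n, t))
    return out

if __name__ == "__main__":
    for host, src, n, t in alerts(SAMPLE_LOGS):
        print(f"ALERT {host}: {n} failed logins from {src} (threshold {t})")
```

Both hosts see the same three failures, but only the critical ERP database crosses its threshold, which is the "protect the right stuff, not all the stuff" prioritization the article describes.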
Next month I’ll delve more deeply into this topic, providing detail on how to leverage log management in your operational processes and keep the trains running on time.
Until then, Be Pragmatic.
You might have your access control process fixed, but you probably haven’t adequately trained your administrators on how to manage it. You might have your configuration and change control systems in place, but you probably haven’t sufficiently documented the process for using them. If you’ve adopted strict security policies, your users likely have found a way of avoiding or bypassing them altogether.
Make no mistake — auditors will find fault with your systems, your processes, and the people who operate them. They’re auditors. It’s their job.
The key to regulatory compliance is the ability to enforce and monitor security policies and processes at any given time, all of the time. And an SMB must plan and maintain an effective security strategy for its business infrastructure from the onset to serve as a solid foundation for regulatory compliance.
Prism Microsystems and Type80 extend the power of log management to the mainframe environment
Partnership provides large companies with unparalleled security and operational visibility that extends from the mainframe to the application level