SIEM in the days of recession

In October 2007 Gartner published a paper titled “Clients Should Prepare a ‘Recession Budget’ for 2008”. It suggested that IT organizations should be prepared to respond if a recession forces budget constraints in 2008. It's still early in 2008, but the Fed appears to agree and has acted strongly by dropping key interest rates fast and hard.

Will this crimp your ability to secure funding for security initiatives? Vendor FUD tactics have been a bellwether, but fear-factor funding is waning for various reasons. These include:

* crying wolf
* the perceived small impact of breaches (as opposed to the dire predictions)
* the absence of a widespread, debilitating (9/11 style) malware attack
* the realization that most regulations (eg HIPAA) have weak enforcement

As an InfoSec professional, how should you react?

For one thing, understand what drives your business and align with it, as opposed to retreating into techno-speak. Accept that the company you work for is not in the business of being compliant or secure. Learn to have a business conversation about InfoSec with business people. These are people who care about terms such as ROI, profit, shareholder value, labor, assets, expenses and so on. Recognize that their vision of regulatory compliance is driven mainly by the bottom line. In a recession year, these are more important than ever before.

For another thing, expect a cut in IT costs (it is after all most often viewed as a “cost-center”). This means staff, budgets and projects may be lost.

So how does a SIEM vendor respond? In a business-like way, of course: by pointing out that one major reason for deploying such solutions is to “do more with less”, to automate the mundane and thereby increase productivity, to retain company-critical knowledge in policy so that you are less vulnerable to a RIF, and to avoid downtime that hurts the bottom line.

And as Gabriel Garcia Marquez observed, maybe it is possible to have Love in the Time of Cholera.

– Ananth

The role of host-based security

In the beginning, there was the Internet.
And it was good (especially for businesses).
It allowed processes to become web enabled.
It enabled efficiencies in both customer facing and supplier facing chains.

Then came the security attacks.
(Toto, I’ve got a feeling we’re not in Kansas any more).
And they were bad (especially for businesses).

So we firewalled.
And we patched.
And we implemented AV and NIDS.

Are we done then?
Not really.

According to a leading analyst firm, an estimated 70% of security breaches are committed from inside a network's perimeter. This in turn is responsible for more than 95% of intrusions that result in significant financial losses. As a reaction, nearly every industry is now subject to compliance regulations that can only be fully addressed by applying host-based security methods.

Security Information and Event Management systems (SIEM) can be of immense value here.

An effective SIEM solution centralizes event log information from various hosts and applies correlation rules to highlight (and ideally thwart) intrusions. In the case of the “insider” threat, exception reports and review of privileged user activity are critical.
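To make the two functions named above concrete, here is an added example (not EventTracker code, and not from the original post) that pulls events from several hosts into one timeline and applies two correlation rules to produce an exception report on privileged-user activity. Everything in it is constructed: the log format, the host and user names, the business-hours window, and the failure threshold are assumptions chosen for illustration.

```python
"""Centralised log correlation over constructed sample events.

Added example (not EventTracker code): it shows the two things the
paragraph above attributes to a SIEM, pulling events from several hosts
into one timeline and applying correlation rules that produce an
exception report on privileged-user activity. Log format, host names,
user names, thresholds and business hours are all constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed log lines, already forwarded from three hosts (fs01, dc01, ws17).
# Format: "<ISO timestamp> <host> <action> key=value ..."
SAMPLE_LOGS = """\
2008-02-11T09:03:11 ws17 LOGON_SUCCESS user=alice src=10.0.8.4
2008-02-11T02:14:05 fs01 LOGON_FAILURE user=svc_backup src=10.0.5.21
2008-02-11T02:14:09 fs01 LOGON_FAILURE user=svc_backup src=10.0.5.21
2008-02-11T02:14:12 fs01 LOGON_FAILURE user=svc_backup src=10.0.5.21
2008-02-11T02:14:20 fs01 LOGON_SUCCESS user=svc_backup src=10.0.5.21
2008-02-11T02:16:40 dc01 GROUP_MEMBER_ADDED user=svc_backup group=Administrators
2008-02-11T09:05:00 dc01 GROUP_MEMBER_ADDED user=helpdesk1 group=Administrators
2008-02-11T14:22:31 fs01 LOGON_SUCCESS user=bob src=10.0.8.9
"""

PRIVILEGED_ACTIONS = {"GROUP_MEMBER_ADDED", "ACCOUNT_CREATED", "AUDIT_POLICY_CHANGED"}
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59, constructed change window
FAILURE_THRESHOLD = 3                    # failed logons before a success is suspicious
FAILURE_WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    host: str
    action: str
    fields: dict = field(default_factory=dict)


def parse_line(line):
    ts, host, action, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts), host, action, fields)


def centralise(text):
    """Parse lines from all hosts and order them into one timeline."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e.ts)


def off_hours_privileged(events):
    """Rule 1: a privileged action outside the change window is an exception."""
    return [(e.ts.isoformat(), e.host, e.fields["user"], e.action)
            for e in events
            if e.action in PRIVILEGED_ACTIONS and e.ts.hour not in BUSINESS_HOURS]


def failures_then_success(events):
    """Rule 2: >= FAILURE_THRESHOLD failed logons for the same user/src,
    followed by a success within FAILURE_WINDOW."""
    recent = defaultdict(list)
    hits = []
    for e in events:
        key = (e.fields.get("user"), e.fields.get("src"))
        if e.action == "LOGON_FAILURE":
            recent[key].append(e.ts)
        elif e.action == "LOGON_SUCCESS":
            window = [t for t in recent[key] if e.ts - t <= FAILURE_WINDOW]
            if len(window) >= FAILURE_THRESHOLD:
                hits.append((e.ts.isoformat(), e.host, key[0], key[1], len(window)))
            recent[key].clear()
    return hits


def exception_report(text):
    """Correlate both rules across hosts: a user that trips both is escalated."""
    events = centralise(text)
    rule1 = off_hours_privileged(events)
    rule2 = failures_then_success(events)
    escalated = sorted({u for _, _, u, _ in rule1} & {u for _, _, u, _, _ in rule2})
    return {"off_hours_privileged": rule1,
            "failures_then_success": rule2,
            "escalated_users": escalated}


if __name__ == "__main__":
    for section, rows in exception_report(SAMPLE_LOGS).items():
        print(section)
        for row in rows:
            print("   ", row)
```

The point of the report is the cross-host correlation in `exception_report`: the repeated failures are seen on one host and the group change on another, and neither rule alone says much, but a user who trips both within minutes belongs at the top of the privileged-activity review.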

If your IT Security efforts are totally focused on the perimeter and the internal network, you are likely to be missing a large and increasingly critical “brick in the wall”.

-Posted by Ananth

Are you worth your weight in gold?

Interesting article by Russell Olsen on “Windows Change Management on a Budget”.

He says: “An effective Windows change management process can be the difference between life and death in any organization. Windows managers who understand that are worth their weight in gold…knowing what changed and when it changed makes a big difference especially when something goes wrong. If this is so clear, why do so many of us struggle to implement or maintain an adequate change control process?”

Olsen correctly diagnoses the problem as one of discipline and commitment. Like exercising regularly, it's hard, but there is overwhelming evidence of the benefits.

The EventTracker SIM Edition makes it a little easier by automatically taking system (file and registry) snapshots of Windows machines at periodic intervals for comparison either over time or against a golden baseline.
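As an added illustration of the snapshot-and-compare mechanism just described (this is example code written for this page, not EventTracker's implementation), the block below takes a snapshot of a file tree and of a set of registry-style values, then diffs it against a golden baseline to list what was added, removed or modified. The file tree is built in a temporary directory and the registry values are a constructed dict standing in for an export, so it runs on any platform; the file names, key names and values are all made up.

```python
"""Snapshot-and-compare change auditing over a constructed sample.

Added example, not EventTracker code: it shows the mechanism the
paragraph above describes, periodic snapshots of files and registry
values compared either against the previous snapshot or against a
golden baseline. The file tree is built in a temporary directory and
the registry values are a constructed dict standing in for an export,
so it runs anywhere; key names and file names are made up.
"""
import hashlib
import os
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root):
    """Map each file (relative path, '/'-separated) to its content hash."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = _sha256_file(full)
    return snap


def snapshot_registry(values):
    """values: {'HIVE\\Key\\Name': data}. Hashing the data keeps the diff
    uniform with the file snapshot and keeps raw values out of the audit trail."""
    return {k: hashlib.sha256(repr(v).encode()).hexdigest() for k, v in values.items()}


def diff_snapshots(baseline, current):
    """Added / removed / modified items between two snapshots."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def run_demo():
    """Build a constructed system image, take a golden baseline, apply a
    few changes as a later interval would see them, and return both diffs."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "etc/app.conf", "loglevel=info\n")
        _write(root, "logs/old.log", "rotated\n")
        golden_files = snapshot_tree(root)
        golden_reg = snapshot_registry({
            r"HKLM\SOFTWARE\ExampleCorp\Agent\Enabled": 1,
            r"HKLM\SOFTWARE\ExampleCorp\Agent\Server": "siem.example.internal",
        })

        # Later interval: one file edited, one removed, one added; agent disabled.
        _write(root, "etc/hosts", "127.0.0.1 localhost\n10.0.0.5 update.example\n")
        os.remove(os.path.join(root, "logs", "old.log"))
        _write(root, "etc/newservice.conf", "autostart=yes\n")
        current_files = snapshot_tree(root)
        current_reg = snapshot_registry({
            r"HKLM\SOFTWARE\ExampleCorp\Agent\Enabled": 0,
            r"HKLM\SOFTWARE\ExampleCorp\Agent\Server": "siem.example.internal",
        })
        return (diff_snapshots(golden_files, current_files),
                diff_snapshots(golden_reg, current_reg))


if __name__ == "__main__":
    files, reg = run_demo()
    print("files:", files)
    print("registry:", reg)
```

Comparing against the golden baseline answers "what is different from the known-good build"; comparing consecutive snapshots answers "what changed since last interval", which is the question that matters when something just went wrong. Both use the same `diff_snapshots` call, only the baseline argument differs.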

Given the gap between outbreak and vaccine for malware and attacks, as well as the potential for innocuous human error when dealing with complex machinery, the audit function makes it all worthwhile. The CSI 2007 survey shows the annual loss from such incidents to be $350,000.

Avoiding such losses (and regular exercise) will make you worth your weight in gold.

– Ananth

Threatscape 2008 Computer security survey results

Understanding where SIM ends and log management begins

In my travels, I tend to run into two types of security practitioners. The first I’ll call the “sailor.” These folks are basically adrift in the lake in a boat with many holes. They’ve got a little cup and they work hard every day trying to make sure the water doesn’t overcome the little ship and sink their craft. The others I’ll call the “builders,” and these folks have gotten past the sailor phase, gotten their ship to port and are trying to build a life in their new surroundings. Thus, they are trying to lay the foundation for a strong home that can withstand whatever the elements have to offer.