Based on early media reports, the Cyber Security executive order would seem to portend voluntary compliance on the part of U.S.-based companies to implement security standards developed in concert with the federal government. Setting aside the irony of an executive order to voluntarily comply with standards that are yet to be developed, how should private and public sector organizations approach cyber security given today’s exploding threatscape and limited information technology budgets? How best to prepare for more bad guys, more threats, more imposed standards with fewer people, less time and less money?
Back to basics. First let’s identify the broader challenges: of course you’re watching the perimeter with every flavor of firewall technology and multiple layers of IDS, IPS, AV and other security tools. But don’t get too comfortable: every organization that has suffered a damaging breach had all those things too. Since every IT asset is a potential target, every IT asset must be monitored. Easy to describe, hard to implement. Why?
Challenge number one: massive volumes of log data. Every organization running a network with more than 100 nodes is already generating millions of audit and event logs. Those logs are generated by users, administrators, security systems, servers, network devices and other paraphernalia. They generate the raw data that tracks everything going on from innocent to evil, without prejudice.
Challenge number two: unstructured data. Despite talk and movement toward audit log standards, log data remains widely variable with no common format across platforms, systems and applications, and no universal glossary to define tokens and values. Even if every major IT player from Microsoft to Oracle (and HP and Cisco), along with several thousand other IT organizations were to adopt uniform, universal log standards today, we would still have another decade or two of the dreaded “legacy data” with which to contend.
Challenge number three: cryptic or non-human-readable logs. Unstructured data is difficult enough, but adding to the complexity is that most log content and structure are defined by developers for developers or administrators. Don’t assume that security officers and analysts, senior management, help desk personnel or even tenured system administrators can quickly and accurately glance at a log and immediately understand its relevance or, more importantly, what to do about it.
Solution? Use what you already have more wisely. Implement a log monitoring solution that will ingest all of the data you already generate (and largely ignore until after you discover there’s a real problem), process it in real time using built-in intelligence, and present the analysis immediately in the form of alerts, dashboards, reports and search capabilities. Take a poorly designed and voluminous asset (audit logs) and turn it into actionable intelligence. It isn’t as difficult as it sounds, though it requires rigorous discipline and a serious time commitment.
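As an added example (not code from the original post, nor from any product it may be describing), the following Python script shows the three challenges and the proposed solution in miniature. It takes constructed log lines in three unrelated formats (a syslog line from sshd, a key=value rendering of a Windows logon-failure event, and an Apache access-log line), maps each onto one common record, translates cryptic codes into plain language, and raises an alert when one source address fails to authenticate three times within a minute across any of those systems. The sample lines, the key=value Windows layout, the year assumed for syslog timestamps, and the threshold and window are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in three formats (not captured from any real system).
SAMPLE_LOGS = [
    "Feb 14 10:01:02 fw01 sshd[4021]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "2013-02-14T10:01:05Z EventID=4625 Host=dc01 TargetUser=jsmith SourceIp=198.51.100.7 Status=0xC000006D",
    '198.51.100.7 - - [14/Feb/2013:10:01:09 +0000] "POST /login HTTP/1.1" 401 512',
    "Feb 14 10:01:11 fw01 sshd[4021]: Failed password for admin from 198.51.100.7 port 51030 ssh2",
    "Feb 14 10:01:20 fw01 sshd[4022]: Accepted password for alice from 203.0.113.5 port 40000 ssh2",
    "2013-02-14T10:01:25Z EventID=4625 Host=dc01 TargetUser=jsmith SourceIp=198.51.100.7 Status=0xC000006D",
]

ASSUMED_YEAR = 2013  # syslog timestamps carry no year; fixed here for the example

# Plain-language glosses for codes that mean nothing to a non-developer reader.
GLOSS = {
    "4625": "Windows: an account failed to log on",
    "0xC000006D": "bad user name or password",
    "401": "HTTP: authentication required / rejected",
}

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
WIN_RE = re.compile(  # constructed key=value rendering of a Windows security event
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Host=(?P<host>\S+) TargetUser=(?P<user>\S+) "
    r"SourceIp=(?P<ip>\S+)(?: Status=(?P<status>\S+))?"
)
HTTP_RE = re.compile(  # Apache/NCSA combined-style access log
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3})"
)


def normalize_line(line):
    """Map one raw line onto a common record; return None if the format is unknown."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        outcome = "failure" if m["result"] == "Failed" else "success"
        return {"ts": ts, "origin": "sshd", "host": m["host"], "user": m["user"],
                "source_ip": m["ip"], "outcome": outcome,
                "summary": f"SSH login {outcome} for {m['user']} from {m['ip']}"}
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        outcome = {"4625": "failure", "4624": "success"}.get(m["eid"], "other")
        gloss = GLOSS.get(m["eid"], f"event {m['eid']}")
        if m["status"]:
            gloss += f" ({GLOSS.get(m['status'], m['status'])})"
        return {"ts": ts, "origin": "windows", "host": m["host"], "user": m["user"],
                "source_ip": m["ip"], "outcome": outcome, "summary": gloss}
    m = HTTP_RE.match(line)
    if m:
        # Access logs carry a zone offset; fold everything to naive UTC for comparison.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc).replace(tzinfo=None)
        outcome = "other"
        if m["path"].startswith("/login") and m["status"] in ("401", "403"):
            outcome = "failure"
        elif m["path"].startswith("/login") and m["status"] == "200":
            outcome = "success"
        user = None if m["user"] == "-" else m["user"]
        return {"ts": ts, "origin": "http", "host": None, "user": user,
                "source_ip": m["ip"], "outcome": outcome,
                "summary": f"{m['method']} {m['path']} -> {GLOSS.get(m['status'], m['status'])}"}
    return None


def detect_repeated_failures(records, threshold=3, window=timedelta(seconds=60)):
    """Alert when one source address produces `threshold` auth failures inside `window`.

    Failures are counted across all origins, so an attacker rotating between SSH,
    a domain controller and a web login still trips the rule. The window is cleared
    after an alert so a long run of failures yields one alert per `threshold`, not one per line.
    """
    recent = defaultdict(deque)
    alerts = []
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["outcome"] != "failure" or not r["source_ip"]:
            continue
        q = recent[r["source_ip"]]
        q.append(r)
        while q and r["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "source_ip": r["source_ip"], "count": len(q),
                "first_seen": q[0]["ts"], "last_seen": r["ts"],
                "origins": sorted({x["origin"] for x in q}),
                "users": sorted({x["user"] for x in q if x["user"]}),
                "message": f"{len(q)} authentication failures from {r['source_ip']} "
                           f"across {', '.join(sorted({x['origin'] for x in q}))} within {window}",
            })
            q.clear()
    return alerts


def run_pipeline(lines):
    """Normalize raw lines, drop what cannot be parsed, and run detection."""
    records = [rec for rec in (normalize_line(ln) for ln in lines) if rec]
    return records, detect_repeated_failures(records)


if __name__ == "__main__":
    recs, found = run_pipeline(SAMPLE_LOGS)
    for rec in recs:
        print(rec["ts"], rec["origin"], rec["outcome"], "-", rec["summary"])
    for a in found:
        print("ALERT:", a["message"])
```

The point of the common record is that the detection rule never has to know which system wrote the line; adding a fourth log format means adding one parser, not rewriting every rule. Lines that match no parser are dropped here, but in practice they should be counted and surfaced, since unparsed volume is itself a signal that a new device or format has appeared on the network.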
Cyber criminals employ the digital equivalent of what our military refers to as an “asymmetrical tactic.” Consider a hostile emerging superpower in Asia that directly or indirectly funds a million cyber warriors at the U.S. equivalent of $10 a day; cheap labor in a global economy. No organization, not even the federal government, the world’s largest bank or a 10-location retailer, has unlimited people, time and money to defend against millions of bad guys attacking on a much lower (asymmetrical) operational budget.