The other day I read a bit by Andreas M. Antonopoulos on Networkworld about how to be an effective security buyer. Of course, when it came to finding the article again when I wanted to write this... I couldn't find it. +1 to the Interwebs though, because Mike Rothman over at Securosis mentioned it in Wednesday's Incite 4 U. Andreas' advice seems to be that when you are buying security tools, don't buy something designed to fulfill a singular function. Instead, go for multi-purpose tools that can cover down on multiple areas. I think the idea somewhat boils down to knocking out two birds with one stone, plus it sucks to have to look at one dashboard for each tool you have. Enterprise resource scaling aside, though, I tend to agree with Mike's take. What really stood out to me was an analogy Andreas used:
"The part that makes a wall strong is the mortar, not the bricks. Disconnected bricks fall down with a slight nudge. Buy "glue" software and security solutions that tie together various controls, monitoring systems, notification systems, etc. A well-integrated system with fewer controls is better than lots of disparate controls with no glue."
Unless I am way off base, what I think he had in mind is something like this where various multi-purpose tools somewhat dry fit to form an interlocking wall representing your overall defensive strategy.
Pardon how bad my graphics are. The whole mortar being the linking item between the bricks is what really stuck with me. However, instead of trying to buy tools with an eye for the tools fitting together, why not buy tools that will integrate into a log management solution or even a SIEM (or that can at least export logs to syslog, which these technologies should be able to suck in)? I'd have to believe this is more of a neutral ground anyway from a tool vendor's perspective. It is through this medium that you base your dashboards and reporting engines, and you end up with an extensible solution for bringing additional tools into your environment, regardless of whether or not they serve a singular function. In my mind the model would be more like this:
However you mentally picture it, part of the discussion I guess is that you are actually picturing it! The unspoken aspect here is that (hopefully) you have a backdrop, an overarching plan for what you are trying to accomplish and how you are going to integrate solutions. Otherwise your tools just sort of exist in a vacuum or are siloed off from each other. While they provide value on their own, they would provide so much more if leveraged together. It is in this light that I think your LM and/or SIEM should be viewed - not as just another brick in your defensive wall.
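To make the "syslog as glue" idea concrete, here is an added example (not from the original post or from any vendor product) of the normalization a log management or SIEM layer does: it parses RFC 5424 syslog lines from two tools that phrase things differently, maps them onto one schema, and flags hosts that more than one tool reported within a short window. The tool names `fw` and `av`, their message formats and the sample lines are all constructed for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$"
)

# Per-tool extractors (hypothetical tools "fw" and "av"): each tool states the
# same fact in its own words, and the glue layer maps both onto a common "src".
TOOL_FIELDS = {
    "fw": re.compile(r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"),
    "av": re.compile(r"threat=(?P<threat>\S+) host=(?P<src>\S+)"),
}

# Constructed sample input, as the tools would ship it over syslog.
SAMPLE_LINES = [
    "<134>1 2024-01-15T10:00:00Z fw01 fw - - - action=deny src=10.0.0.7 dst=203.0.113.9",
    "<132>1 2024-01-15T10:02:30Z av01 av - - - threat=Trojan.Generic host=10.0.0.7",
    "<134>1 2024-01-15T10:01:00Z fw01 fw - - - action=deny src=10.0.0.8 dst=198.51.100.4",
    "this is not syslog",
]

def parse_event(line: str) -> Optional[dict]:
    """Parse one RFC 5424 line into a normalized event, or None if it is not syslog."""
    m = SYSLOG_5424.match(line)
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    event = {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "reporter": m["host"], "tool": m["app"],
        "facility": pri >> 3, "severity": pri & 7,
        "src": None, "summary": m["msg"],
    }
    tool_re = TOOL_FIELDS.get(m["app"])
    fm = tool_re.search(m["msg"]) if tool_re else None
    if fm:
        event.update(fm.groupdict())  # tool-specific fields onto the common schema
    return event

def correlate(events, window=timedelta(minutes=5)):
    """Return hosts reported by at least two different tools within `window`."""
    by_src = {}
    for e in events:
        if e and e.get("src"):
            by_src.setdefault(e["src"], []).append(e)
    flagged = []
    for src, evs in sorted(by_src.items()):
        tools = {e["tool"] for e in evs}
        span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
        if len(tools) >= 2 and span <= window:
            flagged.append(src)
    return flagged
```

Neither tool's dashboard alone would show that 10.0.0.7 was both blocked at the perimeter and flagged by the endpoint scanner a few minutes apart; the correlation only exists once both feeds land in the same place.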