Wednesday, June 29, 2011

Are you using the tools you have?

I was going to write a quick blog entry comparing ArcSight as a SIEM to Symantec’s MSSP services, which my current company is using. While there are pros and cons, there is a bigger thought that keeps bubbling to the surface. For as much as our industry whines about the need for more innovation from vendors, no one is looking at the tools they already have!

Granted, that statement is generic and isn’t true across the board. I keep coming back to the number of tickets I opened with ArcSight for bugs or walls I would run into, let alone feature requests, that someone from a larger deployment had SURELY seen before a smaller company like us did – right? Nope. I spent a few weeks with Symantec’s MSS portal and came up with something like two dozen feature requests, a half dozen report requests, and a list of questions that we have probably spent a cumulative 5 or 6 hours discussing, during which I hear things that indicate they don’t have a lot of customers who really dig in and try to interact with the data. Now they could well be blowing smoke up my 4th point of contact, or maybe I am walking away from those conversations with the wrong impression, but whiskey tango foxtrot, folks.

If all you have in your environment, or all you have access to logs from, is AV or NIDS/NIPS, then yes, there is a level of ‘life sucks.’ Do SOMETHING with that data though, because I bet dollars to donuts your AV or IPS teams aren’t looking at it; their focus is keeping the lights blinking. Generating some sort of metrics will hopefully get the management-level questions rolling: why is AV leaving infections on this block of systems alone? etc., etc. That gets into a whole other discussion.
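As an added example (not the author’s code, and not tied to any real product’s export format), here is the kind of macro-level metric the paragraph above is after: parse AV console events and surface hosts, and naming blocks of hosts, where the engine repeatedly reported a detection without remediating it. The log format, host names and action vocabulary are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample AV events (hypothetical format, not a real product's export).
SAMPLE_AV_LOG = """\
2011-06-20 08:12:01 host=ws-0412 threat=Trojan.Gen action=Quarantined
2011-06-21 09:03:44 host=ws-0412 threat=Trojan.Gen action=Left alone
2011-06-22 10:15:09 host=ws-0412 threat=Trojan.Gen action=Left alone
2011-06-22 11:40:31 host=ws-0417 threat=Trojan.Gen action=Left alone
2011-06-23 07:55:12 host=ws-0901 threat=Adware.Foo action=Cleaned
2011-06-24 13:22:48 host=ws-0417 threat=Trojan.Gen action=Left alone
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) threat=(?P<threat>\S+) action=(?P<action>.+)$"
)

# Actions meaning the engine did NOT remediate; adjust to your product's wording.
UNRESOLVED_ACTIONS = {"left alone", "access denied", "not applicable"}


def parse_av_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def _is_unresolved(event):
    return event["action"].strip().lower() in UNRESOLVED_ACTIONS


def unresolved_by_host(events, min_count=2):
    """Host -> count of unresolved detections, keeping hosts with at least min_count.

    Repeated unresolved detections on one host are the 'AV is leaving it alone'
    signal worth taking to the AV team.
    """
    counts = defaultdict(int)
    for ev in filter(_is_unresolved, events):
        counts[ev["host"]] += 1
    return {h: c for h, c in counts.items() if c >= min_count}


def block_summary(events, prefix_len=6):
    """Unresolved detections per host-name block (e.g. 'ws-041'), to spot clusters."""
    counts = defaultdict(int)
    for ev in filter(_is_unresolved, events):
        counts[ev["host"][:prefix_len]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_av_log(SAMPLE_AV_LOG)
    print("repeat unresolved hosts:", unresolved_by_host(evs))
    print("unresolved by host block:", block_summary(evs))
```

The same two functions run unchanged over a real export once `LINE_RE` and `UNRESOLVED_ACTIONS` are adjusted to that product’s fields.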

The main point of this is to start looking at the logs you DO have rather than trying to get some new and shiny widget with a wistful or pouting ‘I can’t do real security unless I had x tool to address y issue, so why bother’ attitude. You probably do have that issue…but going from just AV to bringing in something like FireEye isn’t going to magically solve your problems or make you ‘more secure’. Don’t get me wrong – I LOVE me some FireEye, and I guess you can define ‘more secure’ any number of ways. The thing is, if you aren’t reviewing something like your AV logs at even a macro level, you sure as hell aren’t going to have the soft processes and personnel in place to deal with the data you are going to get from FireEye.

At the end of the day there is a maturation process that needs to occur, and it ultimately starts with using what you have on hand.
