Wednesday, October 19, 2011

What's the value of chasing alerts and other musings

I don’t know what your thoughts on this are, but I’m trying to work out an illustration of how the churn of the hamster wheel of run-of-the-mill incident detection and response doesn’t really lead to much of an increased security posture or reduced risk – at least not directly or by itself. Don’t get me wrong, that work needs to be done and isn’t a trivial component of your overall program. At the same time I think this is one of those things where activity doesn’t necessarily indicate/translate/equal accomplishment. Great – you cleaned X machines with Y malware. Next week it will be N machines with Z malware. Soooo… does that mean you are more or less secure than the month before?

I’m of the general opinion that an improved security posture/reduced risk/reduced exposure is a by-product of doing analysis on the information gathered from your incidents and using that to drive change in configuration settings, in policies, or in both. The cleanup count by itself doesn’t tell you that; what tells you is whether the root cause behind last month’s cleanups is still generating cleanups after the change you made. Not rocket science or an original thought really. Hopefully that makes some sense.
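To make the distinction concrete, here is an added example (not from the original post) that runs the two kinds of accounting side by side over a constructed set of incident records: the hamster-wheel metric (machines cleaned per week), and the analysis that ranks root causes, picks the change with the biggest payoff, and then checks whether that cause actually stopped recurring after the change landed. The record layout (week, host, malware family, root cause), the root-cause labels, and the "Java plugin patched in week 3" change are all assumptions made for the illustration, not a real ticketing schema.

```python
"""Added example: turning incident records into change candidates and
checking whether a change actually reduced recurrence.

Not part of the original post. The records below are constructed for
illustration; the fields (week, host, family, root_cause) and the
root-cause labels are assumptions, not a real ticketing schema.
"""
from collections import Counter

# Constructed sample: one record per cleaned machine, with the root cause
# the responder recorded. Hypothetically, the Java plugin was patched
# fleet-wide at the start of week 3.
INCIDENTS = [
    # week, host,     malware family, root cause
    (1, "ws-011", "Zbot",      "unpatched-java"),
    (1, "ws-027", "Zbot",      "unpatched-java"),
    (1, "ws-031", "FakeAV",    "unpatched-java"),
    (1, "ws-044", "Conficker", "usb-autorun"),
    (2, "ws-052", "Zbot",      "unpatched-java"),
    (2, "ws-060", "FakeAV",    "unpatched-java"),
    (2, "ws-063", "FakeAV",    "macro-email"),
    (2, "ws-070", "Conficker", "usb-autorun"),
    (3, "ws-081", "SpyEye",    "macro-email"),
    (3, "ws-085", "Conficker", "usb-autorun"),
    (3, "ws-090", "SpyEye",    "macro-email"),
    (3, "ws-092", "Zbot",      "unpatched-java"),
    (4, "ws-101", "SpyEye",    "macro-email"),
    (4, "ws-104", "Conficker", "usb-autorun"),
    (4, "ws-110", "SpyEye",    "macro-email"),
    (4, "ws-115", "Conficker", "usb-autorun"),
]

CHANGE_WEEK = 3  # hypothetical: Java plugin patched at the start of week 3


def cleaned_per_week(incidents):
    """The hamster-wheel metric: machines cleaned each week. It stays flat
    in this sample, which is why it says nothing about posture by itself."""
    counts = Counter(week for week, *_ in incidents)
    return dict(sorted(counts.items()))


def root_cause_ranking(incidents):
    """Rank root causes by the number of cleanups they generated. The top
    entry is the configuration or policy change with the largest payoff."""
    counts = Counter(cause for *_, cause in incidents)
    return counts.most_common()


def recurrence_before_after(incidents, cause, change_week):
    """Share of cleanups attributable to `cause` before and after a change.
    A drop here, not a drop in the raw cleanup count, is the evidence that
    the change reduced exposure."""
    before = [r for r in incidents if r[0] < change_week]
    after = [r for r in incidents if r[0] >= change_week]

    def share(records):
        if not records:
            return 0.0
        return sum(1 for r in records if r[3] == cause) / len(records)

    return share(before), share(after)


def next_change_candidate(incidents, change_week):
    """Once a change lands, re-rank on post-change incidents only, so the
    next change targets what is still recurring rather than what was fixed."""
    remaining = [r for r in incidents if r[0] >= change_week]
    return root_cause_ranking(remaining)[0][0]


if __name__ == "__main__":
    print("cleaned per week:", cleaned_per_week(INCIDENTS))
    print("root causes:", root_cause_ranking(INCIDENTS))
    print("unpatched-java share before/after:",
          recurrence_before_after(INCIDENTS, "unpatched-java", CHANGE_WEEK))
    print("next change candidate:", next_change_candidate(INCIDENTS, CHANGE_WEEK))
```

In the sample the weekly cleanup count is four every week, so that number alone would suggest nothing changed. The root-cause view shows the Java share going from five of eight cleanups before the patch to one of eight after it, and that the next change worth making is about email macros. The point is that the second view only exists if responders record a root cause during the cleanup; the alert-chasing loop on its own never produces it.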

That line of thinking leads me down a couple of different paths. If the end state of the analysis component is a more secure environment, what is the end state of the incident work? Is it really divergent from an improved state, or is it that you refine the process so you respond better and faster as an end unto itself? I don’t want to sound blasphemous, but are concepts like ‘improved security posture’, ‘reduced risk’, and ‘reduced exposure’ almost a security trinity, intermixed in a way that makes it hard to talk about one without talking about the others? I say that because those items are hard to pull out as ends unto themselves.

At any rate, the last thought is how the hamster-wheel churn and firefighting mentality intersect with the security event management industry and what that industry, in whole or in part, promises. Now take that and intersect it with the expectations of the CISO (or whatever level of person you want) and what the security event management industry, again in whole or in part, actually delivers. Yes, yes, the number of variables involved in those intersections could choke a horse, so to speak. At the end of it all I just don’t think you can draw a direct line from chasing alerts to a more effective security program. I think this is the backdrop to why there is so much dissatisfaction with the various security event management offerings. Somehow, either through the sales pitch or because security personnel are crushed under the desire to make changes and/or burnout, people are grasping for a silver bullet.

This of course leads one, or at least me, to question what value your particular security event management tool or service brings to the table, and the level of pain associated with bridging the gap between what you have and what you need. By themselves I don’t think they can deliver the hoped-for security utopia. The key is how they are used or leveraged in your program and processes. Of course, one of the variables is CAN the tool be leveraged?

Would be interested in any thoughts.
