Monday, April 23, 2012

Couple random thoughts strung together

Oyie – I look up again and I haven’t written anything in a couple months. Amazing how your environment will (or won’t) influence you. I have had a few things on my mind for a bit recently though and figured I would try to knock out brief blurbs on them now.
  • One thousand points of light….and no illumination
  • A visual of effort vs value/return
  • Integration is key

One thousand points of light –
I heard that phrase at the first ArcSight conference I went to back in 2009, though unfortunately I can’t remember who said it. The context was why using point, standalone solutions in an Enterprise doesn’t work well. Things might be getting caught, but w/o that data rolling up into some sort of central repository you lose out on so much. While oftentimes that central repository is individual silos, this thought is one of the main underpinnings of how I view the SIEM space. Your defenses will not stop 100% of attacks, though in concert the logs they provide can (hopefully) be turned around to shed light back into what is going on in your environment.

Effort vs value
I had a visual flash in my mind while talking with a co-worker about the unfortunate scenario where someone had taken a job that could provide a high level of value and turned it into one focused on the effort of collecting data in support of a tool. In some part that was due to the tool being used. That was probably the 3rd or 4th time in the previous week or two where I had heard some derivation of “use tools to augment your people.” The visual is something like this.


As mentioned in the past, my PowerPoint skillz are what they are; hopefully the intent can be grasped. Ideally the vertical tool bar is way to the left on the horizontal representation of the overall time someone has to work. This allows for maximum value to be gained from the person’s time. I’ve often thought back to the three main variables on this sliding scale for things ranging from specific tools to overall time spent to whether or not someone IS a tool and how much value they provide.

Integration
One of the challenges with any project is how you measure success. Too often that is simply - is it deployed? Layered on top of that in the InfoSec space is trying to develop a program. If you just buy a bunch of tools w/o trying to bake them together you can end up with a variation of the thousand points of light issue. Manually cobbling the information together is a pain at best and doesn’t happen at worst. I tend to lean more toward sustainable organic growth where you are able to integrate new tools/people into your existing processes and routine.
