2007 DOI: Day 1 - Get with the Program
Submitted by Mike Rothman on Wed, 2007-02-14 14:50.
As security professionals continue to struggle with the number of threats and contradictory goals (protect information, but assist business), they increasingly turn to structured security programs (ISO 27001, COBIT, Pragmatic CSO) to assist in getting things done and communicating progress. Security management tools (predominantly SIEM) continue to leave customers wanting value and assistance in automating programmatic operations.
I'll be the first to admit that this first Incite is pretty self-serving. Obviously, having just published a "poor man's security program," the Pragmatic CSO, I'd certainly like this to be a self-fulfilling prophecy. But let's examine why a security program is in great demand in the markets out there.
First, there is too much to do, and CSOs and other security professionals are having a hard time figuring out what to do on any given day. Second, even if they know what to do, helping the rest of the organization (especially the business folks) understand the value that security brings has been problematic. Finally, the auditors show up every so often, and it's usually a miserable experience for everyone.
Basically, many, many CSOs are looking for a better way. I believe taking a programmatic approach to security can provide the structure and perspective needed to be successful in today's environment.
To be clear, I don't much care if it's 27001 or COBIT or any other kind of program. But doing security in a hodge-podge way, basically playing whack-a-mole to eliminate the issue du jour, just isn't working. So it's time to try something new.
What about that security management stuff? That's the 2nd part of the Incite and remains pretty controversial. Again, to be very clear, I don't have an issue with security management. It's necessary and critical to being a successful and Pragmatic CSO. BUT, security management has to add value. If it's so expensive and ponderous as to actually detract value, then there is something wrong. That's where we are today. The biggest enterprises see value, but that's about it.
I continue to be haunted by my past as a networking analyst in the early '90s. I had a front-row seat as network management evolved and eventually disappeared. It's pretty operational now and dominated by the vendors that provide the networking equipment. The biggest networks in the world use stand-alone management offerings, but most folks use whatever their networking provider offers.
We've seen this movie, and security will be largely the same. First, there is the bundling thing. If you are doing a big endpoint renewal, you can bet you'll get that security management thing thrown in. Just ask. Same goes for UTM and every other major category. And reading Syslog and getting feeds from other devices just isn't that novel anymore.
That's why many Cisco customers default to MARS, even if it doesn't work as well as other offerings (just ask Bejtlich on that one). It's easy to buy, and that overcomes a lot of technology and implementation issues. You know what they say: you don't get fired for buying [name your favorite big ass vendor here].
We will see more activity and more clarity about what log management does relative to SIEM this year. And we'll also see tighter partnerships between network behavior analysis (NBA) vendors and SIEM. Why? You get to look ahead of you (with NBA) and behind you (with SEM), which is actually pretty compelling.
But overall in 2007, expect security management to continue to disappoint. That's all the more reason for you to get with the PROGRAM.



I'm seeing a lot of companies and people talking about bundling, and specifically in reference to Cisco. Bundling means that the vendor has separate price listings if you buy a certain quantity of product. It's basically a sales incentive made by your individual salesperson to get you to buy X dollars of product by a certain date (EoQ, EoY, etc.). Also known as "buying in bulk."
Bundling can be bad for your company's security, and this is speaking to diversity (i.e., buying from more than one vendor) as well as best-of-breed.
So, instead of using bundling as a way to reduce cost to your organization, consider alternatives.
Some people consider open-source DIY to be an alternative, but you're either in that camp, or not, already at this point. If you're not, you may want to figure out a way to make this work for your company, or re-examine how open source can help drive costs down. Of course, this doesn't work for hardware... only software.
With specific regard to Cisco, nobody buys directly from them anymore except authorized distributors (Ingram Micro, Tech Data, Comstor). Cisco resellers get their products shipped from those three distributors. When you initially contact a reseller, they usually input your company's information into the distributor system in order to qualify you for a discount. The first vendor to do this will get the largest discount for your company.
If you have a pre-existing relationship with a vendor, make sure it was your first vendor to acquire your discount level. It is in your best interest to continue working with this vendor, regardless of any financial or personal problems you have with such a vendor. You may also want to have your discount levels re-evaluated as your business grows. Talk to your reseller about this. This discount varies wildly, but for a Fortune 1000 it is usually something like 40% off the Cisco price list.
Cisco Partners (not every vendor/reseller of Cisco equipment is also a partner) also get Channel Incentive Programs. The vendor incentive program is in its 9th year and focuses specifically on specialized products like security. Specific products get additional discounts (14-22%). To find out which products apply by SKU number, see http://cisco.com/go/vip
While bundling may seem like the best price saver, it actually turns out that you can save more by following the above strategies and working with your vendor/reseller on getting the right pricing for your organization without bundling. Usually they won't come out and tell you what to do, unless you ask the right questions.
Then you can go wild with side-by-side (or layered) Juniper and Cisco routers/firewalls, and Foundry and Cisco both for your switch infrastructure (e.g. Cisco for clients and Foundry for servers).
If you are a "Cisco/Microsoft/IBM only" shop like many C-levels want you to believe is a viable business strategy... consider the monoculture you've created as a potential security nightmare.
I guess one last argument is the administrative and/or interoperability problems one faces by introducing diversity into the network. Which is why outsourcing services like managed firewall, managed security monitoring, managed network, etc. exist. Make it somebody else's problem!