Day 8 of Incite: Security Management (Oxy)Moron
Submitted by Mike Rothman on Mon, 2006-01-23 14:15.
Stand-alone security information management (SIM) plateaus in 2006, as consolidation continues and the need for large-scale system integration makes acceptable “time to value” out of reach for all but the largest enterprises. Closed correlation systems increasingly take root as users swing towards homogeneity and ratchet back expectations on which devices really need to be integrated into the management system, while leveraging the reporting infrastructure for compliance purposes.
Here is a news flash from the master of the obvious: network and security management is hard. It’s hard to do if you are a user, and as a vendor it’s really hard to build a sustainable management company. How many waves of management “innovation” have we seen? How many silver bullets were going to finally put administrators in control of their security and networks? Ultimately these companies go away, either bought by one of the management consolidators (CA, IBM, Sun, HP, etc.) or just disappearing. Not a comforting thought for a user trying to determine if a new management widget is worth buying.
Management is a hard, complex problem and users do not want partial solutions. By definition a start-up can only offer a partial solution. They don’t have the resources to “boil the ocean” and must focus on the most significant pain point. Unfortunately, solving one problem is not good enough for most users. Thus, management defaulted to the big companies that bring to bear lots of resources and integration consultants to work on the problem.
History will repeat itself yet again this year, with another wave of security management plateauing and eventually going by the wayside. This time it’s Security Information Management (SIM). SIM exists because it became apparent that users were missing some attacks because they couldn’t process security event information and logs from multiple boxes in multiple places fast enough to detect and correlate a multi-pronged attack. A few start-ups took all that log data and worked some magic, automating the collection and improving the correlation of the data. This gave early adopters the perception of being able to identify attacks more effectively and take corrective action. Per usual, seemingly overnight about 10 companies rushed into the space.
Yet, as with most management technologies, the deployment proved much more difficult than the users were led to believe. It turned out that each implementation was different. Each user had different equipment, was interested in different information, and wanted reports in different formats. There was very little leverage for the vendors, and implementations became too difficult and expensive for the users. This wasn’t a market space; it was a systems integration project. Thus far, it’s safe to say that SIM has been a failure. The one company that has the most “momentum” (and it’s not that much) has built out over 100 “agents” to streamline the deployment. It won’t be enough for SIM to break out and become its own market.
A great analogy is the PKI market, yet another market that gave me considerable personal road rash. The early vendors got some traction and grew nicely. Users made initial investments in the market, but ultimately the market plateaued (in about 2001) and has stagnated since. Why? The technology was too hard to use and required a significant integration project to make it work. The time to value for customers was too long. So that market went away.
To be clear, I am NOT saying that the function of security log analysis and correlation is unimportant. It is important. I am saying that the current model is not working and needs to be changed.
What would I change? First of all, the expectations of the customers need to be kept in check. Ultimately, this is a vendor problem in promising the world, and delivering not so much, but I digress. End users really need to come to grips with what is important. It’s to make sure attacks are detected and stopped. No more, no less.
Does every device in the network need to be tracked? Not by a long shot. The first priority is to get a feel for what’s going on with the perimeter. That is where the great majority of attacks come from. Note that I say majority of attacks, not majority of “successful” attacks. Most unsophisticated hackers bang on the front door(s) of your network, so you need to be able to correlate attacks on every ingress point into your network. Then you’ll be able to discover whether you are being specifically targeted in a coordinated effort, or just randomly scanned.
So, if the first phase of the security management initiative is to correlate data from the external access points, that’s not too hard, right? Exactly, and the vendor of your perimeter defense most likely has some additional functionality that can provide that level of analysis. These are the "closed correlation systems" I refer to in the Incite. As long as you can pull data from your access devices, you're good to go in this first phase. This will only get easier over time as networks (and the associated security infrastructure) become more homogeneous, eliminating the need for significant integration efforts.
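As an added illustration of this first-phase correlation (not code from the post, and not any vendor's closed correlation product), here is a small Python script that folds denied-connection events from several perimeter devices into one profile per source address and separates a source probing several ingress points in a coordinated way from a source sweeping one ingress point and from background noise. The log line format, device names, IP addresses, time window and thresholds are all assumptions constructed for the example.

```python
"""
Perimeter correlation: group denied connections from every ingress device by
source address and decide whether a source is probing the whole perimeter in
a coordinated way, sweeping one ingress point, or is just background noise.

Added illustration for this post; not code from the original article or from
any SIM or firewall vendor. The log format, device names, addresses, window
and thresholds are all assumptions made for the example.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed line format (constructed; loosely syslog-like):
#   <ISO timestamp> <device> DENY src=<ip> dst=<ip> dport=<port> proto=<proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass
class SourceProfile:
    """Everything seen about one external source across all ingress points."""
    first_seen: datetime
    last_seen: datetime
    devices: set = field(default_factory=set)   # ingress devices that saw it
    targets: set = field(default_factory=set)   # distinct (dst, dport) pairs
    events: int = 0


def parse_line(line):
    """Parse one log line; return a dict, or None for a line in another format.
    Skipping rather than crashing matters: a real feed mixes event types."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    ev["dport"] = int(ev["dport"])
    return ev


def build_profiles(lines):
    """Fold events from every device into one profile per source IP."""
    profiles = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        p = profiles.get(ev["src"])
        if p is None:
            p = profiles[ev["src"]] = SourceProfile(ev["ts"], ev["ts"])
        p.first_seen = min(p.first_seen, ev["ts"])
        p.last_seen = max(p.last_seen, ev["ts"])
        p.devices.add(ev["device"])
        p.targets.add((ev["dst"], ev["dport"]))
        p.events += 1
    return profiles


def classify(p, window=timedelta(minutes=30), min_targets=3):
    """
    coordinated: the same source hit two or more ingress points inside the
                 window, which random internet scanning rarely does on purpose
    scan:        one ingress point, but several distinct host/port targets
    noise:       anything else. Low-and-slow activity spread beyond the window
                 is deliberately downgraded to scan or noise by this simple rule.
    """
    inside_window = (p.last_seen - p.first_seen) <= window
    if inside_window and len(p.devices) >= 2:
        return "coordinated"
    if len(p.targets) >= min_targets:
        return "scan"
    return "noise"


def triage(raw_log, **kw):
    """Return {source_ip: verdict} for a block of log text."""
    profiles = build_profiles(raw_log.splitlines())
    return {src: classify(p, **kw) for src, p in profiles.items()}


# Constructed sample: three ingress devices, three sources, one non-event line.
SAMPLE_LOGS = """\
2006-01-23T09:00:01 fw-edge-1 DENY src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp
2006-01-23T09:00:04 fw-edge-2 DENY src=203.0.113.7 dst=198.51.100.20 dport=22 proto=tcp
2006-01-23T09:00:09 vpn-gw DENY src=203.0.113.7 dst=198.51.100.30 dport=443 proto=tcp
2006-01-23T09:01:00 fw-edge-1 DENY src=192.0.2.44 dst=198.51.100.10 dport=135 proto=tcp
2006-01-23T09:01:01 fw-edge-1 DENY src=192.0.2.44 dst=198.51.100.10 dport=139 proto=tcp
2006-01-23T09:01:02 fw-edge-1 DENY src=192.0.2.44 dst=198.51.100.10 dport=445 proto=tcp
2006-01-23T09:05:00 fw-edge-2 DENY src=192.0.2.99 dst=198.51.100.20 dport=80 proto=tcp
Jan 23 09:05:03 fw-edge-2 link state changed: up
"""

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{src:15} {verdict}")
```

The point of the exercise is that the only join key needed is the source address and a time window, which every perimeter device already logs; no agents, schemas or maps are required. Two caveats a practitioner should keep in mind: sources behind a NAT or a spoofed source address will blur the picture, and an attacker who probes one ingress point per hour falls outside the window and lands in the "scan" or "noise" buckets, so the window is a tuning knob, not a fact.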
Sure, there are lots of more sophisticated things you can be doing, but in my experience, pulling all the data together, adding triggers and fancy maps, and doing advanced correlation do not provide adequate return on investment (of either time or money). Unless you are a service provider or have a huge internal network, very sophisticated security management is usually not worth the effort.
Many end users have a hodge-podge of equipment for any number of reasons. The urge is always to invest in management to provide a consistent interface for inconsistent equipment. Resist this urge. Instead, take a long hard look at selecting a strategic vendor and moving towards a more homogeneous environment. I wouldn’t be surprised if the cost of upgrading the equipment to something consistent and thus more manageable was less than investing in a myriad of third party tools to manage the existing mess. Management band-aids are not the solution; rationalizing your infrastructure is.
On the positive side, one place to invest this year is reporting and documentation. That is strictly to address the “C” word, compliance. You’re already gathering a good amount of log data and being able to massage the data and produce a report which shows the effectiveness of the controls in place helps to bolster compliance efforts.
That’s all for Day 8. We’re about two-thirds of the way through the Incites. Stay with me. We’ll dive deeper into managed security services tomorrow.