Perimeter
7/31/2012
11:40 AM
Wendy Nather
Wendy Nather
Commentary
50%
50%

The Most Expensive Part Of The Monitoring System

That would be the carbon-based life forms

Any security monitoring system comes with a certain amount of good old-fashioned alerting: that is, identification of deviations from an expected state, and bringing them to the attention of a response unit. Picking up a deviation is easy; interpreting it in the context of a whole running system, on various layers, and with business activity is something else entirely.

The more intelligent analytics today can work with clever algorithms and heuristics to define more complex deviations based on historical activity -- for example, a "learning" monitoring system can record network or user activity and alert on events that exceed thresholds from that baseline, such as being able to tell the difference between human-speed clicking through Web pages and automated probes.

But there’s just no substitute for an admin with intimate knowledge of the system who can look at something and immediately say, "That doesn’t look right." Or who can say, "Oh yeah, we meant to do that, don’t worry about it."

Once, we got a database activity monitoring product set up, and happily started watching the transactions it captured. But I saw a username that wasn’t like any other that we’d ever created -- it was the name of a well-known fictional character, and it was accessing some very sensitive records. I went tearing down the hall in a panic to the DBA lounge, asking them if they’d ever heard of this user who looked like an intruder. It turned out to be a legacy database account with admin rights that they couldn’t get rid of. The database admins had that historical knowledge and day-to-day context that I didn’t have.

A DBA, a developer, a network admin, and a security person can all look at the same events and interpret them in their own contexts. They can also get different information out of those same entries. They’ll know who normally adds firewall permissions in response to personal visits from the CIO and for what purposes, such as one-day access to a test server to demo an application for a hotel conference room full of VIPs (and, of course, nobody remembered that they needed the access until after the danishes had been passed out). This is the sort of thing that you just can’t program, no matter how many brainiacs you have working on your SIEM.

The end result is that your monitoring simply can’t work without a sufficient supply of carbon-based life forms.

Tuning, day-to-day monitoring, and response all have to be done by these very expensive components -- and remember that good, security-minded technical talent is hard to come by. This is what trips up some organizations: They think that putting in an automated log management and intrusion detection system will replace people, and it won’t. It can make the staff’s life easier, sure, but it can’t do all the work. In fact, in complex environments it can’t even do half the work.

If you think about it, no one person in your organization can know simultaneously what’s going on in the accounting system, on the legal team, in lines of business, in procurement, on the network, in development and testing, and on the Exchange server (although I once worked for a brilliant COO who came damn close to being able to do it). If a person can’t know all the context to interpret events, then neither can a SIEM.

A SIEM installation requires a heavy investment up front to get it started, but it also requires an ongoing investment in humans to keep it running. This is what can put security monitoring and intrusion detection beyond the reach of under-funded enterprises. Prevention products tend to be less expensive than detection products in terms of the number of knowledgeable people needed to make them work effectively. A prevention product may plausibly be marketed as "set and forget," but you can never, ever "set and forget" monitoring. Your environment is too dynamic and complex for that -- and so are the threats that you’re trying to detect.

When you get a bid for a security monitoring system, go ahead and double the number in your mind to add the people requirements. That way you'll have a better chance of success in your project.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.