Perimeter
7/31/2012
11:40 AM
Wendy Nather
Wendy Nather
Commentary
Connect Directly
RSS
E-Mail
50%
50%

The Most Expensive Part Of The Monitoring System

That would be the carbon-based life forms

Any security monitoring system comes with a certain amount of good old-fashioned alerting: that is, identification of deviations from an expected state, and bringing them to the attention of a response unit. Picking up a deviation is easy; interpreting it in the context of a whole running system, on various layers, and with business activity is something else entirely.

The more intelligent analytics today can work with clever algorithms and heuristics to define more complex deviations based on historical activity -- for example, a "learning" monitoring system can record network or user activity and alert on events that exceed thresholds from that baseline, such as being able to tell the difference between human-speed clicking through Web pages and automated probes.

But there’s just no substitute for an admin with intimate knowledge of the system who can look at something and immediately say, "That doesn’t look right." Or who can say, "Oh yeah, we meant to do that, don’t worry about it."

Once, we got a database activity monitoring product set up, and happily started watching the transactions it captured. But I saw a username that wasn’t like any other that we’d ever created -- it was the name of a well-known fictional character, and it was accessing some very sensitive records. I went tearing down the hall in a panic to the DBA lounge, asking them if they’d ever heard of this user who looked like an intruder. It turned out to be a legacy database account with admin rights that they couldn’t get rid of. The database admins had that historical knowledge and day-to-day context that I didn’t have.

A DBA, a developer, a network admin, and a security person can all look at the same events and interpret them in their own contexts. They can also get different information out of those same entries. They’ll know who normally adds firewall permissions in response to personal visits from the CIO and for what purposes, such as one-day access to a test server to demo an application for a hotel conference room full of VIPs (and, of course, nobody remembered that they needed the access until after the danishes had been passed out). This is the sort of thing that you just can’t program, no matter how many brainiacs you have working on your SIEM.

The end result is that your monitoring simply can’t work without a sufficient supply of carbon-based life forms.

Tuning, day-to-day monitoring, and response all have to be done by these very expensive components -- and remember that good, security-minded technical talent is hard to come by. This is what trips up some organizations: They think that putting in an automated log management and intrusion detection system will replace people, and it won’t. It can make the staff’s life easier, sure, but it can’t do all the work. In fact, in complex environments it can’t even do half the work.

If you think about it, no one person in your organization can know simultaneously what’s going on in the accounting system, on the legal team, in lines of business, in procurement, on the network, in development and testing, and on the Exchange server (although I once worked for a brilliant COO who came damn close to being able to do it). If a person can’t know all the context to interpret events, then neither can a SIEM.

A SIEM installation requires a heavy investment up front to get it started, but it also requires an ongoing investment in humans to keep it running. This is what can put security monitoring and intrusion detection beyond the reach of under-funded enterprises. Prevention products tend to be less expensive than detection products in terms of the number of knowledgeable people needed to make them work effectively. A prevention product may plausibly be marketed as "set and forget," but you can never, ever "set and forget" monitoring. Your environment is too dynamic and complex for that -- and so are the threats that you’re trying to detect.

When you get a bid for a security monitoring system, go ahead and double the number in your mind to add the people requirements. That way you'll have a better chance of success in your project.

Wendy Nather is Research Director of the Enterprise Security Practice at the independent analyst firm 451 Research. You can find her on Twitter as @451wendy.

Wendy Nather is Research Director of the Enterprise Security Practice at independent analyst firm 451 Research. With over 30 years of IT experience, she has worked both in financial services and in the public sector, both in the US and in Europe. Wendy's coverage areas ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.