Departmental politics, bureaucratic fiefdoms, and petty personal motives can all play a big role in breaking the best of monitoring intentions. Rick Caccia, vice president of product marketing of HP's ArcSight, recently had this fact illustrated vividly when he visited a security professional in the field. The security guy was an ArcSight customer who had used the SIEM for security logging and correlation for some time, but whose company used a different product to collect logs for IT operations.
"I said, 'I don't understand why you don't collect those logs, too. You're happy with the product, you have plenty of storage space, there are no licensing restrictions. So why don't you collect the IT stuff?'" Caccia recounts. "He said, 'Well, I probably should, but the problem is if I start collecting some of their data for my analysis, the first thing they're going to do is say I'm now responsible for maintaining all of the IT logs and dump that onto me. I don't want to pick up their job for them.'"
According to Caccia, this is an important type of issue that has nothing to do with technology and everything to do with leadership and team building. And it is one that security consultants, service providers, analysts, and vendors report as one of the leading causes of monitoring failure. There are no overwhelming statistics out there to support the claim, but security veterans have certainly collected a heap of relevant war stories.
"I couldn't think of only one story to tell. I have so many, both from personal experience as well as client experience," says Mike Murray, managing partner at MAD Security. "My favorite one involved a Fortune 100 organization whose security team discovered a rampant botnet infection, but was told by the desktop group -- which happened to be the group that the CIO used to run -- that 'no problem existed,' and they suddenly found all access to the firewall and AV admin consoles revoked."
Jon Heimerl, director of strategic security at managed services firm Solutionary, says he sees IT politics at play all of the time. One time, he saw an IT group that ran an organization's external firewall pooh-pooh the notion of managing firewall rules and individual connections through the firewall.
"Their feeling was that it just took too much of their time to manage. To solve their 'problem,' they installed a network route around the firewall, which allowed unscreened, unfiltered, unlogged access to their internal network," Heimerl says. "They deliberately excluded the modified system from logging and monitoring so that the enterprise network would not see the modified system, the unapproved changes, or the traffic from the external network."
This "patch" in the firewall configuration remained on the system for at least five years before the "improvement" was discovered, Heimerl says.
And it isn't just intradepartmental IT rivalries that can ruin monitoring initiatives. There is the age-old issue of IT and line-of-business conflict as well. For example, Heimerl tells of a marketing department at a large high-tech retailer that wanted to do test marketing and exchange information with partners without going through the "red tape" of involving IT.
"They thought the formal process would make things too complicated, would increase cost, and would take too long," he says. "So they just bypassed corporate IT and security completely."
The marketing folks forged ahead, putting a website online that used default services, users, and passwords on an unpatched system. Solutionary found the site during external testing that the firm's IT department had hired it to do.
"During external testing, we identified the vulnerable marketing system almost immediately, and were able to jump into the corporate network within minutes, effectively bypassing their firewalls completely. Fortunately, we found the gaping hole within minutes of testing," Heimerl says. "Unfortunately, the system had been up for months, they had no logging, no monitoring, and otherwise had so little security on this system that we were unable to tell if anyone else had used the same path to breach their network."
Miscommunication among groups is commonplace in many enterprises, says Joe Gottlieb, CEO of security information and event management tool vendor SenSage. "We see customer challenges in this area all the time," he says.
"Typically, it's an anomaly that the network security team spotted [an issue] a week before an advanced persistent threat occurred -- but they didn't see the full picture, so they fixed their policy setting and moved on," Gottlieb says. "Had they shared that information with the endpoint guys, they might have correlated other incidents that pointed to an attack.
"It's not just the monitoring results that aren't shared -- many times, a policy is set in one group which affects another group," Gottlieb adds. "But again, because they don't have established processes of sharing, it's only discovered when something disrupts the infrastructure. For example, the application guys make available a certain app to mobile users. They don't indicate that to the endpoint or network guys, and this introduces both policy disruption and potential system/network issues."
These are obviously not easy problems to solve, Murray says. In order to begin to make headway, technologists need to sharpen their people skills.
"This is a business problem that security/IT people can't solve the way we like to solve things. We tend to want to approach our problems from a controls perspective. We search for solutions that can be easily codified and implemented," he says. "But problems like these are more people problems, and we in IT -- and security, especially -- need to become more adept at navigating the landscape of the organizational quid pro quo."
This people-handling minefield might seem like a big stumbling block for technologists. However, IT and security folks' technically geeky nature could actually end up being a big boon in helping to start meaningful change that will improve security monitoring and policy enforcement, says Idan Shoham, co-founder and CTO of Hitachi ID Systems.
"The issue is 100 [percent] a business issue," he says. "I see IT increasingly being the driver for business process improvement, even for processes that are not particularly focused on technology or on the movement of digital data. The reason for that seems to be that IT people have both an inclination and an ability to look at business processes in a methodical and critical manner, more so than any other business group."