Chief information security officers and other security professionals are in a bind. IT budgets are tight and CIOs are looking for cuts in their biggest budget line item: ongoing operational costs.
At the same time, regulations – like PCI and the UK government CoCo mandate – are adding a compliance process and reporting burden to IT. Finally, of course, the threat landscape continues to morph with more insidious threats emerging and overall risk increasing. What is a CISO to do?
Firstly, asking existing staff to 'just-do-it' with technology already in place is a cop-out. I have met with customers who have tried to address their added burdens of compliance reporting with existing products and tools, and it is a losing proposition that wastes valuable security staff, forcing them to trawl through logs or follow manual processes to address reporting requirements.
Modern log management products solve the log collection and compliance problem, and they solve it well for just about every regulatory mandate. While this adds to initial capital cost, a well-selected (automated) solution should not add to ongoing operational costs and should in fact free up existing security staff for more strategic, security-related work.
Second, log management alone is not enough to solve the added security burden that CISOs face. While the compliance problem is addressed and forensics become more automated, there is still a gaping 'intelligence hole'. Recently, I met with the CISO of a large enterprise with a very mature (and very large) logging and compliance solution. His collection and reporting infrastructure is probably one of the best in the world and gets the job done for compliance, but he is very frustrated.
Despite the mountain of logs collected, his teams cannot get actionable intelligence out of the data. His company is now looking to add a more sophisticated analytics layer to make sense of the morass of security data now available to him. Do CISOs today have to face the same outcome? No, they don't.
A very large oil company (not the one spilling into the Gulf of Mexico) I know of has deployed a worldwide, integrated SIEM and Log Management solution; two billion logs and records are collected daily, thus solving the compliance and reporting problem. The real kicker, though, is that because of 'security intelligence' analytics, these 2 billion records are reduced to 24 actionable 'offenses' to be managed on a daily basis – thus also addressing a pressing need for security surveillance.
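The reduction described above (billions of raw records collapsing into a few dozen offenses) is what correlation rules do: raw events are grouped by source and rule, and a single offense is opened only when a threshold is crossed, with every later related event attached to that same offense rather than opening a new one. The toy correlation engine below is an added illustration, not code from this article or from any vendor's product; the log lines, the two rules (a burst of failed logins followed by a success, and one source hitting many distinct ports) and the thresholds are all constructed for the example.

```python
"""Toy correlation engine: collapse raw log events into a handful of offenses."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Timestamps are ISO-8601.
RAW_EVENTS = [
    # 8 failed SSH logins from one source within a minute, then a success
    *[f"2010-06-01T10:00:{i:02d} sshd: Failed password for admin from 203.0.113.5" for i in range(8)],
    "2010-06-01T10:00:09 sshd: Accepted password for admin from 203.0.113.5",
    # 12 firewall denies from one source to 12 different destination ports
    *[f"2010-06-01T10:05:{i:02d} fw: DENY src=198.51.100.7 dst=10.0.0.20 dport={20 + i}" for i in range(12)],
    # 3 failed logins from another source: below threshold, stays as noise
    *[f"2010-06-01T11:00:{i:02d} sshd: Failed password for bob from 192.0.2.9" for i in range(3)],
    # ordinary successful logins, no offense
    "2010-06-01T11:30:00 sshd: Accepted publickey for alice from 192.0.2.10",
    "2010-06-01T11:31:00 sshd: Accepted publickey for carol from 192.0.2.11",
]

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) \S+ for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw: DENY src=(\S+) dst=(\S+) dport=(\d+)$")

# Illustrative thresholds (assumptions for this example, not product defaults)
FAIL_THRESHOLD = 5   # failed logins from one source inside WINDOW
SCAN_PORTS = 10      # distinct denied ports from one source inside WINDOW
WINDOW = timedelta(seconds=60)


def parse(line):
    """Normalise one raw line into an event dict, or None if it is unrecognised."""
    m = AUTH_RE.match(line)
    if m:
        ts, outcome, user, src = m.groups()
        kind = "auth_fail" if outcome == "Failed" else "auth_ok"
        return {"ts": datetime.fromisoformat(ts), "kind": kind, "src": src, "user": user}
    m = FW_RE.match(line)
    if m:
        ts, src, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "kind": "fw_deny", "src": src, "dport": int(dport)}
    return None


def correlate(lines):
    """Return (number of parsed events, list of offenses). One offense per (rule, source)."""
    events = [e for e in (parse(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    offenses = {}                      # (rule, src) -> offense record
    recent_fail = defaultdict(list)    # src -> failure timestamps inside WINDOW
    recent_ports = defaultdict(dict)   # src -> {dport: last seen ts} inside WINDOW

    for e in events:
        src = e["src"]
        if e["kind"] == "auth_fail":
            q = recent_fail[src]
            q.append(e["ts"])
            recent_fail[src] = q = [t for t in q if e["ts"] - t <= WINDOW]  # slide the window
            key = ("brute_force", src)
            if key in offenses:
                offenses[key]["events"] += 1          # attach to the open offense
            elif len(q) >= FAIL_THRESHOLD:
                offenses[key] = {"rule": "brute_force", "src": src, "severity": 5,
                                 "events": len(q), "first": q[0]}
        elif e["kind"] == "auth_ok":
            key = ("brute_force", src)
            if key in offenses:
                # A success after a burst of failures escalates the existing offense
                offenses[key]["severity"] = 9
                offenses[key]["events"] += 1
                offenses[key]["note"] = f"successful login as {e['user']} after failures"
        elif e["kind"] == "fw_deny":
            ports = recent_ports[src]
            ports[e["dport"]] = e["ts"]
            for p, t in list(ports.items()):          # expire ports outside the window
                if e["ts"] - t > WINDOW:
                    del ports[p]
            key = ("port_scan", src)
            if key in offenses:
                offenses[key]["events"] += 1
            elif len(ports) >= SCAN_PORTS:
                offenses[key] = {"rule": "port_scan", "src": src, "severity": 4,
                                 "events": len(ports), "first": min(ports.values())}
    return len(events), list(offenses.values())


if __name__ == "__main__":
    total, found = correlate(RAW_EVENTS)
    print(f"{total} raw events -> {len(found)} offenses")
    for o in found:
        print(o)
```

Run as a script it reports 26 raw events collapsing into 2 offenses; the three sub-threshold failures from 192.0.2.9 and the ordinary logins are retained as raw events for forensics but never surface as something an analyst has to triage. Whatever the product, this is the design point to probe during selection: does every matching event open a new alert, or does it attach to the offense already open for that source?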
Last, but certainly not least, the lot of the CISO has clearly changed. During the early days, the technology-focused CISO could only select a siloed security product to solve a specific security problem. Different security problems were addressed, but technology proliferated throughout the enterprise. Now, CISOs are being asked to solve security problems in terms of how they affect the business. Budget, efficiency and operational cost considerations are used to measure the effectiveness of the CISO, in addition to security. When it comes to compliance and security, how to automate key processes is the question. But selecting another narrow point product is not the answer! Instead, CISOs must look to more comprehensive solutions that offer:
Intelligence: Your solutions should have sophisticated analytics that add intelligence to your operation. The CISO I mentioned earlier selected his not-so-smart log management solution when there was no real alternative, but that is not true today. If your budget won't let you purchase all capabilities today, make sure your technology solution will get you there easily without having to purchase yet another product.
Integration: Disparate point products add operational cost and will be prime targets for the CIO's budget-cutting axe. Look to technologies that integrate multiple functions and reduce the number of 'consoles' your staff has to monitor all day. Your selected solutions should reduce the number of products you have to manage today and in the future.
Automation: Demand auto-discovery, auto-tuning and hundreds of out-of-the-box 'intelligence' rules. You should not have to bake this cake from scratch! Stay away from first-gen SIEMs that need armies of professional services staff to get up and running, and that require your staff to get a PhD in tuning.