Can’t see the wood for the trees?

By on
Can’t see the wood for the trees?

As CISOs, we have to play a long game, focusing on longer-term investments in security that might take years to mature, but will make our businesses ultimately more secure. And the longest game I play is with security monitoring.

The passage of data over the web is a critical part of doing "good" business, but it brings new scales of risk. Threats are magnified by allowing much greater impact and a bewildering speed of spread. Mass malware attacks such as Sasser and Slammer have illustrated this with chilling effect.

Business organisations just cannot react at this speed. Equally, the internet threats that hit one organisation may spread to many. So the security of one business now depends on the security of many, as illustrated by the various distributed denial of service (DDoS) attacks.

So we must monitor the internet threat and respond quickly and effectively. This has not historically been done.

The main step to effective security monitoring is to achieve advances in the technology tools, together with business-to-business spread of best practice. But this needs to go beyond the faddish attempts to find the "silver bullet" through technology such as IDS or IPS.

Not only will no single technology be enough, but technology without process is never entirely effective. The "IDS is dead" message is not an example of failure in technology, but in understanding and process. We need to devote more intellectual energy and sheer manpower to the task of making good use of the monitoring data being generated.

Only through intelligent filtering and less data will we see the few, clear messages about the state of our security.

This means three things: monitoring technology that enables intelligent filtering; integration of technologies to allow cross-tool filtering; and a risk method to selecting the sources of monitoring data to focus on, thus reducing the size of the problem from the start. This filtering is not only important to make sure that the volume of monitoring is more practical, but also to increase its speed – do less, but more focused and faster.

So how can we take risk data out of the theory or system development stage and apply it rigorously?

I believe it means some form of risk automation – to assess risk, compile records of risk ratings, and apply that data to select which assets to monitor.

But the current available tools are still maturing. More seriously, they are not easy to manage on any network scale and almost never allow for easy data integration, even within one vendor's products.

We must demand better tools from vendors, and for better co-ordination among them on common standards and APIs. Without this, our businesses are at risk – from the internet and from each other's lack of real security.

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?