The effective security buyer

Sometimes I’m glad I keep around the mounds of free trade publications that tend to pile up on my desk.  About once a month I start going through the stack but I never quite finish.  I got through placing 4 or 5 publications into the recycling bin before I read How to be an effective security buyer by Andreas M. Antonopoulos in the May 2011 on-line edition of Network World. This article (more than others I’ve read) takes a basic and practical approach to the hard buying decisions (and trade-offs) we all have to make.  The buying decision criteria is crisp and fresh and discourages simply relying on vendors that would “draw you into a single-vendor closed integration package” of stuff.  His contention is, “If all security buyers make slightly different choices, the industry will shift, dramatically and rapidly. There has never been a greater need for change in our industry.” Below is the criteria, how Splunk fits neatly into the criteria and can play a significant role in the security of your organization.

Here are some of his quick tips on how to be an effective “buyer” of security:

“Never buy a single purpose tool: Instead, make sure every tool or appliance you buy can be applied to different types of risk and attack.”

The first type of tool that comes to mind is the unified threat management firewall. Gone are the days when this type of device couldn’t scale for large enterprises. The gateway firewall is now your anti-spam solution, an IPS, and, anti-malware solution and more.  He goes on to say, “Evaluate whether the tool or security solution covers: External and insider attacks, Malicious and inadvertent incidents, Know and unknown threats, Automated and targeted attacks, and Heterogeneous OS and platforms (including mobile).”

Splunk with its ability to accept any kind of data can be used as a platform to monitor for application, OS, and network layer attacks. Given the right kinds of data inserted into Splunk and the statistical analysis and correlation capabilities built into the search language, Splunk can move beyond classic security use cases to detect and monitor for fraud and insider theft.

“Avoid management feature overlap.”

“You don’t need another reporting engine for compliance. You need the tool to integrate with your existing reporting engine.” Every tool seems to come with some kind of compliance reporting functionality of its own and a way to get the data into a data management system. In addition, all of these point solutions have their own alerting functionality. Face it, there will not be wide adoption of any standard supplied by a vendor. Syslog, syslog-ng, a wide variety of XML formats, and the odd ‘we-log-everything-to-this-file’ will be the way things are for the foreseeable future.

Splunk is a single system that can accept any ASCII text, and centralizes all logging and auditing across the IT architecture employing role based access controls, policy management, with configurable real-time alerting and notifications.

“Focus on assets, not threats.”

“If attackers can simply switch attack vectors, they will. If they have to switch targets you have disadvantaged them.” This reiterates the need to buy tools that can provide more than one type of protection. In my opinion, this is also signal that its really all about data protection and asset prioritization. Tools that provide the asset (and data) protection need to be monitored to ensure assets and the data they contain are accessed only at the right time, by the right person, and that data and application integrity is maintained.

Splunk allows the user to create automated risk-based searches that provide time-based correlations monitoring patterns of weak signals that can mean new threats to assets and the data they contain.  More important, owing to the scalability of Splunk, these patterns can be observed over long periods of time and trended so that business decisions can be supported.

“Mortar, not Bricks.”

“Buy “glue” software and security solutions that tie together various controls, monitoring systems, notification systems, etc.”  System data generated by security systems, applications, physical security systems, OSs, and other systems are all purchased in support of IT operations, Security, compliance, web analytic, etc. Each of these systems purchased for each operational siloed use case can work together.  What security professional wouldn’t want visibility into the web analytic data to see how many time the user visited the site and where they clicked prior to a cross-site scripting attack.  What security professional wouldn’t want system performance data to know that half the web servers spiked to 90% CPU utilization without any configuration change on a load balancer, no indicator from a security system, and without a change or upgrade to the OS or application.

With Splunk as the glue spanning device types and use cases, silos are broken down, there’s an increase in speed getting to root cause, and less finger pointing.

“Empower people.”

“Security cannot be automated as much as you’d like… empower the people by giving them tools that multiply their impact and productivity, instead of trying to replace them.” As much as there is a temptation to look for a solution that lets me reduce the number of FTEs working on the security team, automating everything, relying on vendor supplied rules and alerts and canned reports isn’t making anyone more secure. In an attempt to automate security, many vendor solutions only succeed in numbing and dumbing-down security.  Security outcomes are preordained based on what vendors tell us and not what we look for ourselves. The focus needs to be on tools that encourage security people to ‘think like criminals’ and spend their time using their imaginations asking the data ‘what-if’ questions that lead to better security.

Splunk allows for a level of creativity that lets the security professional ask questions of their data in real-time without touching production systems or security devices themselves.  While there needs to be an overarching security policy and specific dashboards of metrics created to support monitoring for trends, Splunk allows for the security analyst to create their own dashboards about things they find of interest (or concern). Creativity is becoming a scarce commodity and it need to be nurtured.

“Standards, Standards, Standards.

“Interoperability and “glue” infrastructure requires open APIs, open protocols, open formats and open standards.” OK yes the lack of standards can be a bad thing. It does make things harder when we want to unify our view of security across multiple systems and multiple use cases. This problem has been around for at least the 15 years I’ve been in the security space. Not every vendor will ever support the same sets of standards and we all need to get over it.

With Splunk’s ability to accept any kind of ASCII text, technology has finally caught up to this problem. I really don’t think this is that big a deal. Sure, for those organizations that run more than one type of firewall or AV in their organizations because of M&A activity – hey, its a challenge to report on the security health of an entire organization. Splunk allows for normalization of data at report time so that firewall messages DENY and BLOCK can be normalized to a single term and reported on in a unified way.

This article is great if we could all start from scratch in buying our security architecture products and solutions. We all need to buy the best and right tools for the right job(s) we can. But, getting Splunk can be the pain reliever we need to get our security architecture working together, provide an integrated approach to many use cases, and support the kind of creativity we’ll all need to keep ahead of the next wave of threats.

Posted by