From: NetIQ
by Michele Hudnall
Threat detection and management will need to monitor continuously and in business context, weighted by level of risk. Given rapid change, growing information requirements, environment complexity, the growing number of devices, explosive data growth and growing real-time analysis requirements against that data, the risk of threats to the organization is growing exponentially. It will no longer be acceptable to audit for compliance at fixed intervals. Real-time, service-contextual threat risk will be a monitoring requirement in 2013.
Current Conditions . . .
There have long been dividing walls between the development, data center operations and security organizations – one builds things, one just runs things and the last just secures things. With the growing consumerization and BYOD within organizations, many analyst firms now discuss DevOps. DevOps refers to the closing gap between the application development and operations organizations, where applications and services must be developed with manageability in mind to support an AppStore and BYOD environment. In June I posted a piece discussing not just DevOps, but DevOpsSec. Security, risk and threat management can no longer be left as an audit / certification function performed at static times and summarizing overall risk. In fact I would go so far as to state that static, after-the-fact compliance reporting is useless, as it merely reports past risk and past compliance. Threat monitoring must be continuous and in the context of the business and potential impact, and its relevance has risen in priority now more than ever with the proliferation of devices, use of data and virtual boundaries.
Awareness of this convergence and requirement is visible in the Federal Government, as one example: the Department of Homeland Security (DHS) and the numerous articles discussing its Continuous Monitoring initiative. It is no longer enough to audit; agencies scan daily, seeking out vulnerabilities and the relative risk those vulnerabilities present to each agency. Another example is Heartland after the 2009 theft of ~94 million credit card records, and the security-infused culture it has since built, as discussed in a recent article, “Heartland CSO Instills Novel Culture that Promises Proactive and Open Responsiveness to IT Security Risks”. The interesting concept in this discussion is Security-as-a-Culture. Again, auditing becomes proactive and continuous rather than static, and security is a core principle of the organization as a culture.
There is a lot of discussion about compliance and certifications, yet those that suffer a breach have always been compliant and certified. These static audits and checks for compliance merely document and check boxes that controls and processes are being adhered to; they say nothing about the current level of threat and potential impact. Breaches, like service outages, are usually caused by changes, whether approved or unapproved, which illustrates the point that static audits do not adequately secure the environment: they neither monitor for these changes nor put the threat risk in the context of business impact. A recent article in Networkworld discusses “Why Risk Management Fails in IT”.
Gartner forecasts that Big Data will drive $34 billion of IT spending in 2013 (“Gartner: Big Data to Drive $34 Billion of IT Spending in 2013”). The mindset is shifting from securing things to securing the data and information, since it can be accessed from anywhere, at any time and from any device. I was privileged to participate in a recent Huff Post Live segment and posted on the discussion (Tech Game Changers), where we also addressed this subject of openness of data and the transformation of industries through apps built on top of the data via open access. Security should not hinder the speed of that transformation; the attitude should rather be that the good far outweighs the bad. Several industries (Healthcare, Federal, Retail, etc.) are undergoing great transformation driven by Big Data, and their approach to security is transforming too (more on that subject in “Big Data or Big Brother? Security – Value Analytics – Privacy?”).
Dr. Anton Chuvakin, Gartner Research Director, recently conducted a webinar on the “Future of Security Monitoring and SIEM” that also discusses the transformation of current security practices. Data from the Verizon DBIR 2012 indicates:
- 84% of investigated breaches had log data available
- 85% of breaches took weeks or more to discover
- 92% of incidents were discovered by a third party
These metrics mirror data center operations metrics for outages: the time spent triaging an outage and the outages reported by customers. The common challenge is viewing disparate events and metrics in isolation and reporting after the fact, rather than in real time and in the context of the service and its business impact. Dr. Chuvakin concludes his webinar with thoughts on what is emerging as, for lack of a better term, Application Security Monitoring. I would suggest it is the Service, not just the application. Today Service and Application are used interchangeably, but many services are made up of many applications, and again we must get away from monitoring technology and move to monitoring Services.
Final Thoughts . . .
The time has come for operational and security events to converge, be contextualized and be monitored in real time. The Real-time Service View must answer both the current availability / performance of a service and the current level of threat, with business impact considered. Putting both operational and security events in the context of the service and monitoring them in real time reduces the time required to detect and triage, and will turn a reactive organization into a proactive one that avoids breaches and outages impacting the business.
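To make the Real-time Service View concrete, here is a small added example (not code from the original post or from NetIQ) that scores services rather than individual hosts. It assumes a hypothetical service catalog in which each service is composed of several hosts and carries a business-impact weight, a simple event schema shared by operational and security feeds, and constructed sample events; the weights and the 15-minute window are assumptions chosen for illustration. It also contrasts this with a point-in-time audit, which only checks that controls exist and cannot see an unapproved change that happened after it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed service catalog (hypothetical): a service is made up of several
# applications/hosts and carries a business-impact weight (1 low .. 5 critical).
SERVICES = {
    "online-payments": {"impact": 5, "components": {"web-01", "app-01", "db-01"}},
    "internal-wiki":   {"impact": 1, "components": {"wiki-01"}},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str          # "ops" or "security"
    kind: str            # e.g. "config_change", "latency_high", "auth_failures"
    severity: int        # 1 (low) .. 5 (critical)
    approved: bool = True  # for change events: did the change go through change control?


T0 = datetime(2013, 1, 7, 9, 0)

# Constructed sample events (not real telemetry), mixing ops and security feeds.
EVENTS = [
    Event(T0 + timedelta(minutes=1),  "app-01",  "security", "config_change", 3, approved=False),
    Event(T0 + timedelta(minutes=4),  "app-01",  "ops",      "latency_high",  2),
    Event(T0 + timedelta(minutes=6),  "db-01",   "security", "auth_failures", 2),
    Event(T0 + timedelta(minutes=12), "wiki-01", "security", "config_change", 3, approved=False),
    Event(T0 - timedelta(days=2),     "web-01",  "security", "vuln_found",    4),  # stale, outside window
]


def component_service(host):
    """Map a host back to the service it belongs to (None if unmapped)."""
    for name, svc in SERVICES.items():
        if host in svc["components"]:
            return name
    return None


def event_weight(ev):
    """Raw event weight; unapproved changes are doubled because breaches,
    like outages, usually follow changes."""
    weight = ev.severity
    if ev.kind == "config_change" and not ev.approved:
        weight *= 2
    return weight


def service_risk(events, now, window=timedelta(minutes=15)):
    """Real-time service view: score each service from recent ops and security
    events, multiplied by the service's business impact."""
    scores = {name: 0 for name in SERVICES}
    for ev in events:
        if not (now - window <= ev.ts <= now):
            continue  # only what is happening now, not history
        svc = component_service(ev.host)
        if svc is None:
            continue
        scores[svc] += event_weight(ev) * SERVICES[svc]["impact"]
    return scores


def top_service(events, now):
    """Which service should be triaged first, in business context."""
    scores = service_risk(events, now)
    return max(scores, key=scores.get)


def static_audit(controls):
    """Point-in-time compliance check: passes if every control is in place.
    It says nothing about changes made after the audit."""
    return all(controls.values())


def unapproved_changes_since(events, last_audit):
    """What a continuous view catches that the last audit could not."""
    return [ev for ev in events
            if ev.kind == "config_change" and not ev.approved and ev.ts > last_audit]


if __name__ == "__main__":
    now = T0 + timedelta(minutes=15)
    print("audit passed:", static_audit({"change_control": True, "patching": True}))
    print("service risk:", service_risk(EVENTS, now))
    print("triage first:", top_service(EVENTS, now))
    print("unapproved changes since audit:",
          [(e.host, e.ts.isoformat()) for e in unapproved_changes_since(EVENTS, T0 - timedelta(days=1))])
```

The same raw event (an unapproved configuration change of severity 3) scores 30 on the payments service and 6 on the wiki, which is the contextual ordering a service-centric view gives and a per-host alert list does not; the two-day-old vulnerability finding drops out of the 15-minute window entirely and belongs to a separate backlog rather than to the real-time picture.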
I believe that in 2013 what has been a common operational requirement will be overshadowed by the explosive growth in attention to transforming threat management into real-time, continuous service monitoring.