By Mike Rothman, President, Security Incite and author of the Pragmatic CSO
http://securityincite.com or www.pragmaticcso.com
As the first article in a 6-part series on the specifics of log management, I want to introduce the concept of the Pragmatic CSO methodology and go into how/why the idea of log management is important to achieving the goals of the Chief Security Officer. This piece will lay the foundation for the journey we will take together over the next 6 months.
First and foremost, security professionals are under siege from all sides. Their bosses don’t understand what they do and why it costs so much money. It’s pretty unlikely that auditors would consider the CSO a friend either, given the traditionally acrimonious relationship between the security and audit teams. We shouldn’t forget the bad guys, who keep using new and innovative attacks to compromise personal information and steal critical intellectual property.
The typical security professional I work with has trouble getting funding for key projects, justifying his/her existence within the organization, and ultimately being perceived as relevant to the operations of the business. All of this impacts their ability to be successful in protecting the information assets of the organization. Yes, it’s a pretty big problem.
In over 15 years working in the security space and looking at the problem from all sides, I’ve pinpointed a rather conceptually simple reason for this issue. In a nutshell, security people talk technology and their customers talk the language of business. This disconnect has become a chasm and really impacted the ability of security professionals to be successful. So in order to be relevant moving forward:
“Security professionals must learn to talk the language of business.”
This is what being a Pragmatic CSO is all about. I have built a 12-step program (yes, very similar to those other 12-step programs) to help security professionals overcome their addictions to throwing new products at every new attack vector. To help these folks build a value proposition and run their security operation as a business. Basically to learn how to be comfortable in the executive suite, since that’s where we belong.
But before we get into those nuances, let’s level set a bit and talk about the five reasons that we do security in the first place. Here goes:
- Maintain business system availability
- Protect intellectual property
- Limit corporate liability
- Safeguard the corporate brand
- Ensure compliance
That’s it. I’ve asked hundreds of people for other reasons why we would do security and everything comes back to one of these core needs. That was liberating, eh? Now we know why we are doing this. Next, let’s discuss the Pragmatic CSO process a bit.
In a short piece, I can’t really get into a lot of detail about how the process works, but let me outline it based on the sections.
- Section 1: Plan to be Pragmatic – This first section is focused on figuring out what is important, taking a baseline of your environment and then managing the expectations of the senior team – so they know what you are up to and why.
- Section 2: Build a Pragmatic Security Environment – Next up we build a business plan to guide the operation of the security environment, secure funding for the critical projects and actually go out and buy some stuff.
- Section 3: Run your Security Organization Pragmatically – Then we spend time keeping things running, taking an aggressive monitoring approach to figuring out when you have a problem, building a containment strategy, training your users and testing your defenses.
- Section 4: Communicate Your Value – Finally you need to toot your own horn a bit and build a reporting, communications and compliance capability to substantiate what you do on a daily basis
Each of these sections is meant to help you get deeper and deeper into the business operations of your organization and spend your time protecting the “right” stuff, as opposed to all the stuff. You can get more detail on the Pragmatic CSO process at http://www.pragmaticcso.com/poster.html.
I know what you are thinking. What does any of this have to do with log management? It turns out to be a lot. The key requirement of Step 1 – Assess the Value of Your Business Systems is to understand what is really important to your business. Since no one (that I know anyway) has a money tree in the back of their office, you need to make hard decisions about what to do and how to prioritize your activities. How do you do that without knowing what business systems would crater your organization if they went down or were compromised?
Right, you can’t. So once you understand what is important, you need to be able to track the progress on how those resources are protected. You certainly could do a lot of praying and maybe that would ensure the critical business systems are protected. But in my experience, this leap of faith is one that senior executives don’t “get.” So we need some hard numbers or at least an idea that the trend is moving in the right direction.
The log management function, which gathers activity information about the devices (networks, servers, applications, etc.) that run these business systems in a forensically sound and very scalable way, provides that kind of information. You can see what’s working and what isn’t. You can set thresholds to help you understand what is going on in your environment, and be able to fine tune your defenses to ensure the right systems are protected at the right times. Step 7 of the Pragmatic CSO process is called “Operate/Monitor Your Environment” and log management is a key aspect of being able to do that.
Next month I’ll delve more deeply into this topic, providing detail on how to leverage log management in your operational processes and keep the trains running on time.
Until then, Be Pragmatic.
Cool Tools and Tips
Rightsizing your Log Management Solution
Log management expert Randy Franklin Smith discusses how to ensure your organization gets the most out of its log management investment, key requirements and architectural differences to consider, and caveats and risks to watch out for as you spec your log management requirements.
8 Sure-fire ways to beat a security audit
You might have your access control process fixed, but you probably haven't adequately trained your administrators on how to manage it. You might have your configuration and change control systems in place, but you probably haven't sufficiently documented the process for using them. If you've adopted strict security policies, your users likely have found a way of avoiding or bypassing them altogether.
Make no mistake -- auditors will find fault with your systems, your processes, and the people who operate them. They're auditors. It's their job.
Regulatory Compliance: Stay ahead to keep on top of issues
The key to regulatory compliance is the ability to enforce and monitor security policies and processes at any given time, all of the time. And an SMB must plan and maintain an effective security strategy for its business infrastructure from the onset to serve as a solid foundation for regulatory compliance.
Prism Microsystems and Type80 extend the power of Log management to the Mainframe Environment
Partnership provides large companies with unparalleled security and operational visibility that extends from the mainframe to the application level
Featured Success Story
Credit Union Central of Ontario automates compliance and proactively manages IT security with real-time alerting, advanced log analysis and defense-in-depth capabilities.
See Us At
Get the most out of your EventTracker investment with in-depth demonstrations and hands-on exercises that teach you how to use EventTracker to efficiently monitor, analyze and report on event log data for comprehensive enterprise-wide security, compliance and network optimization.
When: September 18th -19th 2007
Where: Columbia, MD
Register Now! Seats are Limited
This document is provided for informational purposes only. The information contained in this document represents the current view of Prism Microsystems, Inc. on the issues discussed as of the date of publication. Because Prism must respond to changes in market conditions, it should not be interpreted to be a commitment on the part of Prism and Prism cannot guarantee the accuracy of any information presented after the date of publication.
INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND FREEDOM FROM INFRINGEMENT.
The user assumes the entire risk as to the accuracy and the use of this document. This document may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included; 2) All copies must contain Prism's copyright notice and any other notices provided therein; and 3) This document may not be distributed for profit. All trademarks acknowledged. Copyright Prism Microsystems, Inc. 2005.
Prism Microsystems, Inc.
6990 Columbia Gateway Drive Suite 250
Columbia MD 21046
Back to Newsletters