CISO and the Three SIEMs

Published January 2017

Not your typical fairy tale…

Once upon a time, there was a security guy named CISO. Having recently implemented several firewalls and intrusion detection sensors in his corporate network, CISO quickly realized it was humanly impossible to keep up with the alerts and warnings he was getting. In an effort to make sense of all this data, CISO embarked on a long, mysterious journey to find a solution to this new problem. His goal was to prove to management that their investments would keep the organization safe and productive, and would protect the company’s brand and reputation. This was going to be a tough sell for CISO; after all, he had just convinced management to spend a significant amount of money on the best security devices he could find, and had not prepared them for the cost of a management solution. What CISO needed was a way to collect and analyze huge amounts of data so he could focus on his real job.

Surfing the Internet to research his plan, CISO was overwhelmed with reviews, blogs, tweets, and way too many religious and political opinions. He poked around for weeks, read whitepapers, talked to colleagues, and eventually found himself at a crossroads, deep in a forest called SIEM. “Do I take the road most traveled, or should I trust my instincts and blaze a new trail for myself?” CISO was a little overwhelmed and confused.

SIEM #1 was the biggest, brightest, and most often called the most sophisticated SIEM in the forest. It had the most knobs to turn and levers to flip. CISO thought to himself, “This is what I need. All the reviews say it’s the best, and even if it’s complex, I’ll have a job for years maintaining it. In fact, I doubt anyone else will fully understand how to use it, so I’ll be considered a real guru.”

SIEM #2 was very simplistic, but easy to justify, since it was really just log management and a data-mining appliance plus a combination of open source security-related tools. CISO thought about this long and hard, but he wasn’t convinced this was the best approach, nor would it do much for his career.

SIEM #3 was very intriguing. It had SIEM integrated into its framework, but also included capabilities none of the other vendors offered in a single package: this product could assist IT staff in rapidly determining root cause on almost any kind of security, performance, or availability related issue. CISO had only one concern, which was that this solution encouraged cooperation between independent groups within IT. CISO wasn’t sure his IT peers would willingly embrace such a novel idea, especially since they already had so many different tools to work with.

CISO was determined to pursue SIEM #1. He began the installation of the product on his network, but soon realized he needed to hire the vendor’s professional services team to install and configure agents and integrate various modules to complete his testing. He also realized he would need at least three separate appliances to accomplish his goals once in production. Months passed during this evaluation, and while CISO was still trying to gain the visibility and control he so desired, the company’s network experienced a severe outage. Nothing worked; they were dead in the water. Making matters worse, SIEM #1 still wasn’t operational and was not able to assist CISO in determining whether the outage was a security related issue. The vendor assured CISO that once in production their product would give him what he desired, and supplied CISO with a quote that looked quite promising. However, when he started to add up the cost of professional services, the resources needed to put it into production, and the manpower to keep the system up to date and running, the real cost was outrageous. CISO felt truly embarrassed that he had invested so much time without really checking out the hidden cost of operations for such a bright and shiny object.

CISO moved on to SIEM #2, armed with a new appreciation for the complexity of his last effort and the vast amount of knowledge gleaned from his somewhat embarrassing experience. CISO thought, “I’ll just keep it simple by using a basic log management appliance for compliance reporting, and combine it with a few open source tools so I can make sense of all my security data.” CISO was excited by the prospect of building a really cool solution to solve his immediate need. He downloaded what he needed from multiple web sites and purchased a very popular but basic log management and reporting tool. “This is going to be great,” CISO thought. “Now I’ll be able to provide the reports I need to prove to management that I’m protecting the company from threats, and saving them hundreds of thousands of dollars by doing it my way.” He was ecstatic and could not wait to show his peers what he had assembled!

Everything was going well, when one day the help desk called to ask if CISO could determine why a few end users in Human Resources could not access an application on a server used for a mission critical business service. Now was his chance to shine, and CISO jumped at the chance to show how his new system could save the day. The first step was to check the server logs; he ran reports and did queries, but nothing jumped out at him as a problem. There was a high number of failed logins, but that didn’t tell him exactly where they were coming from, from whom, or why it was happening all of a sudden. The logs from his routers and switches all looked normal too! Next, CISO checked the management consoles of SIEM #2 to see if anything suspicious had been occurring on the network over the last 24 hours, but again, nothing jumped out at him as a source of the problem. No security incidents had occurred, no rules had fired, and all the charts and graphs looked normal. Maybe this system was too simple?

This was starting to bother CISO. Given all the time he’d put into putting these tools together, he must have missed something crucial in his design; the system wasn’t giving him the visibility he needed to determine the source of this problem. Who could he call for assistance? He had no support for his solution, and the open source crowd must have been focusing on their own troubles, since nobody responded to his public cry for help! Thankfully, after hours of investigation and failed attempts to determine the cause of this troubling situation, Human Resources suddenly regained access to the application they needed. CISO, and the company, had dodged a bullet.

CISO’s efforts to find a product to help him gain visibility and control had failed to determine the root cause of both the network outage and the service disruption his HR folks had experienced. SIEM #1 was so sophisticated and complex that he could not even get it to respond when he needed it most; it would have taken another six months and extensive professional services just to put it into production. SIEM #2 was clearly too simplistic and didn’t have the integration needed to find the root cause of anything. What was CISO going to do? Why couldn’t he find a solution that was “just right”?

Then one day a friend named CCIE told him about a solution his IT department was using. It automatically mapped out their network and consumed logs directly from all their devices without deploying agents. CCIE sort of bragged, “All you need are a few credentials and the system automatically pulls, stores, analyzes, and monitors changes on all our devices; so when something out of the norm occurs, or someone changes a configuration, I can be notified or quickly view a dashboard to determine who, what, when, where, why, and how it happened.” CCIE continued, “I also produce pretty reports that my executive team can understand, and it’s as easy as using my iPhone!”

CISO was in shock. Where did he go wrong? How did he miss this solution when he was researching his holy grail? Then CISO recalled seeing something so innovative it wasn’t even listed on the Gartner SIEM MQ. In fact, the product CCIE was using was originally SIEM #3 on CISO’s list. With new focus and hope for a solution, CISO invited his IT counterparts from the network and systems teams to attend a demo of this very new and innovative product. After seeing the demo, the network team told CISO that they already had numerous tools they were using to solve their network problems. And that is when the light went on in CISO’s head! “Don’t you see, that is our problem,” CISO exclaimed. “You have your tools, I have mine, the systems guys have theirs, and nothing is connected; so we just have a bunch of disparate data points.” More convinced than ever, CISO questioned out loud, “How can we show management that we are not just a cost center with expendable resources, but instead a key source of enabling top line revenue growth? How can we prove to management that IT is meeting its business service levels and controlling cost if we don’t pool our resources and implement a common platform for network, performance, availability, security, and change management?”

Finally, everyone understood what they were missing and realized that using this innovative and extremely cost effective solution could help all IT staff address the network performance monitoring and systems availability challenges they all faced, in addition to the security functionality CISO had set out to find. After so many trials and tribulations, CISO presented a solution that was “just right” to his management team.

Now CISO’s company has what it needs. IT Services is contributing to top line revenue growth by providing consistent service levels and supporting new applications to expand the corporate footprint. The network team replaced their disparate, isolated tools, and the security team can now make sense of the flood of data produced by their best of breed security devices. The systems and server group now knows when to patch critical servers without impacting productivity. All are sharing a common change management database, and each has their own unique business service views so they can focus on their own duties while working from a “Single Pane of Glass”. CISO and his company are living happily ever after.

The Moral of the Story:

1. Don’t take reviews, tweets, and blogs at face value.
2. Break the operational silos that are keeping IT a cost center.
3. Challenge traditional ways of solving problems; there are new, innovative solutions to help reduce cost and improve root cause analysis.
4. If one bed is too hard and one is too soft, keep looking… there is one that is just right!

THE END
