Cutting through the fog of security data

The past few weeks -- nay, months -- have been filled with people, process and project issues. I wondered if I would ever get any real work done. Real work to me is security work, not "adminisdribble."

One of the worst aspects of adminisdribble is that it buries me in paperwork. And the paperwork is following me into the security realm. The agency used to get by without much documentation; as long as we had log files to reference when a situation arose, we were OK.

Nowadays, though, it seems as if everything needs to be documented, with audit logs pulled together for management, auditors and attorneys. It's getting in the way of our real security work, so we have to get on top of it.

I have a vision in my mind: to be able to show anyone who needs it the security profile of the agency at any given moment. It would take all the data that we're generating from routers, intrusion-detection systems, firewalls and a multtude of other security tools and organize it for easy, at- a-glance digestion.

We certainly have no dearth of data. This past summer, we bought half a dozen new and beefy servers. One we designated as the security server, for housing the security software and log files. Only three people have access to it. We also purchased security software and appliances that let us monitor and document activity on the network.

We have router and firewall logs, intrusion-detection logs, network-monitoring data, Web server logs, and server event and performance-monitoring logs. We can even garner log files from every computer in the agency. We can document everything that happens on the network -- what goes out and comes in, and who accesses what and when.

It's all a bit overwhelming. Who's going to monitor all this stuff and correlate the data?

Networking specialists understand the concept of setting a baseline: becoming familiar with what normal activity and thresholds are, so that when abnormal activity pops up or normal thresholds are exceeded, you can spot it. That's the sort of thing we have to set up with all our new security toys so that we will receive alerts when real anomalies or malicious patterns are detected. It would be an acceptable practice to just eyeball the log files, looking for anything out of the ordinary. Unfortunately, we don't have enough eyeballs to do that adequately. And my staff is overworked as it is, leading to fatigue, distraction and competition with higher priorities.

As I was struggling with this issue, a faint light began to shine inside my tired head. Haven't I seen this movie before?

Yes, of course -- it was all coming back to me. (Honestly, I think I have "sometimers" disease; sometimes my mind is sharp as a tack, and other times it's as dull as a board!) As my mind cleared, it suddenly became obvious to me that the problem we were facing is fairly common and already well defined.

Join the newsletter!

Error: Please check your email address.

More about ArcSightCiscoCiscoSharpYahoo

Show Comments