More Than The Team Can Handle

Anton Chuvakin at Gartner has a recent post about security monitoring on the Gartner blog.  I don’t have access to Gartner papers anymore, but he published a couple of key quotes.

The first was about layering controls.  I think most leadership groups understand that at this point.  It has been a while since I’ve heard of anyone thinking a single control is sufficient to stop 100% of all security threats.

The remaining quotes all seem focused on responding poorly to security incidents.

Clients often approach security monitoring from a specific driver, rather than from a larger perspective. This is no surprise, because they are generally trying to address a specific regulation, risk pain point or deal with an incident that just happened, and focus on what is the best and most cost-effective solution for that alone. But this path is dangerous, because it can lead to leaving large gaps in some areas and overspending in others — in part due to a focus on differences, rather than commonalities, in threats and attacks.

Do not buy more monitoring than you need — or can handle. Automated monitoring and response systems can be deployed widely, but many require investment in time and expertise. […] Gartner research consistently demonstrates that organizations procure much more security control functionality than they can absorb, deploy and operationalize (this challenge applies to all controls but is rampant for SIEM and DLP, in particular).

How do you handle that?  If the business unit is behaving 100% reactively and wants to overreach the organization’s limitations, what do you do?  From my experience, it is typically the security person/people battling the business, the resellers, the vendors, and the outside consultants.  You can try your best to make the best of the situation given the available resources, but:

  • Management is assuming they have a fully polished security posture.  A lot of money was spent on the fancy SIEM or DLP solution.  The consultants, resellers, and vendors are all claiming the security team has extremely powerful tools to do extremely advanced security work.
  • There will be another incident in the future, and there will be information about it in the logs in the fancy SIEM or DLP solution.  Either the new environment is not configured to alert, or it generates more alerts than the team can handle.  In either case, the root cause analysis is going to note that the information was available in the tool all along.
  • What happens to the morale of the security team?  They either have a product they don’t have time to properly manage, or they don’t have time to respond to the alerts it generates.  Either situation is going to dramatically increase burnout of the team members.

Security Summer Camp 2014

This was an interesting Security Summer Camp.

I stayed at the Tuscany the entire week.  I cannot stress enough how awesome the Tuscany is.  You’re right there for BSidesLV, and then you have the shuttle that runs during DEF CON.  It is amazing.  The Las Vegas Strip is only a half-mile walk as well.  The change of venue for DEF CON next year will make the Tuscany an even more attractive place to stay.

I really liked the DEF CON badge this year.  It is much nicer than the DEF CON 20 badge.  I don’t care for the Egyptian theme from DEF CON 20.  Of DEF CON badges though, 21 is still my favorite.  The playing card design on a circuit board is just awesome.  The DEF CON 21 badge is my favorite of any conference.

The BSidesLV badge from this year is also pretty cool.  I like the poker chip design.  It is way better than the chunk of metal from 2013.

Of swag, I planned to buy a copy of Adam Shostack’s book on Threat Modeling.  Given that he is being accused of rape, I decided to hold off.  I’d think that if I were accused of a crime, I’d at least offer some sort of response.  The silence is strange.

The BSidesLV pool parties were my favorite evening festivities.  I didn’t bother attending any Black Hat parties this year.  The pool party at the Tuscany was awesome.  theSummit benefit was fun, but BSidesLV beat them.  I wanted to participate in Bloodkode again this year, but I had the sniffles and was disqualified from giving blood.  I did finally participate in Be The Match though.

I enjoyed Jessy Irwin’s talk on education security at BSidesLV.  I’m used to the issues with manufacturing and patching.  You have to wait for downtime in the processes running on industrial control equipment.  It’s life.  I never considered that IT professionals in education have similar restrictions.  Patching has to be done during breaks, and Apple’s September release is amazingly inconvenient.

CustoDiet by Quadling and company seems like a nice idea for a tool.  I’d love a platform that lets me provide security for my family’s networks.  Hopefully it is a successful project.