Finish Or Start New?

What’s better for security: finishing the deployment of a functional product or start fresh with the modern product? It seems like it really depends on circumstances.

I had an alright MSSP. There were some problems though. Picking a new MSSP allowed me to fix some configuration issues I couldn’t resolve due to organizational inertia.

On the other hand, I had hardware for network segmentation and additional hardware would have been pretty affordable. My issue was a lack of FTE’s. When leadership buy-in was available, we had to use a hot new product and start over. I’m not sure we were any better off after the replacement. The new product wasn’t really doing anything that much better. It had the potential, but we lacked the FTE’s to make it happen.

Similarly, I went from an integrated IDS/IPS that wasn’t managed to a newer modern profiling stand-alone IDS/IPS. Given the previous product was integrated, I’d argue we’d clearly lost effectiveness since the FTE cost was higher with this stand-alone product.

On to Monitoring.

I’ve got a SIEM type product. It’s not fully deployed, but who can say their SIEM is really fully deployed and tuned? I’m looking at UEBA and analytics platforms, but I suspect my time would be better spent focused on a well tuned SIEM than 3 partially deployed platforms. The vendors mostly agree/admit that the platforms all have steep FTE requirements for success.

Microsoft ATA is extremely affordable and claims to be a UEBA type product. It’s ignoring the non-Microsoft user realms, but can an attacker get in and get data out of an environment without touching anything Active Directory?

I couldn’t begin to write anything close to comparable to Anton Chuvakin’s blog post on the subject of security analytics.

It seems like money and FTE effort would be better devoted to furthering a SIEM deployment completeness / maturity. 

UBA / User Behavior Analytics

I’m in the process of evaluating behavior analytics tools. UBA and UEBA seem to be the popular acronyms for the product space.

It appears the space has three separate platform styles. You’ve got your add-ons such as CyberArk Priveleged Threat Analytics, Microsoft Advanced Threat Analytics, and Rapid7 InsightUBA. You’ve got your ‘independent’ platforms from Exabeam and Gurucul. Finally are your network analytic platforms such as Observable Networks and Pwnie Express.┬áMy prediction is Microsoft is going to absolutely crush the user competition.

If you’ve already got a heavy Microsoft environment, ATA’s cost is negligible compared to the enormous additional cost of expanding your CyberArk or Rapid 7 environments. Those platforms can clearly ┬ácover more ground than just Microsoft platforms, but is it worth the additional cost and the proper environment configuration? It’s much easier to blindly stumble upon building a functional Microsoft environment than properly build a Linux environment. Local account usage seems significantly less common in enterprise Microsoft environments than enterprise Linux environments from what I’ve seen and heard.

I like the network analytics platforms, but they’ve got a battle against Cisco’s Stealthwatch platform. Cisco has a really weak ability to deliver in the security space, but they’ve got integration benefiting them here. It’s tough to battle against Cisco security products in a Cisco environment. We’ll have to see how the other network analytics products perform.