Making sense of your logs
ViJay Viswanathan, CISO, HD Supply
As organizations continue to embrace cloud, mobility and agility-driven business models, formerly well-defined network boundaries evolve into virtual bridge and termination points. So, is it sufficient to continue with the traditional log-aggregation model that drives security information and event management (SIEM)?
Security leaders, who tend to operate on shoestring budgets, need solutions that are not only agile and easy to implement but that also demonstrate a clear return on investment.
While some practitioners remain mired in a reactive approach that keeps their security teams playing catch-up, it is far more effective to be proactive and anticipate the threat that is around the corner. In other words, you want a strategy that produces intelligence, not just a pile of logs.
Organizations today use a master data model to drive efficiencies in system design. Why not take a similar approach to the enterprise security program? Consider a security model with tools in place for infrastructure and network security, incident management, identity and access management, application and data security, and compliance. Those tools produce a plethora of valuable logs, both during normal operation and during an active attack. Once the security master data model has identified our high-value targets, we can start visualizing the one-dimensional logs and, with enriching analytics, watch them take shape into multidimensional security intelligence: a firewall deny, a failed login and an asset's criticality rating mean little on their own, but joined together they describe an attack against something that matters.
Leveraging a distributed computing platform, such as Hadoop, and an analytics platform, such as IKANOW, the data from the different tools can be enriched to produce compelling intelligence that becomes a decision platform for security leaders. Integrating it with an existing or open source business intelligence platform yields visually powerful, actionable security intelligence. This is practical for organizations of all sizes, and it encourages security professionals to grow into critical business leaders. The entire setup can be built in the cloud and scaled gradually to do more as the business continues to push its boundaries.
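To make concrete what turning one-dimensional logs into multidimensional intelligence looks like in practice, here is an added example that is not code from this article, from HD Supply, or from the IKANOW or Hadoop projects. It is a small Python pipeline that normalises constructed firewall, identity-provider and IDS lines into one event shape, joins each event against a hypothetical asset model that marks high-value targets, and correlates across tools per source address. The tool names, log format, weights, watchlist and asset table are all assumptions made for the example; a real deployment would run the same join-and-score logic as a Hadoop job over the tools' actual formats.

```python
"""
Enrich and correlate logs from several security tools into one prioritised view.
Added example: every log line, host, IP address, weight and asset record below is
constructed for illustration and does not come from any real tool or organisation.
"""
import re
from collections import defaultdict

# Constructed "security master data model": which assets are high-value targets.
ASSETS = {
    "erp-db01": {"criticality": "high", "owner": "finance"},
    "hr-app02": {"criticality": "high", "owner": "hr"},
    "wiki01":   {"criticality": "low",  "owner": "it"},
}

# Constructed watchlist standing in for a threat-intelligence feed.
WATCHLIST = {"203.0.113.7"}

# Constructed sample lines from three tools (firewall, identity provider, IDS),
# in an assumed "<tool> <timestamp> key=value ..." format.
SAMPLE_LOGS = [
    "fw 2014-03-01T02:14:05Z action=deny src=203.0.113.7 dst=erp-db01 dport=1433",
    "fw 2014-03-01T02:14:06Z action=deny src=203.0.113.7 dst=erp-db01 dport=3306",
    "fw 2014-03-01T02:20:11Z action=allow src=198.51.100.4 dst=wiki01 dport=443",
    "idp 2014-03-01T02:15:30Z result=failure user=jsmith src=203.0.113.7 target=hr-app02",
    "idp 2014-03-01T02:15:42Z result=failure user=jsmith src=203.0.113.7 target=hr-app02",
    "idp 2014-03-01T02:16:01Z result=success user=jsmith src=203.0.113.7 target=hr-app02",
    "ids 2014-03-01T02:18:59Z sig=SQLi-probe src=198.51.100.4 dst=wiki01",
    "this line is not a recognised event format",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
KNOWN_TOOLS = ("fw", "idp", "ids")


def parse_event(line):
    """Normalise one raw line into a flat dict; return None for unparseable lines."""
    parts = line.split(None, 2)
    if len(parts) < 3 or parts[0] not in KNOWN_TOOLS:
        return None
    tool, ts, rest = parts
    fields = dict(KV_RE.findall(rest))
    if "src" not in fields:
        return None
    event = {"tool": tool, "ts": ts, **fields}
    # Unify the target-host field across tools (fw/ids use dst, idp uses target).
    event["host"] = fields.get("dst") or fields.get("target")
    return event


def enrich(event):
    """Attach asset-model context so the event carries business meaning."""
    asset = ASSETS.get(event["host"], {})
    event["criticality"] = asset.get("criticality", "unknown")
    event["owner"] = asset.get("owner", "unknown")
    return event


def score_event(event):
    """Per-event weight (assumed values), doubled when a high-value asset is involved."""
    base = 0
    if event["tool"] == "fw" and event.get("action") == "deny":
        base = 1
    elif event["tool"] == "idp" and event.get("result") == "failure":
        base = 2
    elif event["tool"] == "ids":
        base = 3
    return base * 2 if event["criticality"] == "high" else base


def guessed_then_succeeded(events):
    """Users whose IdP failure from this source precedes a later IdP success."""
    idp = sorted((e for e in events if e["tool"] == "idp"), key=lambda e: e["ts"])
    failed, hits = set(), set()
    for e in idp:
        if e.get("result") == "failure":
            failed.add(e.get("user"))
        elif e.get("result") == "success" and e.get("user") in failed:
            hits.add(e["user"])
    return hits


def correlate(lines):
    """Group enriched events by source address and rank sources by combined score."""
    events = [enrich(e) for e in map(parse_event, lines) if e is not None]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        score, reasons = sum(score_event(e) for e in evs), []
        if src in WATCHLIST:                      # intel dimension
            score += 5
            reasons.append("source on watchlist")
        users = guessed_then_succeeded(evs)        # cross-event behavioural dimension
        if users:
            score += 10
            reasons.append("failed logins then success for " + ", ".join(sorted(users)))
        targets = sorted({e["host"] for e in evs if e["criticality"] == "high"})
        if targets:                                # asset-model dimension
            reasons.append("touched high-value assets: " + ", ".join(targets))
        findings.append({"src": src, "score": score, "event_count": len(evs),
                         "tools": sorted({e["tool"] for e in evs}),
                         "high_value_targets": targets, "reasons": reasons})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOGS):
        print(f"{f['src']:<14} score={f['score']:<3} tools={f['tools']} {f['reasons']}")
```

Each tool's log on its own would surface only a handful of denies or a few failed logins; the join against the asset model and the cross-tool failure-then-success check are what lift the watchlisted source to the top of the list while the noisy but low-value wiki probe stays at the bottom. The weights are placeholders to be tuned against the organisation's own data.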
So, can an approach combining log management and Big Data yield significant results? Absolutely, and most organizations could evolve in this direction. They may find it beneficial to treat a security intelligence platform as a multi-generation initiative. A good way to demonstrate the maturity of a security program is to revisit the enterprise security roadmap and introduce a security intelligence platform as a top-level milestone. That keeps the focus, as each security service evolves, on a comprehensive view of the things that matter most.