Hugh Njemanze, founder and CTO, ArcSight

Traditional security monitoring strategies have focused on the “low-hanging fruit” of the perimeter.

Security analysts are comfortable talking about firewalls, VPNs, IPS and the like, because they generally fall under the control of the security and operations teams. But over time it has become clear that the scope of monitoring activity needs to expand and consider a broader range of threats.

Now, monitoring internal network devices, operating systems, databases and applications—the “higher-hanging fruit”—becomes strategic. When the strategy includes detecting threats from insider activities, the need for monitoring can expand to printers, desktops, identity management solutions and even physical security solutions.

However, this goes beyond simply monitoring a broader range of devices to paint a more complete picture of your organization’s security status and posture. Having that information is great, but the real payoff is the ability to use the captured data to enable an organization to make better business decisions.

Are our policies being followed? Are we compliant? Are we more secure today than yesterday? How does this help my business? These are all questions a comprehensive and scalable monitoring solution can help address.

Because the data being analyzed crosses many technical and political boundaries, the monitoring solution needs to integrate decision support systems, allowing groups such as security, operations, desktop support, application, telephony, HR, legal and management to work together to address suspicious or malicious activity.

Security is no longer just an IT issue; it impacts the entire business, so decisions can’t be made in a vacuum. Having solid policies and processes in place around incident detection, notification, escalation and response will allow security to be more tightly integrated with the organization’s mission.

So now you’re collecting the data and you have a strong decision support system; it is time for security to provide not just qualitative but quantitative results.

In the past, it has been hard to define ROI when discussing security, but that’s changed. Mature monitoring solutions should yield tangible results such as:
• Decreased response time for incident detection and resolution
• Reduced number of employees required to do analysis (i.e., let your security engineers focus on more strategic objectives, not sifting through logs)
• Reduced training costs because monitoring is being leveraged from a central point
• Greater employee retention – because your security engineers aren’t burned out by “syslog madness”
• Security as a business differentiator – more companies are advertising their commitment to security, and even more importantly, their implementation of effective programs as a way to retain or generate more business

While it may start with capturing data feeds, a robust security monitoring solution can provide multiple paths to business optimization far beyond those commonly associated with security and compliance. The net benefit is that it allows you to know more about what’s going on inside your organization and make more efficient, effective and informed business decisions.

Whoever knew logs could be so valuable?