One of the truly unfair things about information security is that the scope of risk doesn’t scale downward with the size of the organization. A large global enterprise has to deal with all sorts of potential threats: APTs, phishing, malware incursion, insider threats, compliance mandates, and more. Unfortunately, the small enterprise or middle-market business must deal with the exact same issues, regardless of the fact that they have limited resources compared to those of the behemoth global players against which they compete every day.
Visibility, of course, is the hallmark of a good security program. Large enterprises buy a plethora of security technologies with complex acronyms and high price tags: SIEM, DLP, DAM, IDS, IPS, AV, VA, and more. For the middle-market customer, spending mid-six or even seven figures on a collection of security tools — not to mention the double to triple multiple of the product price on professional services to get it all working and presenting a cogent view of security posture — is a fiscal impossibility. While it’s certainly possible to outsource some security functions to achieve cost efficiency and more quickly address a “checkbox” approach to compliance, this does little in the way of providing the limited security personnel in the midmarket enterprise with an understanding of their full threat landscape. Even the most efficient managed security service provider (MSSP) is usually limited to the perimeter of the network and perhaps some key internal network assets.
Gaining visibility across the security spectrum is actually a pretty complex process: It involves capturing, correlating, and analyzing multiple types of data — events, system state, network traffic, performance metrics, and more — across multiple layers of IT, including networks, computers, applications, databases, and even users. From a practical perspective, this is difficult to do because there is no “all-encompassing” single technology that provides this kind of visibility. The only way to get it is to utilize multiple tools and hope that there’s some way to get them all communicating with each other so that they can be managed from a single interface; otherwise, there just aren’t enough hours in the day for the typical security team, especially in a midsize organization.
Unfortunately, this “multiple tool” approach has two problems. First, it leaves critical gaps in data. If you’re not collecting a certain type of security data — say, unauthorized changes to the configuration of a critical system — then you’re lacking visibility into potential attack vectors that can bring down your systems and compromise your data. The same goes if you’re ignoring security data for a particular layer of IT infrastructure, such as applications or databases. The second problem is that, even if you are collecting all the right data from all the right infrastructure, you’re using multiple tools to do it — and these technologies don’t communicate with each other, leaving you with a substantial number of false positives. For a midsize enterprise, there are simply not enough personnel to address the problem. The de facto way to handle this information overload simply becomes leaving much of the security data unanalyzed or (even worse) acknowledged in some security console, never to be actually researched — and that is not information security.
So, what’s a small shop of about five or fewer security professionals to do, when they’re charged with preserving the assets and brand of a multimillion-dollar company? Fortunately, there are some relatively recent advances in security technologies that can make the life of a midmarket security pro a lot easier. Perhaps the most effective way for midmarket organizations to address this problem is to buy security technologies that offer greater bang-for-the-buck by combining multiple security capabilities that normally require different products into a single solution.
Assuming that basic security technologies are already in place, the next step for most security organizations to gain visibility is to implement a log management or security information and event management (SIEM) tool. Historically, however, log management and SIEM have been focused entirely on event-based information, with no facility for collecting or understanding other types of security data. Fortunately, this is changing. Many SIEM vendors’ products are “converging” into what they were supposed to be 10 years ago: centralized consoles to monitor and report on security and compliance posture in near–real time. Many vendors are now capturing other types of important security data out-of-box, including network traffic information, changes to system state, performance metrics, and more.
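To make concrete what "correlating" event data with system-state and network data buys a small team, here is an added example (not code from the article or from any vendor's product) that does in a few dozen lines what the converged SIEM described above does at scale. Three constructed feeds stand in for three separate tools: authentication log lines, file-integrity monitor records, and flow summaries. Each on its own produces low-value noise (a few failed logins, a config file edit, a large transfer); only when they are normalized into one timeline and checked per host inside a time window does the combination rise to a high-confidence alert. All field names, hosts, paths and thresholds are assumptions chosen for the illustration.

```python
"""Toy cross-source correlation: auth events + file-integrity (system-state)
changes + network flow summaries, normalized into one timeline per host.
Every record below is constructed sample data; the field names are
assumptions for this example, not any vendor's schema."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # normalized type: auth_fail, auth_ok, config_change, large_outbound
    detail: str


# --- constructed sample records, one list per "tool" -------------------------
AUTH_LOG = [  # syslog-style lines from an authentication source (constructed)
    "2024-03-01T09:00:01 host=web01 result=FAIL user=svc_backup",
    "2024-03-01T09:00:04 host=web01 result=FAIL user=svc_backup",
    "2024-03-01T09:00:07 host=web01 result=FAIL user=svc_backup",
    "2024-03-01T09:00:12 host=web01 result=OK user=svc_backup",
    "2024-03-01T09:10:00 host=db02 result=FAIL user=alice",
    "2024-03-01T09:10:03 host=db02 result=FAIL user=alice",
    "2024-03-01T09:11:00 host=db02 result=OK user=alice",
]
FIM_RECORDS = [  # file-integrity monitor output (constructed)
    {"time": "2024-03-01T09:01:30", "host": "web01", "path": "/etc/ssh/sshd_config", "change": "modified"},
    {"time": "2024-03-01T14:00:00", "host": "app03", "path": "/etc/nginx/nginx.conf", "change": "modified"},
]
NETFLOW = [  # flow summaries (constructed)
    {"time": "2024-03-01T09:02:10", "src": "web01", "dst": "203.0.113.9", "dport": 443, "bytes": 52_000_000},
    {"time": "2024-03-01T09:12:00", "src": "db02", "dst": "10.0.0.5", "dport": 5432, "bytes": 12_000},
]

FAIL_THRESHOLD = 3                 # assumed: failures that count as a burst
LARGE_FLOW_BYTES = 10_000_000      # assumed: what counts as a large transfer
WINDOW = timedelta(minutes=15)     # assumed: correlation window per host


def _ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


def normalize() -> list:
    """Bring each tool's native format into a single time-sorted Event list."""
    events = []
    for line in AUTH_LOG:
        stamp, *pairs = line.split()
        fields = dict(kv.split("=", 1) for kv in pairs)
        kind = "auth_ok" if fields["result"] == "OK" else "auth_fail"
        events.append(Event(_ts(stamp), fields["host"], kind, fields["user"]))
    for rec in FIM_RECORDS:
        events.append(Event(_ts(rec["time"]), rec["host"], "config_change", rec["path"]))
    for flow in NETFLOW:
        if flow["bytes"] >= LARGE_FLOW_BYTES:   # small flows are dropped as routine
            events.append(Event(_ts(flow["time"]), flow["src"], "large_outbound",
                                f"{flow['dst']}:{flow['dport']}"))
    events.sort(key=lambda e: e.ts)
    return events


def correlate(events: list) -> dict:
    """Per host, look for a failed-login burst followed inside WINDOW by a
    successful login and a configuration change (plus, optionally, a large
    outbound transfer). Returns {host: severity}. Any signal seen in
    isolation, which is all a single tool could ever see, stays 'low'."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    verdicts = {}
    for host, evs in by_host.items():
        fails = [e for e in evs if e.kind == "auth_fail"]
        if len(fails) >= FAIL_THRESHOLD:
            start = fails[0].ts
            kinds = {e.kind for e in evs if start <= e.ts <= start + WINDOW}
            if {"auth_ok", "config_change"} <= kinds:
                verdicts[host] = "critical" if "large_outbound" in kinds else "high"
                continue
        verdicts[host] = "low"
    return verdicts


if __name__ == "__main__":
    for host, severity in correlate(normalize()).items():
        print(f"{host}: {severity}")
```

Run as-is, the script rates web01 "critical" (burst of failures, then success, then an sshd_config edit and a 52 MB outbound flow, all within 15 minutes), while db02's two failures and app03's lone config change stay "low". The point is the shape of the logic, not the thresholds: the same three records that would each sit unread in three separate consoles become one actionable item once they share a host key and a timeline, which is exactly the consolidation the article argues a small team needs.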
And log management and SIEM tools aren’t the only security technologies that are expanding the scope of what they do: A wide range of security device vendors are combining network-layer security management with application-layer services such as data leak prevention (DLP), network access control (NAC), and other security functions that have traditionally been delivered through completely different products. This convergence of security capabilities into “unified” platforms may be giving security industry analysts fits by eliminating the traditional security boxes into which they like to put vendors, but from the consumer’s perspective, this is a very positive development.
By leveraging a more limited set of tools that already consolidate, correlate, and pre-analyze enterprise security data, midmarket security professionals can do a reasonable job of detecting threats, minimizing false positives, and addressing the requirements of both security and compliance — just like the big guys, but without the big cost.
John Linkous is a security and compliance expert and technology advisor to CIOs, CTOs, and CISOs across the Fortune 500 and federal government as well as SMBs. As a Security Research Fellow with eIQnetworks, John delivers comprehensive analysis of the security monitoring space, including Security Information and Event Management (SIEM) and log management technologies to a broad range of companies in financial services, healthcare, global food service and aerospace industries.