What is Orchestration?

Orchestration is a system of autonomic actions. A common example is responding to an event by immediately blocking the offending address at the firewall. Stated that way, orchestration looks like no more than integration. It is different: orchestration focuses on a process that runs independently of a person, a reaction of the system itself.

Orchestration’s value resides in:

  • Autonomic, not automated
  • Finding trigger events
  • Scalability and Vigilance
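The firewall-block reaction described above, as an added example written for this page (not code from the original post): a minimal autonomic responder that consumes alert events and pushes a block rule with no person in the loop. The alert format (`src_ip`, `signature`, `severity`), the threshold, the protected networks, and the `iptables` stand-in for the firewall API are all assumptions of the example, as are the sample alerts, which are constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample alerts for this example (not real log data).
# 203.0.113.7 trips the threshold; 10.0.0.53 is a (hypothetical) internal
# resolver that an attacker could try to get us to block by spoofing.
SAMPLE_ALERTS = [
    {"src_ip": "203.0.113.7", "signature": "SSH brute force", "severity": 3},
    {"src_ip": "203.0.113.7", "signature": "SSH brute force", "severity": 3},
    {"src_ip": "203.0.113.7", "signature": "SSH brute force", "severity": 3},
    {"src_ip": "10.0.0.53", "signature": "DNS amplification", "severity": 3},
    {"src_ip": "198.51.100.9", "signature": "port scan", "severity": 1},
    {"src_ip": "203.0.113.7", "signature": "SSH brute force", "severity": 3},
]


def default_firewall_block(ip: ipaddress.IPv4Address) -> str:
    """Stand-in for the real firewall API (assumption): returns the rule it
    would push rather than executing anything."""
    return f"iptables -I INPUT -s {ip} -j DROP"


@dataclass
class AutonomicResponder:
    # Networks the system must never block on its own, whatever the alert says.
    # Own infrastructure belongs here; RFC 1918 space is used as a placeholder.
    protected: list = field(default_factory=lambda: [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ])
    min_severity: int = 2          # below this, the event is only noise
    threshold: int = 3             # alerts from one source before acting
    firewall_block: Callable = default_firewall_block
    counts: dict = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # every autonomic action is recorded

    def handle(self, alert: dict) -> str:
        """React to one alert; the return value describes what was done."""
        ip = ipaddress.ip_address(alert["src_ip"])
        if any(ip in net for net in self.protected):
            self.audit.append(("skip-protected", str(ip), alert["signature"]))
            return "skipped-protected"
        if alert["severity"] < self.min_severity:
            return "ignored-low-severity"
        if ip in self.blocked:
            return "already-blocked"
        self.counts[ip] += 1
        if self.counts[ip] < self.threshold:
            return "counted"
        rule = self.firewall_block(ip)
        self.blocked.add(ip)
        self.audit.append(("block", str(ip), rule))
        return "blocked"


def run(alerts=SAMPLE_ALERTS):
    """Feed the alert stream through one responder; returns (outcomes, responder)."""
    responder = AutonomicResponder()
    outcomes = [responder.handle(a) for a in alerts]
    return outcomes, responder


if __name__ == "__main__":
    results, r = run()
    for alert, outcome in zip(SAMPLE_ALERTS, results):
        print(f"{alert['src_ip']:>14} {alert['signature']:<18} -> {outcome}")
    for entry in r.audit:
        print("audit:", entry)
```

The protected-network check is the part a practitioner cannot skip: once the block is autonomic, anyone who can spoof source addresses in the traffic that feeds the alerts can use the responder to cut off your own resolvers, partners, or monitoring. The threshold and the audit list are the other two guardrails, so a single noisy signature does not act on its own and every action the system took without a person can be reviewed afterwards.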

Read more

Is the issue security or network, and does it matter?

When there is a connectivity issue, the security staff are often the first people contacted. The usual thought for a bad connection is, "It must be the firewall that's blocking the connection." Yet after a day spent tracing the connection and evaluating the network, it turns out to be just as likely a networking issue. This raises the question: does it matter that security often has to deal with network issues, or vice versa? The specific type of issue is often unknown until it is resolved. For the user the primary emphasis is on someone resolving it, not on who the correct contact for resolving it is. Aligning staff to address this common issue makes the most sense. Read more

Kill The Checkbox

One thing is obvious about Internet security: we really suck at it. If this were a twelve-step program, we would be in denial. It doesn't take hindsight to see the failures coming. This cycle of failure is cultural, and it falls on leadership to change that culture.

People are trying to make good decisions. Nobody wakes up in the morning intending to make bad decisions, yet we make them. When groups of people keep failing, there is usually a more fundamental issue than incompetence.

Read more

The Fault in Our Logs

“The fault, dear Brutus, is not in our logs, But in ourselves, that we are admins.”

Could the processes of network log management be hurting security operations centers that rely on centralized security monitoring? It would seem that collecting events and responding to alerts should be straightforward. When an organization fails to respond to alerts, the blame lands squarely on the organization and its personnel. Consider the Target breach, where both Symantec antivirus and FireEye alerted on a malicious file, yet nothing was done. This pattern of known issues and failed responses repeats itself. Why do companies constantly fail to respond to events?

Clearly it is not so much an issue of detection as a problem of response. The idea that an alert must produce a response is ingrained in how networks are operated. Security is not so simple. The primary reason for the failures in responding is that, with current tools, the effort it takes to validate each alert and respond correctly is too great. Validation and response require additional information, and there are thousands of alerts a day. Collecting that information and carrying out the several actions tied to a single alert takes effort. That effort is unaccounted for, both in the budget and in the response process. The result is a failure to act. Read more