The Security Kitchen

On the last Risky Business podcast it was mentioned that companies would be able to reduce costs by enabling little known or previously unused features in their infrastructure, mostly focusing on IDS/IPS, AV, Webfiltering and other features in perimeter appliances.

This is an interesting idea but let’s take a step back.

From a business POV, I’d love to sell additional features but chances are that my customers do not have the manpower to manage those. The features mentioned are not as fire-and-forget types of things. First off, they will change the end-user experience, possibly hindering people in doing their jobs. But they will also generate tons of logs, which need to be analyzed and acted upon. You see, it’s not as easy as “enable the feature and be more secure”.

For me, there is one things you can focus on right now which can improve the security of your company and it won’t cost you a dime to kickstart it. Once you are clear about what you want/need to see and how you want to see it, you will also know which vendors to talk to, to build a cost-effective system.

Logging !

There is thousands of log messages to be captured every day.
All your appliances, switches, servers, even clients are generating messages every second. If you haven’t done anything to listen to what they are saying, START NOW !
Build a system that enables you to centralize logging for your infrastructure. Maybe you won’t be looking at it all day, every day, but make sure that it is there. Consider tools like Splunk , it’s free for the first 500MB of daily logging and it supports a lot of formats. It also allows you to drill down, correlate and report on events.

Reports require good metrics, consider buying ‘Security Metrics’ by Andrew Jacquith. Choosing the right metrics is paramount to effective systems management, Andrew does a fantastic job in teaching us how to choose them.

A last resource that I want to suggest regarding this subject is the wonderful site www.secviz.org, and another wonderful book by Raffael Marty called ‘Applied Security Vizualisation’.
It is one thing to collect logs and go through them manually, visualizing them using one of the dozens of methods Raffy explains in this book might prove invaluable for your company ! Remember that 70% of people are considered to be visual, understanding things better and easier through graphics than in plain text.

Another thing you might want to focus on is your security policy. You know, the thick stack of paper that gathers dust or keeps your desk level. Review it, rip it apart, reconstruct it. Make it a flexible framework of documents that support your security programme, instead of leaving it in it’s 2×4 function that it serves right now. Make security work for the people and the business.