Step 3: Paint with Better Brushes
Now that we have covered some of the core issues, it is time to flesh out the details. The only real way to do this is to read, and not just a little. Information is your friend here. No technology, product, solution, or approach can fully replace an informed professional with security knowledge. This is why most products focus on finding threats and alerting the operator, and it is also where the dollars-versus-hours balance sits. The more you understand about the threats to your network, the better you can manage them and the better you can select the tools with which to do so. It is CRITICAL that you do not underestimate the importance of this step.
The practice of threat intelligence is one that literally has a library of books written on it. There are also a number of resources on the Internet to help anyone wanting to learn. Let's look at some of them:
Introductions - Getting started is always the hardest part. If you are unsure which way to head, or do not already have a basic understanding, it can be difficult to get a good start. I strongly recommend going with an unbiased source for your start: learn the basics from someone who does not want to sell you something. I know, this is an odd comment to come from a company blog, but it IS the best way to get a straight line on the basics. Besides, we can sell you something later, when you have a better picture of what you need. 😉 Here are three interesting starting resources:
- The SANS Institute and its Internet Storm Center
- The US Computer Emergency Response Team
- University press centers - Spend a lot of time on the various university sites. They offer a TON of theory and information on leading issues.
Blogs - Most security vendors on the market maintain blogs, white papers, technical overviews, and alerts. The IT security industry uses these resources as marketing, which makes them a good place to look for fact-checked data on trends and threats. I'll toot my own horn, so to speak, by pointing out that AlienVault has an excellent example of this service here, and you can subscribe to the blog.
Social Media - Like blogs, most security companies' social feeds are pushing to keep you informed. Subscribing to blogs, Twitter, LinkedIn, or other feeds is a good way to get a constant stream of security information.
Books - As I said, if you want theory, there are entire libraries written on the subjects surrounding security. I recommend, however, waiting until you have some base knowledge before you spend too much on books. A lot of writers produce fluff, and even the well-written material is expensive because of its low printing volume. If you wait until you have a better base of knowledge, you can select titles that cover the specific material you want.
One of the most costly problems in security is log management. IT staff, including admins, analysts, engineers, and technicians, are always short on time. Since a considerable portion of risk management involves collecting and reviewing log data, it stands to reason that we can save a considerable amount of time by moving these logs to a central location and, ideally, normalizing them into a common format for easier analysis. Centralizing logs is the first big step, as it gives a single point from which to analyze and compare logs from different systems. We also need to gather network data, so that bandwidth and traffic can be monitored for suspicious changes.
There are several aspects of security and threat intelligence that need to be considered, and a Security Information and Event Management (SIEM) system is a central piece of the puzzle: it will handle much of this for you, normalizing and processing a wide range of your security logs and data and correlating that data to look for advanced threats. But at what cost? That depends on what you need to accomplish, and the answer may be less obvious than you first think.
Keep in mind that a full-featured security solution will handle Asset Discovery, Availability Monitoring, Log Normalization, HIDS, Network IDS/Traffic Analysis, and Vulnerability Scans. It should also simultaneously run real-time event correlation against all of this source data, to look for threats that would be missed by any single source on its own. When you compare this with the time required to correlate the data manually and with the resources required by separate systems to collect all of it, the cost and resource requirements are considerably lower than you would expect, and could be FAR cheaper than doing this manually.
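As an added illustration of the centralize, normalize, and correlate idea in the two paragraphs above (example code written for this article, not code from AlienVault or any SIEM product): it maps constructed sshd and firewall log lines onto one common event schema, then flags a source address that only looks suspicious once both sources are viewed together. The log lines, hosts and addresses are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real data): an sshd auth log and an iptables-style firewall log.
AUTH_LOG = [
    "Mar  3 10:01:02 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Mar  3 10:01:05 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Mar  3 10:01:09 host1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51240 ssh2",
    "Mar  3 10:02:00 host1 sshd[2300]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2",
]
FW_LOG = [
    "Mar  3 10:00:58 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar  3 10:00:59 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "Mar  3 10:00:59 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445",
]
SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port")
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")

def normalize(line):
    """Map one raw line from either source onto a common event schema (None if unrecognized)."""
    m = SSHD_RE.search(line)
    if m:
        outcome, user, src = m.groups()
        return {"source": "sshd", "src_ip": src, "user": user,
                "action": "auth_fail" if outcome == "Failed" else "auth_success"}
    m = FW_RE.search(line)
    if m:
        src, dst, proto, dport = m.groups()
        return {"source": "firewall", "src_ip": src, "dst_ip": dst,
                "action": "connect", "dport": int(dport)}
    return None

def correlate(events, fail_threshold=2, port_threshold=3):
    """Flag source IPs that touched several ports at the firewall AND had repeated SSH
    failures followed by a success. Neither log alone shows this combination."""
    by_ip = defaultdict(lambda: {"ports": set(), "fails": 0, "success": False})
    for ev in events:
        rec = by_ip[ev["src_ip"]]
        if ev["source"] == "firewall":
            rec["ports"].add(ev["dport"])
        elif ev["action"] == "auth_fail":
            rec["fails"] += 1
        elif ev["action"] == "auth_success":
            rec["success"] = True
    return sorted(ip for ip, r in by_ip.items()
                  if len(r["ports"]) >= port_threshold and r["fails"] >= fail_threshold and r["success"])

def run():
    """Normalize both constructed logs into one event stream and correlate across them."""
    return correlate([e for e in map(normalize, AUTH_LOG + FW_LOG) if e])
```

Only 203.0.113.7 is flagged; alice's successful login from 198.51.100.4 has no failures and no firewall scan behind it, so it is left alone.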
A Policy of Processes
We now have a complete picture of what to do, so it's time to start the implementation! This is both the easiest and the hardest part. As we enact the plan you came up with above, we need to make its steps an integral part of the IT lifecycle process going forward. Doing so will progressively ease the workload over time and will also begin to integrate the new security methods into everyone's work. Always keep in mind, however, that security is not a destination but a process. It is necessary to continually review what you have done and adjust as systems evolve and as new methods of infiltration are discovered or developed.