If a tree falls in your network, does anybody hear?

When I started scribbling notes as to what to write about this week, my first thought was to address some of the claims that the cloud wasn’t “ready for prime time,” made in a survey done by Wisegate. Everyone is entitled to an opinion, and those who wish to turn a blind eye to the maturation of the cloud do so at their own risk. Before I move on to the subject at hand, I will simply remind doubters that these same voices were shouting the same thing from the rooftops about SaaS 10 years ago. Now these same doubters incorporate many SaaS solutions into their architecture. It’s okay to be skeptical, and in terms of security, it’s necessary to be cautious. However, once you cut through the hype that the cloud is some kind of “silver bullet,” and the myopia of the status quo, you will see that the cloud is the latest step in the evolution of IT asset protection.

If you claim that the cloud is too risky, then one also must equally consider that adequate security of an existing on-premise network, or lack thereof, could also be a root cause. If lack of compliance is the issue, then do some more homework…compliance in the cloud is real. Again, not wishing to impose my obvious bias regarding the cloud on any doubter, but just like any product in any industry, you need to judge solutions on their independent merits. I am sure there are less-than-stellar cloud-based products, but to label the whole movement as risky is much like saying all cars are gas-guzzling rolling death traps or all online banking is playing financial Russian Roulette. What is it they say about babies and bath water???

Alright, I am stepping down from the soapbox to respond to another, less inflammatory, yet equally business-critical, article regarding the difficulty of separating log data from actionable events. The issue at hand is that a network is pinged potentially millions of times a day. Most of it is innocuous: the legitimate logging on and off of employees, genuine data transactions, etc. But what gets lost amid all this “white noise” are the red flags that indicate breaches or, worse, malicious activity.

It can be overwhelming. In fact, the article Struggling to Make Sense of Log Data points out a SANS Institute study finding that the biggest critical concern for security is the ability to discern usable and actionable data from log files.

How Important is Collecting Logs?

I asked a top-notch engineer developing in the cloud and he wryly quipped: if a tree falls in the forest, does it make a sound? He added that just because you set up intrusion detection software to find malware and the like, you still require the human intelligence to review and interpret the logs and create the baseline of normalcy. So I said, that is the problem…there’s just so much to review. To which he reminded me about the concept of situational awareness. He posits the idea that a singular event might be seen as generally low-level and harmless, but when it is put into context and correlated against various rules and diverse enterprise silos, a very different picture emerges. For instance, your network logs an access attempt from Bangladesh. Is this normal? Do you have customers, suppliers and employees who originate there? If so, is it happening during regular business hours? Is it following “normal” traffic patterns? If so, are they using dormant passwords or bypassing any protocols? If so, what data is accessible through this breach?
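The engineer’s chain of questions is, in effect, a correlation rule: each answer adds context to one otherwise harmless login. As an added illustration (example code written for this post, not from the original or from any product), the script below parses a few constructed log lines and scores each login against an assumed baseline of known geographies, business hours, account activity and MFA use; only events that trip more than one check are handed to a human.

```python
# Added example: contextual scoring of single login events.
# Baseline values, log lines and thresholds are all constructed for the demo.
from datetime import datetime, timezone

# Constructed baseline. In practice this comes from your own traffic history.
KNOWN_COUNTRIES = {"US", "DE", "BD"}   # BD: a supplier operates from Bangladesh
BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 UTC
LAST_SEEN = {"alice": "2013-01-10T09:15:00Z", "svc_backup": "2012-06-01T02:00:00Z"}
DORMANT_DAYS = 90

# Constructed log lines: timestamp user country outcome mfa
LOGS = """\
2013-01-11T10:02:00Z alice BD success mfa=yes
2013-01-11T03:40:00Z svc_backup BD success mfa=no
2013-01-11T11:10:00Z bob RU failure mfa=no
"""

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse(line):
    t, user, country, outcome, mfa = line.split()
    return {"ts": ts(t), "user": user, "country": country,
            "outcome": outcome, "mfa": mfa == "mfa=yes"}

def score(ev):
    """Return (score, reasons). Each question from the post adds a reason only
    when the answer is the worrying one; the total is what to triage on."""
    reasons = []
    if ev["country"] not in KNOWN_COUNTRIES:          # Do we expect this origin?
        reasons.append("unknown geography")
    if ev["ts"].hour not in BUSINESS_HOURS:            # Regular business hours?
        reasons.append("outside business hours")
    last = LAST_SEEN.get(ev["user"])                   # Dormant or unknown account?
    if last is None or (ev["ts"] - ts(last)).days >= DORMANT_DAYS:
        reasons.append("dormant or unknown account")
    if ev["outcome"] == "success" and not ev["mfa"]:   # Protocol bypassed?
        reasons.append("successful login without MFA")
    return len(reasons), reasons

def triage(log_text, threshold=2):
    """Events at or above the threshold are the ones worth a human's time."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse(line)
        s, why = score(ev)
        if s >= threshold:
            flagged.append((ev["user"], s, why))
    return flagged
```

On the sample data the lone login from Bangladesh by an active, MFA-protected user scores zero, while the same country at 03:40 from an account idle for months and without MFA scores three.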

The study’s author, Jerry Shenk, said, “Even when we look at the 22 percent of respondents who are using SIEM (security information and event management systems) for collecting logs and processing them, nearly the same percentage say it is difficult to prevent incidents and detect advanced threats.”

But the most disconcerting statistic is (according to the study): “With or without tools, many organizations don’t spend much time analyzing logs. 35% of respondents said their organizations allot no time to less than one day a week on log analysis. The smaller the organization, the less likely they would spend on log data analysis. Many companies recognize that SIEM is part of the answer, however 58% of the companies in the survey noted they are ‘not anywhere close to that level of automation.’”

This alone is a perfect situation in which to incorporate security-as-a-service to help manage monitoring. Instead of once per week (if at all), monitoring occurs 24/7/365. Instead of catching just the most obvious threats, automation combined with outsourced human analysis significantly shrinks the vulnerability gap. Instead of looking at a singular network, it links, correlates and analyzes all the aspects of the enterprise. And cloud-based security does it at a fraction of the on-premise cost. The cloud allows organizations to expand their resources and therefore solidify their coverage.

Attacks, intrusions and abnormalities are issues that aren’t solved by ostriches. Putting heads in the sand isn’t the answer. Neither is throwing your hands up and saying, “so what can I do about it?” And if you are one of those people who, at the top of this blog, considered the cloud too risky a proposition, how much riskier is the status quo? To be effective, you need to have all the facts in order to formulate a stronger prevention plan. I can’t stress enough how important it is to understand regular traffic patterns in order to recognize when something requires greater attention or action. And to do that you need to review logs. However, with so many other priorities, sometimes it is a considerable challenge to be proactive.

Trees will continue to fall in the forest. However, if you look down from the cloud, you are better attuned to hear it, and if necessary, act.

Kevin Nikkhoo
