It is truly unfortunate how many fall into the former category. But the problem with IT security is that it’s an ever-evolving and moving target. So the decision to not dip your toe in the water and understand all available options could mean the difference between a panicked 3am call regarding a breach alert or a good night’s sleep.
I realize this is an over generalization, and oftentimes the decision to “stay the course” is not in the hands of IT. There are budget concerns. There are personnel limitations. There are higher perceived priorities. There are complex layers of interdepartmental decision making. So, if it ain’t broke, don’t fix it…right?
As an IT professional myself, I realize how inundated your inbox and voice mail becomes with messages; cloud-this, virtual-that, next generation so & so…but why rock the boat, everything is working…AS FAR AS YOU KNOW.
There’s the old adage, if you don’t know what you don’t know then you can’t possibly be prepared. Additionally there are organizations that simply act like ostriches. They put their head in the sand, so therefore nothing bad can happen. Or then there’s the old chestnut, “well, we’ve never been breached/hacked/attacked before, so there is no need to change.” These are people who don’t know what they don’t know…or don’t want to know because it will force a change of the status quo.
For them, here’s a true story.
Once upon a time there was (and still is!) a large retail and design firm worth about 3/4s of a billion dollars. They were very vigilant with their security. At least they thought so. They had solid on-premise tools and had dedicated security resources. Problem was, with the lingering effects of the recession, budgets got squeezed and resources became scarcer. And looking at cost centers, IT security had a target on its back. This prompted the IT team to investigate alternative ways to drive down costs, but still maintain the level of readiness and watchfulness.
They examined a variety of alternatives and did significant due diligence. They found that by moving their SIEM and Log Management functions to the cloud, they would remove considerable capital expenditures and related costs. For practically the same cost they were paying for on premise solution support and maintenance, they could incorporate a cloud-managed enterprise-class solution to manage their network defenses. But this isn’t an economic parable.
Working in conjunction with the new cloud-based security experts, the folks at this retail organization recreated many of the rules, alerts, and escalations against a variety of servers and endpoints currently being monitored on the on-premise system. For the first month or so, they wanted systems to be redundant–just to ensure the new cloud-managed SIEM and Log management were catching all the activity and traffic required to help protect the IP and help the organization comply with PCI and SOX.
Ten days into the project, the phone rang. The cloud security analyst wanted to inform the company that some unusual anomalies were detected on an internal server. It was initially diagnosed as a false positive, but the cloud analyst insisted that when correlated with other data from other servers, the intrusion was probably more than just a harmless blip.
The company reviewed its on-premise logs and could not verify the same problem. At this point the analyst was able to provide the precise server and trace the issue to a specific laptop. It was there they found the unauthorized download of what seemed to be a harmless email application, but had also nested some nasty botnets and malware. Acting quickly, they were able to quarantine the problem and diffuse the issue before a breach could occur.
But the story is not so much about cloud security saving the day, but rather how a new way of thinking and analyzing shined a light on inefficiencies, unexplored vulnerabilities and process breakdowns. It provided updated knowledge on how their users and customers were accessing and using their network resources.
Again, the moral of the story is not that cloud security is superior to all other security implementations, but rather if you don’t know what you don’t know, you can’t make the necessary adjustments to create new best practices and, in short, do the job better and more efficiently. However, whereas cloud-based security may not be better than other enterprise deployments, it IS more accessible to companies that aren’t listed on the Fortune 500. Therefore, if it is AS GOOD as a brand name enterprise tool, it would be considerably more effective than most initiatives deployed by the smaller and more moderately financed enterprises.
It allows these companies to know what they don’t know. It allows them to cast a wider net around their IT assets and better understand who is access what data and when. It allows them to monitor, in real time, all the events that are hitting every quarter of their IT infrastructure and make informed determinations based on situational context. Instead of phased, limited or partially deployed security initiatives, companies benefit from a fully-powered, industrial-strength solution ready on Day 1. To further mix metaphors, think of it as an experienced geologist looking for oil. Generally, he knows what areas likely contain oil reserves. Additionally he knows what crude looks like. Problem is, all he has is a trowel with which to search. So if the oil is not bubbling up to the top, it will go unnoticed and untapped. The geologist needs radar penetrating technology. He needs the means to reach the reserve; to understand and document the different strata of earth, detritus and bedrock. He needs a way to determine where the most advantageous position on the field for maximum yield lies. Without it, he’s bound to miss something.
But first, he has to know what he doesn’t know.
Tags: BYOD, chief technology officer, Cloud, cloud computing, cloud security, CloudAccess, compliance, enterprise-it, hacker, intrusion detection, IT security, Log Management, malware, network perimeter, Security, security-as-a-service, SIEM, technology