Enterprise Security And The Elusive
By Andre' Allen, CISO, City of Houston
Much has been said about achieving the “single pane of glass” for enterprise security that will enable one to peer into the multitude of activities (malicious or otherwise) happening in real-time within today’s complex computer networks. Many security vendors proclaim loudly that their security products provide a “single pane of glass.” That is to say, that single dashboard display that will show you everything that is happening in your network and alert you to trends that indicate that you may have a security problem. But does the “single pane of glass” for enterprise security truly exist today or is it, in fact, elusive?
The ideal “single pane of glass” would consist of a scalable analytics platform that provides compliance, information security, and forensics and incident investigation support. This analytics platform would seamlessly integrate with existing network/security components that provide the following:
Data Loss Prevention (DLP), Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), Firewalls, Switches/Routers, Web Application Filter (WAF), Identity and Access Management (IAM), End Point Security (including malware prevention), Deep Packet Inspection (DPI) and Forensics, Desktop and Server Logs, Governance, Risk and Compliance (GRC), Service Management, Vulnerability Scans, and a Configuration Management Database (CMDB).
The analytics platform would have intelligence technology built in at each interface to not only collect data from each component, but also to provide analytics capability to provide Log & Event Analysis and Log & Event Correlation. The analytics platform would also have interfaces to Security Operating Center (SOC) and Network Operating Center (NOC) Dashboards, as well as, to Situational Awareness and Threat Intelligence sources. Finally, it would provide a rich reporting capability and dynamic dashboards that present correlated data and comprehensive views.
Let’s return to the question raised at the onset: does the “single pane of glass” truly exist today or is it, in fact, elusive? I contend that the “single pane of glass” does not exist today and it is elusive. However, there is a lot of promise on the horizon. The competitive security tool market has generated much movement in this regard. Progress is being made towards achieving the “single pane of glass.”
Security tool vendors are becoming more aware of the need to (and are more willing to) leverage the Open API new technology. Open API new technology promotes the idea of different vendors establishing application programming interfaces that allow one product to seamlessly interface with another product, at the application layer, with minimum development and integration effort required. This affords the opportunity for the customer to leverage the best capabilities of differing vendor solutions without having to make what can sometimes be a large investment in software customization and integration testing. Based on my experience, I believe that it will be very difficult for a single security vendor solution to provide both the analytical and the automated processes needed to satisfy the visibility requirements of enterprise security. However, security vendors that adopt the Open API new technology concept will help the enterprise security community to go a long way towards achieving the elusive “single pane of glass.”
It is also recognized that many of the large enterprise security solution providers are attempting to achieve the “single pane of glass” without adopting the Open API new technology concept. They are attempting to achieve this by various mergers and acquisitions of smaller security tool vendors that offer additional functionality that did not exist in their current enterprise security tool suite. This trend would likely render the open application programming interfaces (which may have previously existed before the security tool vendor was acquired) as proprietary. The current trend in security tool vendor acquisitions may result in some success in achieving the “single pane of glass.” However, it is the opinion of the author that this approach may limit the creativeness that generally comes with a “lean and mean,” focused small security tool vendor that is needed in the dynamic enterprise security environment that currently exists.
In conclusion, it appears that the “single pane of glass” for enterprise security does not currently exist today. However, I believe that a “multi-paned window” for enterprise security does exist. This “multi-paned window” is comprised of multiple vendor solutions that adopt the Open API new technology. The collaboration of multiple vendors to achieve a common goal (to provide integrated capability and visibility for enterprise security objectives) has led to a window of opportunity. This creates an opportunity to be able to analyze information from disparate sources and, to put it simply, make some sense out of it. The “multi-paned window” would potentially utilize the “single pane of glass” of a Governance, Risk and Compliance (GRC) tool, the “single pane of glass” of a Security Event and Incident Management (SEIM) tool, and the “single pane of glass” of an analytics platform, to form the “multi-paned window” for enterprise security. This “multi-paned window” would provide an integrated view of system events/processes and the resultant effect on established security policies, plans, and procedures. The “multi-paned window” is not a “single pane of glass” for enterprise security, but it is nonetheless a “window,” providing the much needed visibility into the enterprise security space.