
Total Operational Awareness is a Necessity – Part I

April 15, 2015 Author: Don Brown

Recently, our head of product, Amir Halfon, discussed what monitoring means in a continuous-delivery, DevOps-focused world. We're starting to see organizations take a similar approach to security. The (relatively) new philosophy is to assume that every IT environment is already breached, or can be breached with little effort.

The New Security Philosophy

It is impossible to follow the news without hearing of yet another security breach. Whether it's credit card numbers, personal information, or state secrets, the digitization and centralization of nearly all information has irrevocably changed the economics of cybersecurity. A near-zero chance of getting caught, the ever-growing value and volume of the data, and the widening gap between exploit tooling and prevention/detection/remediation tools together make black-hat hacking an economic no-brainer.

Given these incentives to attack, the law of large numbers assures that a meaningful sample, if not a majority, of enterprises are already breached or could be with minimal effort and time. This means the familiar approach of assuming that internal networks and infrastructure are pristine, and placing nearly all investment in intrusion detection and prevention at the perimeter, no longer works. Perimeter-only security is the cybersecurity equivalent of burying your head in the sand. Even if intrusion detection and prevention stops 99.999% of attacks, the asymmetric nature of the risk means that the one success in 100,000 still has the potential to be an existential threat to your business.

A New Approach to Security

So what can be done? First, it's necessary to perform an intellectually honest audit and catalog of both your information assets and infrastructure. From this you should be able to derive an idea of the level of investment necessary to protect your data.

In order to protect these assets, an organization needs to add these programs to existing perimeter based security measures:

  • Robust user education and authentication policies
  • High fidelity, full stack monitoring of all IT infrastructure
  • Point solutions for Data Loss Prevention (DLP) and known cyberthreats

We are not suggesting that you remove the more traditional perimeter security tools like firewalls and IDS. Those tools are generally designed to stop known security threats or identifiable attack patterns, and some newer perimeter technologies are able to detect zero-day threats as well. Instead, treat their logs and other metrics as one of many signals feeding a monitoring system, alongside wire data, machine data, metrics or agent data, and user-generated or synthetic data.

(credit to ExtraHop for a fantastic definition of these terms: http://www.extrahop.com/post/blog/the-four-data-sets-essential-for-it-operations-analytics-itoa/)

The Role of Security Monitoring

Rocana software aids in the second of the three programs: full-stack monitoring. Out of the box, Rocana monitors all machine data and a virtually unlimited number of metrics and derived metrics, and overlays synthetic data, all in real time from your IT infrastructure and applications. It does so at a reasonable, predictable cost on an open platform. Rocana also feeds enriched data into point solutions.

So instead of this:

[diagram not reproduced: data types siloed into separate point solutions]

you get this:

[diagram not reproduced: all data types monitored in a single platform]

Unfortunately, until now, price or technology constraints have forced organizations to silo these different data types into separate point solutions. Beyond a few days or weeks, the data is relegated to tape. What this means in practice is that finding correlations between interesting metrics across these datasets, security-related or not, at best happens as a batch job, and more realistically doesn't happen at all, because the signals have already been archived.
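As an added illustration of the cross-source correlation this post argues for, the following Python is example code written for this edit; it is not Rocana's software and not code from the original post. It normalizes three constructed feeds (a firewall log, a host SSH auth log, and an agent egress metric) into one time-ordered event stream and flags a host where an external address was first denied on port 22, then logged in successfully, and the host then pushed an unusually large volume outbound, all within one window. Each signal alone is noise in its own silo; together, in one stream, they are worth a look. The log lines, host names, IP addresses, thresholds and the host_by_ip mapping are all made up for the example.

```python
"""Correlating perimeter, host and agent signals in one event stream.

Example code for this post; all sample data below is constructed."""
import re
from datetime import datetime, timedelta

# --- constructed sample inputs, three sources, three formats ---
FIREWALL_LOG = [  # perimeter device syslog (made up)
    "2015-04-15T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.12 dport=22",
    "2015-04-15T10:00:09Z fw01 DENY src=203.0.113.7 dst=10.0.0.12 dport=22",
    "2015-04-15T10:00:14Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.12 dport=443",
]
AUTH_LOG = [  # host sshd log (made up)
    "2015-04-15T10:01:02Z host-12 sshd: Accepted password for admin from 203.0.113.7",
    "2015-04-15T10:30:00Z host-12 sshd: Accepted publickey for deploy from 10.0.0.5",
]
METRICS = [  # (timestamp, host, metric, value) from an agent (made up)
    ("2015-04-15T10:01:40Z", "host-12", "net.bytes_out", 850_000_000),
    ("2015-04-15T10:30:10Z", "host-12", "net.bytes_out", 1_200_000),
]
HOST_BY_IP = {"10.0.0.12": "host-12"}  # assumed asset-inventory lookup

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: Accepted (\w+) for (\S+) from (\S+)$")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(firewall_log, auth_log, metrics, host_by_ip):
    """Parse the three heterogeneous sources into one time-ordered event list.
    Every event carries ts, source, kind and host so they can be joined."""
    events = []
    for line in firewall_log:
        m = FW_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        t, _dev, action, src, dst, dport = m.groups()
        events.append({"ts": ts(t), "source": "firewall", "kind": "fw_" + action.lower(),
                       "host": host_by_ip.get(dst, dst), "src_ip": src, "dport": int(dport)})
    for line in auth_log:
        m = AUTH_RE.match(line)
        if not m:
            continue
        t, host, method, user, src = m.groups()
        events.append({"ts": ts(t), "source": "auth", "kind": "login_ok", "host": host,
                       "src_ip": src, "user": user, "method": method})
    for t, host, name, value in metrics:
        events.append({"ts": ts(t), "source": "agent", "kind": name, "host": host, "value": value})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=timedelta(minutes=5), egress_bytes=500_000_000):
    """Alert when, on the same host and within `window` of a firewall DENY:
    the denied source IP later logs in, and the host then emits >= egress_bytes.
    Repeated denies from the same source collapse into one alert."""
    denies = [e for e in events if e["kind"] == "fw_deny"]
    logins = [e for e in events if e["kind"] == "login_ok"]
    egress = [e for e in events if e["kind"] == "net.bytes_out" and e["value"] >= egress_bytes]
    alerts = {}
    for d in denies:
        deadline = d["ts"] + window
        for lg in logins:
            if lg["host"] != d["host"] or lg["src_ip"] != d["src_ip"]:
                continue
            if not d["ts"] <= lg["ts"] <= deadline:
                continue
            for g in egress:
                if g["host"] == lg["host"] and lg["ts"] <= g["ts"] <= deadline:
                    key = (d["host"], d["src_ip"])
                    alerts.setdefault(key, {
                        "host": d["host"], "src_ip": d["src_ip"], "user": lg["user"],
                        "first_deny": d["ts"], "login": lg["ts"], "egress": g["ts"],
                        "bytes_out": g["value"],
                        "reason": "denied source later logged in, then large egress",
                    })
    return list(alerts.values())


def run_example():
    """Run the correlation over the constructed sample data."""
    return correlate(normalize(FIREWALL_LOG, AUTH_LOG, METRICS, HOST_BY_IP))


if __name__ == "__main__":
    for a in run_example():
        print(a)
```

Two design points carry over to a real deployment: every source is reduced to a common shape (timestamp, host, kind) before any rule runs, so a new feed only needs a parser, not a new rule engine; and the rule keys on a host plus a time window, which is exactly the join that becomes impossible once the firewall log, the auth log and the agent metrics live in three products with three retention policies.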

To learn more about how Rocana offers an alternative approach, one that lets you monitor all four of those data types in a single platform while retaining the flexibility to leverage existing investments, read the next installment: Rocana's Approach to Operational Awareness - Part II.