Industry View

Centralizing Enterprise Security Operations and Management

Jeff Ahlerich of Looking Glass Systems looks at transcending the politics

By Jeff Ahlerich, Looking Glass Systems


The principal idea behind centralized Security Operations is to put in position a group of able specialists who can respond nimbly to aggregated and correlated event data produced by an accurate, well-tuned detection infrastructure. While a good deal of technology exists to allow such centralization programs to be as effective as advertised, more often than not it is the people and politics that become the bottlenecks. Whether they are openly and vocally opposed to the concept or more passive-aggressive by nature, distributed, localized IT administrators, and even NOC and desktop support organizations, commonly go into protection mode when faced with the prospect of a centralized security initiative. A common feeling among these groups is that yielding to centralized security will either create more chaos for them, or that they will get into trouble for something found wrong with their legacy security measures. It is a combination of a classic resistance to change from the status quo and a protectionist mindset. Warranted or not, it is 100% human nature.

Power to the People… and the Software!
It's not all bad news for centralization advocates who find their plans mired in difficult political circumstances. Solving the opposition problem is best accomplished when the security management platforms at the center of the architecture design are
a) easy to adopt, integrate and deploy,
b) equipped with flexible and granular role-based access controls with audit trail facilities,
c) designed to address not one or a small handful of specific security issues, but a more comprehensive security management lifecycle, and
d) capable of automating repeatable human workflow processes. Let's examine each requirement in more detail.

Easy to adopt, integrate and deploy: The reality today is that the SOC analyst talent pool is smaller than the market demand, and turnover for such positions is quite high. As soon as the really talented individuals become proficient in their security analyst role, they are typically promoted out of operations and into the more lucrative and sought-after security engineering or architect positions. Due to the combination of budgetary constraints and talent pool limitations, it is not uncommon for SOC personnel, even in the most security-conscious organizations, to be recruited straight from help desk / desktop support positions, or brought on from outside with little security operations experience. Because turnover is high, pay scales are low, and frankly, the skill set many SOC managers must settle for can be subpar, security management platforms need to be intuitively designed, to the extent that an operator / analyst new to the role can sit down in front of the console and pick it up in hours or days with very little training, versus the weeks or months of intense training it typically takes to become adequately proficient with most of today's available solutions.
