Why is it that the majority of attention in the security market has been focused around event data? Isn’t it better to know where you stand before the bad thing happens? If memory serves me correctly, this was the entire point behind vulnerability management (and to a lesser degree, patch management).
Now, it seems, the compliance marketing engine has focused on the collection and analysis of events. Security events. OS events. If you read Dimitri McKay’s views, you might think ALL events. I’m sure the folks at all the other log collection companies think so too. And they all wave the same banner…PCI. Feh! While it might be a requirement, it is barely more than a checkbox.
Quite frankly, the tools and the staff running them just don’t have the horsepower or the sophistication (and in many cases the inclination) to build rulesets and perform analysis at a depth and breadth that adds any measure of preventive medicine to the situation. Sure, you can do a root cause analysis based on a series of events and then reconfigure your processes so that you minimize the chance of it ever happening again, but very few of us have ever seen this actually happen. When something bad goes down, bringing the systems back up and restoring order trumps figuring out how it actually happened in the first place.
You see, I think that state is just as important as events, if not more so. For starters, state-based decisions can be made in advance of the threat, whereas event-based decisions are often made in the heat of the moment. Also, state-based analysis can actually improve security ahead of the threat by allowing management to make rational decisions on where and how to deploy resources to plug known vulnerabilities and deficiencies. Event-based decision making is all about restoring to a known good (enough) state as quickly as possible and hoping like hell you don’t have to pull another all-nighter.
So, when do I get my correlation engine for state so I can start making decisions that improve security (and ultimately compliance) instead of reacting to every bell and whistle that has been shoved down my throat for the past eight years?
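To make the state-versus-events argument concrete, here is a toy state-correlation engine. It is an added example, not code from the original post or any product: the host records, the PATCH-A/B/C identifiers, the severity numbers and the scoring weights are all constructed for illustration. It ranks hosts from inventory state alone (missing patches joined against which services are actually listening, internet exposure, whether admin access requires MFA), so the "where do we stand" list exists before any incident, and then shows how the same state record turns an otherwise identical event into a high- or low-priority triage item.

```python
"""Toy state-correlation engine (added example, not the post's own tool).

All host records, patch IDs, severities and weights below are constructed.
A real engine would pull this state from an inventory/CMDB, a patch system
and a vulnerability scanner rather than from literals.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostState:
    name: str
    internet_facing: bool
    services: tuple          # services actually listening on the host
    missing_patches: tuple   # hypothetical patch IDs not yet applied
    mfa_enforced: bool       # admin logins require MFA


# Hypothetical patch catalog: patch id -> (severity on a 0-10 scale, service it fixes)
PATCH_CATALOG = {
    "PATCH-A": (9.8, "http"),
    "PATCH-B": (7.5, "smb"),
    "PATCH-C": (4.3, "ssh"),
}

# Constructed inventory snapshot: this is "state", known before any incident.
HOSTS = (
    HostState("web-01", True, ("http", "ssh"), ("PATCH-A",), False),
    HostState("file-02", False, ("smb", "ssh"), ("PATCH-B", "PATCH-C"), True),
    HostState("jump-03", True, ("ssh",), (), True),
)

EXPOSURE_MULTIPLIER = 2.0   # internet-facing doubles the weight of a reachable flaw
LATENT_FACTOR = 0.25        # patch missing but the vulnerable service is not running
UNPROTECTED_ADMIN = 5.0     # ssh reachable from the internet with no MFA


def score_host(host, catalog=PATCH_CATALOG):
    """Return (score, findings) derived purely from the host's current state."""
    score = 0.0
    findings = []
    for patch in host.missing_patches:
        severity, service = catalog[patch]
        if service in host.services:
            weight = severity * (EXPOSURE_MULTIPLIER if host.internet_facing else 1.0)
            findings.append(f"{patch}: {service} exposed, severity {severity}")
        else:
            weight = severity * LATENT_FACTOR
            findings.append(f"{patch}: {service} not running, latent")
        score += weight
    if host.internet_facing and "ssh" in host.services and not host.mfa_enforced:
        score += UNPROTECTED_ADMIN
        findings.append("ssh reachable from internet without MFA")
    return round(score, 1), findings


def prioritize(hosts=HOSTS, catalog=PATCH_CATALOG):
    """Rank hosts by state-derived score: the 'where do we stand' list."""
    ranked = [(h.name, *score_host(h, catalog)) for h in hosts]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def parse_event(line):
    """Parse a constructed syslog-style line of the form '<host> <type> count=<n>'."""
    host, event_type, count = line.split()
    return {"host": host, "type": event_type, "count": int(count.split("=")[1])}


def enrich_event(event, hosts=HOSTS, catalog=PATCH_CATALOG):
    """Attach the state-derived priority to an event so triage is not done cold."""
    by_name = {h.name: h for h in hosts}
    host = by_name.get(event["host"])
    if host is None:
        return {**event, "priority": "unknown", "state_score": None}
    score, _ = score_host(host, catalog)
    priority = "high" if score >= 20 else "medium" if score >= 10 else "low"
    return {**event, "priority": priority, "state_score": score}


if __name__ == "__main__":
    for name, score, findings in prioritize():
        print(f"{name:8} {score:5}  {'; '.join(findings) or 'no findings'}")
    # Constructed events: the same event type on two hosts, different triage outcome.
    for line in ("web-01 failed_login count=40", "jump-03 failed_login count=40"):
        print(enrich_event(parse_event(line)))
```

The point of the design is that `prioritize()` never looks at an event: it can be run on a quiet Tuesday to decide where patching and MFA rollout money goes. `enrich_event()` is the bridge in the other direction, joining an incoming event against the same state table so that forty failed logins on the unpatched, MFA-less web host outrank forty failed logins on the hardened jump box.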