infoTECH Feature

December 17, 2015

Not All Security Intelligence and Analytics Platforms are the Same

By Special Guest
Tom Kelly, CEO, AccelOps

Today’s dynamic, data-driven businesses have never been more at risk of security breaches and network performance impacts. With digital transformation in full swing, the pace of change is only accelerating, and an organization’s ability to make the right decisions on solutions that provide a holistic, real-time view of the network is becoming more critical than ever. Here’s why:

  • Organizations are challenged with a wide diversity of data sources.
  • The need for scalability and an integrated view of networks, systems, applications and virtualized environments is not possible with legacy tools.
  • Network and security ops personnel must have the ability to view and share data from multiple network environments to quickly identify root causes of threats.
  • New government regulations and recent high profile breaches are bringing security conversations into the boardrooms of corporations from around the world.

With these challenges in mind, network security and operations professionals are quickly discovering they not only need to report to the corporate CISO or CSO; they may in fact find themselves standing in front of the CEO, or worse, answering to the board of directors to explain how they are protecting critical corporate resources and ensuring compliance standards are being met.

The increasing channels of engagement and communication such as social, mobile, local and cloud applications within the enterprise have increased IT operational challenges, to say the least. Other trends such as the Internet of Things (IoT) and managing suppliers, remote users and highly diversified platforms are adding new dimensions to IT security challenges. So, how do you bring disparate network operations center (NOC) and security operations center (SOC) data and analytics together before a security vulnerability is exploited, rather than only after a breach has occurred and the two teams are pointing fingers at each other?

The Crucial Drivers for the Convergence of NOC/SOC

From the boardroom to the IT professional, it is clear that having a combined network operations and security data center view is table stakes for today’s increasingly vulnerable organizations. However, in many organizations, there are at least two separate teams of networking professionals overseeing different parts of the network, reporting to different department heads and working with different tool sets that don’t integrate the data being collected. While this siloed model worked in the network environments of yesterday (those networks that were never touched or couldn’t be touched by outside influences), today’s fast-paced, data-driven, mobile-first network environments demand tools that provide more agility and deeper visibility into network activity.

As a result, this separation of responsibilities adds to the complexity and slows the discovery of security vulnerabilities. These vulnerabilities are frequently exposed and managed only after a breach has occurred and damage to the organization has already been done. Investigations of the network weak points require gathering “all IT hands on deck,” with the security operations teams bringing in their sources of data and IT operations bringing in theirs, requiring both teams to manually correlate historical events to discover the source(s) of the breach. With shrinking budgets stretching IT assets and a growing sense of exposure and accountability, it has become more critical than ever to identify and implement solutions that will satisfy the needs of both entities and their chain of command with tools that can more rapidly identify threats through the cross-correlation of data and analytics from both departments.

Redefining Security Information and Event Management (SIEM)

Since Mark Nicolett and Amrit Williams of Gartner coined the phrase Security Information and Event Management (SIEM) in 2005, software and hardware companies have been diligently defining and refining solutions to meet and stay ahead of network challenges as they continue to morph and change.

While SIEM solutions were originally designed to provide real-time analysis of security alerts that are generated by network hardware and applications, the emergence of the Cloud, the Internet of Things (IoT) and Big Data have tasked NOC and SOC professionals with monitoring and reporting a growing number of activities.

Like a juggler challenged with keeping an ever-growing number of balls in the air, IT operations and security personnel must stay on top of the latest regulatory requirements to keep their organization in compliance, pay attention to any number of alerts across a spectrum of operating systems, monitor and identify devices in virtual and on-premises environments, and understand the nature and implications of tens of thousands of known and increasingly unknown devices pinging their network at any given moment.

While there are a wide variety of choices in the market today, the industry has become saturated with products that are as disparate as the divide between NOC and SOC departments. What should organizations be looking for in a solution? What are the pitfalls they should be aware of? How can they be sure they have selected a solution that will provide them with the holy grail of unified analytics, accelerated time to discovery of threats and the ability to respond quickly? And all that while automating and integrating their regulatory compliance reporting data?

Don’t Get Caught Unaware

One of IT’s greatest fears is to purchase a solution, install the product and take the time to train staff, only to find that the solution is difficult for their staff to use or doesn’t easily scale as the needs of the organization change.

Below are five “must have” elements organizations should look for when implementing a SIEM solution that bridges both network and security operations needs and requirements:

  • The “Single Pane of Glass” perspective – Unified network analytics platforms should integrate and cross-correlate data that has historically been managed in separate departments (NOC and SOC) to bring together a comprehensive, holistic organizational or “single-pane-of-glass” view of the network. Ideally, the solution should provide pre-defined reports for common monitoring and compliance needs, along with easily customizable reports for unique needs.
  • Real-time correlation of security and network threats – By providing teams with a real-time view of the organization’s network infrastructure and cross-correlating data from device and event details, organizations can be empowered with the insights they need to quickly react to cybersecurity and network performance threats.
  • Automated device discovery engine – Identify solutions that are able to incorporate a Configuration Management Database (CMDB) to map their current network topology, including servers, devices, storage, networks, mobile, security, applications and users, and their interdependencies. The CMDB tool should also provide the ability to self-learn in real time any changes that occur to that CMDB environment. In doing so, teams will gain the ability to discover, identify and establish alerts from changes that may be posing threats to the organization’s compliance or performance needs.
  • Sharing security breach data – Find solutions that can provide the capability to aggregate, validate and share anonymous threat data, in real time, for rapid awareness to an ever-growing threat landscape.
  • Multi-tenant architecture – Today’s corporate network environments can span multiple national and international locations. In addition to an organization’s need to have a macro view of their overall network infrastructure, they also need the ability to partition and define unique physical and logical network elements into micro-view reporting domains (“tenants”) for greater granularity in their management of the unique requirements in those domains. For example, an organization might want to create a unique “tenant” associated with the network elements in their “e-commerce” infrastructure for the purpose of monitoring, managing and reporting on PCI compliance conformance standards, specific to that environment. They should seek a tool that allows them to easily select any relevant network elements found in their CMDB in defining and customizing those domains to their specific needs. Managed Service Providers (MSPs) also need to manage their own internal infrastructure, as well as the ability to carve out unique domains for their respective end-user customers. In either case, it is imperative that you implement a solution that provides the capability to view multiple tenant or client networks with real-time analytics in order to stay ahead of emerging threats and meet compliance needs.
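As an added illustration of the real-time correlation, CMDB enrichment and tenant partitioning described in the list above (a constructed example written for this page, not AccelOps code or anything from the article), the following pairs NOC performance events with SOC security events from the same asset inside a short time window, looks the asset up in a small sample CMDB to attach its tenant and PCI scope, and treats a source the CMDB has never seen as a finding in its own right. All hosts, addresses and event types are invented sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CMDB: asset -> owning tenant and compliance scope (sample data, not from the article).
CMDB = {
    "10.1.5.20": {"host": "web-ecom-01", "tenant": "e-commerce", "scope": "PCI"},
    "10.2.8.7": {"host": "fileshare-03", "tenant": "corporate", "scope": "none"},
}

# Constructed NOC (performance) and SOC (security) events, already normalized to one schema.
NOC_EVENTS = [
    {"ts": "2015-12-15T03:00:05", "src": "10.1.5.20", "type": "egress_bandwidth_spike"},
    {"ts": "2015-12-15T09:12:00", "src": "10.2.8.7", "type": "cpu_high"},
    {"ts": "2015-12-15T11:30:10", "src": "10.9.9.9", "type": "new_mac_seen"},
]
SOC_EVENTS = [
    {"ts": "2015-12-15T02:58:40", "src": "10.1.5.20", "type": "ids_outbound_alert"},
    {"ts": "2015-12-15T14:00:00", "src": "10.2.8.7", "type": "failed_logon_burst"},
    {"ts": "2015-12-15T11:31:00", "src": "10.9.9.9", "type": "port_scan"},
]

UNKNOWN_ASSET = {"host": "unknown", "tenant": "unassigned", "scope": "none"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def correlate(noc_events, soc_events, cmdb, window=timedelta(minutes=5)):
    """Pair NOC and SOC events from the same source within `window` and enrich them from the CMDB."""
    soc_by_src = defaultdict(list)
    for e in soc_events:
        soc_by_src[e["src"]].append(e)
    findings = []
    for n in noc_events:
        for s in soc_by_src.get(n["src"], []):
            if abs(parse_ts(n["ts"]) - parse_ts(s["ts"])) <= window:
                # A source missing from the CMDB is itself a finding: an unknown device on the network.
                asset = cmdb.get(n["src"], UNKNOWN_ASSET)
                findings.append({
                    "src": n["src"], "host": asset["host"], "tenant": asset["tenant"],
                    "noc": n["type"], "soc": s["type"],
                    # PCI-scoped assets and unknown devices are escalated first.
                    "priority": "high" if asset["scope"] == "PCI" or asset is UNKNOWN_ASSET else "medium",
                })
    return findings

def tenant_view(findings, tenant):
    """Per-tenant slice of the findings, e.g. a PCI report restricted to the e-commerce domain."""
    return [f for f in findings if f["tenant"] == tenant]
```

Run on the sample data, the corporate file server produces no finding because its CPU and logon events are hours apart, while the e-commerce web server and the never-inventoried 10.9.9.9 both surface as high priority.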

The Networking Silo is Dead

There are almost daily announcements of high-profile breaches happening to the most respected institutions, across all industries, and the corresponding negative impacts those breaches have had on organizational revenues, brand reputation and customer experience, not to mention the potential for organizational leaders facing actual jail time. C-levels can no longer rely on the age-old idea that their network is optimally managed and protected by NOC and SOC teams working independently – the old siloed approach is dead. MSPs have already discovered how critical it is to correlate analytics from both the SOC and NOC in meeting today’s challenges, and many of them have built business models offering services that do just that. Today’s uncertain environment is not just an IT, CIO or CISO problem; it is impacting every employee and every C-level and being felt all the way up to the board of directors.

Zero-day threats and the sources of those threats are becoming increasingly diverse and sophisticated. Coupled with the unknown risks that the “Internet of Things” (IoT) may pose, this requires tools that can more efficiently correlate data and analytics from multiple sources in the network to more rapidly identify and remediate threats. Post-breach analysis alone is no longer an option. Proactive, real-time network analytics tools are crucial to both the short- and long-term viability of these organizations.

Security is no longer just about protecting information – it is critical to maintaining business application and employee efficiencies. It is also critical in maintaining trust with customers and building an organization's brand and reputation. As we move into the holiday season, the news of record volumes in online and mobile purchases underscores the critical nature of network performance and the associated security requirements that are growing with that trend. Additionally, the highly publicized breaches of 2015 are now behind us but have all provided lessons and warnings to all organizations. Breaking down the barriers between the NOC and SOC, currently preventing organizations from rapid identification and remediation of threats, must take the highest priority, as failure to do so puts all other strategic initiatives at risk. The organizations that take those steps and develop a clear security, performance and compliance strategy that enables them to cross-correlate NOC and SOC analytics in real time will be the ones that come out on top in 2016 and beyond.

About the Author: Tom Kelly is a technology industry veteran having led companies through founding, growth, IPO and strategic acquisition. He has served as a CEO, COO or CFO at Cadence Design Systems, Frame Technology, Cirrus Logic, Epicor Software and Blaze Software. Tom led successful turnarounds at Bluestar Solutions, MonteVista Software and Moxie Software, having served as CEO in repositioning and rebranding the companies in advance of their new growth. He serves on the Boards of Directors of FEI, Fabrinet, and ReadyPulse. Tom is a graduate of Santa Clara University, where he is a member of the University’s Board of Regents.

Edited by Maurice Nagle