Collection, Sensing, and Alerting: Yesterday's News

Security has evolved to the point that I can now say that collection, sensing, and alerting are yesterday’s news. How can I make such a provocative statement? Wikipedia. Confused? That’s certainly understandable. I’ll explain.

Years ago, if we wanted to learn about a topic, we looked it up in the encyclopedia. Yes, I realize that some of my readers may be less familiar with this concept than others. Nonetheless, before most of us had access to the Internet, it required some effort to get information when we needed it.

Along came the Internet and suddenly information was everywhere and easily accessible. There was only one problem. Information was hidden in plain sight. True, it was everywhere and easily accessible, but it became harder than ever to organize and make sense of the information.

Therein lies the magic of Wikipedia. What makes Wikipedia great isn’t the information it contains -- that can be found anywhere. Rather, what makes Wikipedia great is that it organizes, warehouses, and indexes all of that information neatly, in a factually accurate manner, all in one place. That is, in essence, Wikipedia’s differentiator.

Let’s turn back to security to further examine this concept and its implications. In security, and more specifically in security operations, we have traditionally focused the overwhelming majority of our efforts on collection, sensing, and alerting. Many organizations spend a tremendous amount of time instrumenting their networks and endpoints, tuning rules and logic, and working to produce a reasonable volume of high fidelity, low noise alerting. Please don’t misunderstand my point here -- these are all extremely important things that are critical to the success of a security organization, as I have written about many times.

So what am I getting at? Collection, sensing, and alerting are only half of the story. We in the security field sometimes forget something that is extremely important. In fact, I consider it to be one of the most fundamental aspects of security operations. To understand what we’re forgetting, we need to step back and ask ourselves a few questions: Why? So what? What is the point?

Let’s expand these questions a bit further to better understand what I am hoping to highlight: Why have we spent so much time, money, and effort on collection, sensing, and alerting? What does it get us in the end? What end goal are we trying to achieve with all of this telemetry and alerting infrastructure?

To understand the answers to these questions, we have to go back to, you guessed it, the prioritized list of risks we are looking to mitigate as security practitioners. These will, of course, vary by organization. But there is one central theme that runs through each and every organization. At any point in time, I need to be able to quickly assess whether or not my organization has fallen victim to one or more of these risks. Or, to put it another way, I need to be able to make decisions. Not just any decisions, but informed, timely, and accurate decisions.

Conceptually this undertaking sounds easy enough. In practice, however, it turns out to be quite difficult, though perhaps not for the reasons you might expect. Whereas once it was difficult to obtain visibility and reliable telemetry data from the vast expanse of the enterprise, times have changed. I’m not saying that collection, sensing, and alerting aren’t important -- indeed they are. Rather, what I’m saying is that they are yesterday’s problem. Today, there is no shortage of options when it comes to collection, sensing, and alerting, whether these capabilities come from a vendor, from open-source, or are built in-house.

Perhaps you’ll understand why I’m a bit surprised that I still see so much discussion around the security community about who has built the better mousetrap. Granted, there will always be important differences between different offerings. The bigger question in my mind, however, is one that I see discussed far less often. What do you do with all of that information? How can all of that information be fused, correlated, and analyzed continually in order to be turned into knowledge? In turn, how can that knowledge subsequently be leveraged to either disrupt attacks, or to tell you when there is something requiring your immediate attention? That is the “wikipedia” piece of security operations that I so often see missing from the broader discussion, dialogue, and debate around the topic.

True security operations requires so much more than merely technology to support collection, sensing, and alerting. It requires intelligence to inform and enrich telemetry and alert data. It requires automation to put together different pieces of the puzzle and build the narrative around what is truly going on. It requires expertise to continually interrogate, mine, and analyze the enriched information in order to turn it into knowledge. Not just any knowledge, of course, but knowledge relevant to and mapped back to the risks we’re most concerned about mitigating. Knowledge that enables and empowers us to make informed, timely, and actionable decisions regarding those risks.
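The two paragraphs above describe the layer that sits on top of collection, sensing, and alerting: intelligence enriches alerts, automation stitches them into a narrative, and the result is mapped back to the prioritized risk list so a decision can be made. The following Python sketch is an added illustration of that layer and is not code from the original column or from any product mentioned in it. Every alert, indicator, host name, asset weight and risk name in it is a constructed placeholder, and the 30-minute correlation window and the scoring formula are assumptions chosen for the example.

```python
"""Added illustration: a minimal 'fusion' layer that enriches constructed alerts
with constructed intelligence, correlates them into per-host incident
narratives, and maps each narrative to a prioritized organizational risk."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample inputs (illustrative placeholders, not real data) ---
ALERTS = [
    {"ts": "2024-01-10T09:00:00", "host": "ws-042",  "kind": "phish_click",   "ioc": "198.51.100.7"},
    {"ts": "2024-01-10T09:04:00", "host": "ws-042",  "kind": "script_exec",   "ioc": None},
    {"ts": "2024-01-10T09:06:00", "host": "ws-042",  "kind": "outbound_conn", "ioc": "198.51.100.7"},
    {"ts": "2024-01-10T14:00:00", "host": "srv-db1", "kind": "outbound_conn", "ioc": "203.0.113.9"},
    {"ts": "2024-01-11T02:00:00", "host": "ws-017",  "kind": "av_quarantine", "ioc": None},
]

# Intelligence used to enrich alerts: indicator -> context (constructed).
INTEL = {
    "198.51.100.7": {"tag": "known-c2", "confidence": 0.9},
    "203.0.113.9":  {"tag": "suspicious-hosting", "confidence": 0.5},
}

# Asset criticality (constructed); hosts not listed default to weight 1.
ASSET_WEIGHT = {"srv-db1": 3, "ws-042": 1, "ws-017": 1}

# The organization's prioritized risk list (constructed). Each entry names the
# alert kinds that count as evidence for the risk and the minimum asset weight
# it applies to; list order is the priority order.
RISKS = [
    ("R1 exfiltration from critical servers", {"outbound_conn"}, 3),
    ("R2 endpoint compromise via phishing", {"phish_click", "script_exec", "outbound_conn"}, 1),
    ("R3 commodity malware on a workstation", {"av_quarantine"}, 1),
]


def enrich(alert):
    """Intelligence layer: attach indicator context to a raw alert."""
    ctx = INTEL.get(alert["ioc"]) if alert["ioc"] else None
    return {**alert, "intel": ctx}


def correlate(alerts, window=timedelta(minutes=30)):
    """Automation layer: stitch alerts on the same host that occur within
    `window` of the previous alert into one incident narrative."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):  # ISO timestamps sort lexically
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        current = [items[0]]
        for a in items[1:]:
            gap = datetime.fromisoformat(a["ts"]) - datetime.fromisoformat(current[-1]["ts"])
            if gap <= window:
                current.append(a)
            else:
                incidents.append({"host": host, "alerts": current})
                current = [a]
        incidents.append({"host": host, "alerts": current})
    return incidents


def map_to_risks(incident):
    """Knowledge layer: decide which prioritized risks the incident is evidence
    for and score it. Score = distinct evidence kinds * asset weight * (1 + best
    intel confidence); this formula is an assumption for the example."""
    kinds = {a["kind"] for a in incident["alerts"]}
    weight = ASSET_WEIGHT.get(incident["host"], 1)
    conf = max((a["intel"]["confidence"] for a in incident["alerts"] if a["intel"]), default=0.0)
    matched = [name for name, evidence, min_weight in RISKS
               if kinds & evidence and weight >= min_weight]
    names = [name for name, _, _ in RISKS]
    priority = names.index(matched[0]) if matched else len(RISKS)
    return {**incident, "risks": matched, "priority": priority,
            "score": len(kinds) * weight * (1 + conf)}


def assess(alerts):
    """Full pipeline: enrich -> correlate -> map to risks -> rank for decision.
    Highest-priority risk first, then highest score."""
    incidents = [map_to_risks(i) for i in correlate([enrich(a) for a in alerts])]
    return sorted(incidents, key=lambda i: (i["priority"], -i["score"]))


if __name__ == "__main__":
    for inc in assess(ALERTS):
        story = " -> ".join(a["kind"] for a in inc["alerts"])
        print(f"{inc['host']:8} score={inc['score']:.1f} risks={inc['risks'] or ['none']} narrative: {story}")
```

Run as a script it prints a ranked list an analyst can act on: the single outbound connection from the critical database server ranks above the three-step phishing chain on a workstation, even though the workstation incident has more alerts and stronger intelligence, because the risk list puts exfiltration from critical servers first. Changing the order of `RISKS` or the asset weights changes the ranking without touching any collection or alerting logic, which is the point of keeping that layer separate.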

As the security world continues to march forward, having a security operations “wikipedia” seems increasingly critical to a successful security operations effort within an organization. Collection, sensing, and alerting technologies are easy enough to come by nowadays, but that’s only a small part of addressing the overall security operations challenge. It’s becoming less and less about getting the information and more and more about extracting maximum value from that information in support of informed, timely, and accurate decision-making.

Joshua Goldfarb (Twitter: @ananalytical) is CTO – Emerging Technologies at FireEye and has over a decade of experience building, operating, and running Security Operations Centers (SOCs). Before joining nPulse Technologies, which was acquired by FireEye, as its Chief Security Officer (CSO), he worked as an independent consultant where he consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career Goldfarb served as the Chief of Analysis for US-CERT, where he built from the ground up and subsequently ran the network, physical media and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in Physics and an M.Eng. in Operations Research and Information Engineering from Cornell University.