Isaac Newton was for sure a great physicist, but he was not security aware! In his third law, he said: “For every action, there is an equal and opposite reaction.” (also known as the “action – reaction” principle).
This law of physics does not apply to security, and more precisely to risk management! You can’t wait for an incident to occur and only then take the right countermeasure(s)! Recently, I saw a good (well, bad) example in an organization which suffered a major network outage lasting a few hours. After a lot of investigation, they decided to power-cycle a core switch and the problem disappeared. Shit happens: such incidents always occur outside business hours and the impact on users must be as light as possible. That’s why it is often not even possible to perform live investigations. The Microsoft syndrome wins: Reboot!
In the example above, once the core switch rebooted, they lost all relevant data and, as the switch was not configured to send its events to a central syslog server, they could not debug any further! Case closed!
This example shows why the “action-reaction” principle does not apply to security! You must be prepared for the worst case. Deciding to deploy a security solution after the incident has occurred is not the proper way to reach your security requirements. You have to perform a risk analysis and apply the right countermeasures to circumvent the risks (or at least reduce them). Risk analysis is a demanding exercise which requires time and money, but there are alternatives to help you reduce risks.
As a security consultant, I’m often facing the same question from customers (even more during this financial crisis period): “You come to us with nice security solutions, but how much does it cost to implement them inside my company?” Of course, security vendors propose solutions with a lot of powerful features, but they are very expensive. This may be a little exaggerated from my point of view, but some security solutions look like Microsoft Word: think about the features of Word you use every day. How many? 10%? I’m being generous! The same applies to security solutions.
If your IT budget has been reduced, please do not drop security projects! Some quick wins may help you a lot and cost almost nothing. The open source world is a gold mine and has wonderful solutions ready to use. Back to the example above: to collect messages from the core switches, a simple Linux server running syslog-ng could centralize all the syslog events generated by your network devices and applications. If you have to look for specific errors, just use grep to search for patterns in the text files generated by syslog-ng. I agree, it does not offer powerful correlation or real-time notification in case of incident, but the most important thing is: you keep a trace of all events!
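To make the “syslog-ng plus grep” quick win concrete, here is an added example (not code from the original post). It assumes a minimal syslog-ng 3.x configuration that receives remote syslog over UDP/514 and writes one file per sending host; the switch events in the script are constructed samples in a Cisco-like “%FACILITY-SEVERITY-MNEMONIC” format, written under a temporary directory instead of /var/log/remote so the script runs offline. The helper functions show the kind of questions you can already answer from plain text files after an outage: which host logged what, how often, and when it started.

```shell
#!/bin/sh
# Added example: centralized syslog files searched with grep.
# All log lines below are constructed samples, not real device output.
set -eu

# Where syslog-ng would write per-host files; a temp dir here so the
# example runs without root or a real syslog-ng daemon.
LOGDIR="${LOGDIR:-$(mktemp -d)}"

# Assumed minimal syslog-ng 3.x config: listen on UDP/514 and store one
# "messages" file per sending host (directory named after ${HOST}).
write_syslogng_conf() {
    cat > "$1" <<'EOF'
source s_net { udp(ip(0.0.0.0) port(514)); };
destination d_hosts { file("/var/log/remote/${HOST}/messages" create_dirs(yes)); };
log { source(s_net); destination(d_hosts); };
EOF
}

# Constructed events, laid out as the config above would store them.
write_sample_logs() {
    mkdir -p "$LOGDIR/core-sw1" "$LOGDIR/core-sw2"
    cat > "$LOGDIR/core-sw1/messages" <<'EOF'
Mar  3 02:11:04 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Mar  3 02:11:05 core-sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Mar  3 02:11:09 core-sw1 %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed
Mar  3 02:11:40 core-sw1 %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed
EOF
    cat > "$LOGDIR/core-sw2/messages" <<'EOF'
Mar  3 02:11:06 core-sw2 %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to down
Mar  3 02:12:00 core-sw2 %SYS-5-CONFIG_I: Configured from console by admin
EOF
}

# How many events from HOST match PATTERN (extended regex)?
# Usage: count_events HOST PATTERN  -> prints a number
count_events() {
    grep -Ec "$2" "$LOGDIR/$1/messages" 2>/dev/null || true
}

# First event from HOST matching PATTERN: tells you when trouble started.
# Usage: first_event HOST PATTERN -> prints the line (or nothing)
first_event() {
    grep -E "$2" "$LOGDIR/$1/messages" 2>/dev/null | head -n 1
}

# Count events of severity 0-3 (emergency..error) across every host.
# The severity digit sits between the facility and the mnemonic.
count_critical() {
    grep -hE '%[A-Z_]+-[0-3]-' "$LOGDIR"/*/messages 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run: build the sample files and print a short report.
write_sample_logs
write_syslogng_conf "$LOGDIR/syslog-ng.conf"
echo "log directory: $LOGDIR"
echo "core-sw1 MALLOCFAIL events: $(count_events core-sw1 MALLOCFAIL)"
echo "first link-down on core-sw1: $(first_event core-sw1 'changed state to down')"
echo "severity 0-3 events, all hosts: $(count_critical)"
```

With a real deployment, point `LOGDIR` at /var/log/remote (or wherever your syslog-ng destination writes) and drop the sample-writing step; the three grep helpers work unchanged. The point is not the tooling but the fact that, after the next reboot, the evidence is still on disk.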
It does not mean that commercial solutions should be avoided. Certainly not! They also propose features which can help you a lot and reduce management costs. Finally, keep in mind that the time invested in deploying a basic solution won’t be lost: the analysis you performed today will be re-used later when you switch to another solution (list of assets, criticality, …).
Note that Newton’s principle perfectly matches everything related to incident management! If an incident is detected in your security perimeter, you must take action! But that’s another topic! 😉