
Let’s Go Fight IT for Logs? Agents? Taps?

By Anton Chuvakin | November 01, 2018 | 7 Comments


This is a depressing post about security in the real world (what … another one?)

In any case, we are having those enlightened debates about log analysis (via SIEM/UEBA), network security monitoring (via NTA or, if you’d like, NDR), endpoint detection (via EDR) and overall about SOC. Even threat hunting comes up. All very exciting! Very stimulating!

But guess what all these security technologies have in common? They all rely on something that the cyber security team does not own or control: IT infrastructure.

To SIEM and even to log, you need configurations changed, credentials obtained, access allowed or agents deployed; then logs need to be gathered and directed to the analysis engines.

To NTA, you need access to traffic via taps, packet brokers or span ports; you also need the network infrastructure to work harder to capture data and not just to network.

To EDR, you need agents deployed or admin credentials obtained (if you are lucky enough to have an agentless EDR); these may also bring additional performance requirements.

All this relies on IT. This also means that many discussions about layered defense, detection and response, monitoring just die, because – hey! – often the good guys seem to prefer to fight other good guys. Specifically, the good guys in IT fight the good guys in security.

Am I too cynical here? Not really – you all secretly know that IT dysfunction kills security (example)!

For example, Augusto wisely pointed out that “organizational challenges” sometimes cause network monitoring to be chosen ahead of, or instead of, endpoint monitoring.

What does it really mean?

This: imagine that you are comparing a great EDR vendor (good + fast + cheap, pick all 3 at 1/2 the price, detect APT, does not affect performance, UI is beautiful, support team sends you thoughtful gifts) and a shitty NTA vendor (costs a lot, drops packets, generates mostly “false positives”, befuddles with their UI, support team does not pick up the phone and only sends you bills).

However, you – the security manager – are friends with the network team at your organization, while the desktop team hates your guts. They’d rather the organization be hacked, because they want you to be fired as a result. They will never allow any “horrible security agents” to be installed.

Would you be able to make a sensible technology decision? I’d vote NO. You choose the network monitoring over endpoint monitoring as your first, and very likely also your last step in your detection and response strategy.

Similar frictions happen between the vulnerability assessment function (part of security) and platform teams responsible for patching. I’ve seen examples of “great vulnerability scanner + great system management tool + BAD team friction = total failure.”

So, Anton, why was this written? For two reasons:

  1. First, to warn the vendors: sometimes your technology is great, but it totally fails in the real world. Innovate, but think about real world challenges and deployments.
  2. Second, to remind the defenders to play along and seek to minimize “fighting the good guys.” Defend, but also build bridges between different groups of the good guys.


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • Dori Fisher says:

    I think every security vendor should add a nice feature for IT.
    Selling infosec internally usually means that IT should get something out of it. In many of my projects, we used to incorporate IT needs and support them with a dashboard, an alert or anything we can do to make their job easier.
    Small example: at one client we added SIEM monitoring for backup logs and alerted on errors and on changes to backup time and data. This saved a lot for the IT guys and they supported the SIEM/SOC.

    • Thanks for the comment, Dori. I am sure you had your share of “we need logs – NOOOO!” battles in your time. I think “value for IT” is a decent strategy unless IT starts as hostile to infosec in the first place…
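As an added illustration of the “value for IT” idea in the comment above (this is example code written for this page, not from Dori’s projects, from the post’s author, or from any SIEM product), here is a small detector over backup-job logs. The log line format and the sample lines are constructed for the example; the three conditions it raises are the ones the comment names: a job that does not finish OK, a job whose start time drifts from its baseline, and a job whose backed-up data set changes.

```python
import re
from dataclasses import dataclass

# Hypothetical backup-job log format, constructed for this example:
#   <date> <time> job=<name> status=<OK|ERROR> start=<HH:MM> dataset=<paths> [msg="..."]
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"job=(?P<job>\S+) status=(?P<status>\S+) start=(?P<start>\d{2}:\d{2}) "
    r"dataset=(?P<dataset>\S+)(?: msg=\"(?P<msg>[^\"]*)\")?$"
)

# Constructed sample lines: three nights of two jobs, plus one unparseable line.
SAMPLE_LOGS = [
    '2018-10-29 02:00:03 job=nightly-db status=OK start=02:00 dataset=/var/lib/db',
    '2018-10-29 03:00:11 job=fileshare status=OK start=03:00 dataset=/srv/share',
    '2018-10-30 02:00:05 job=nightly-db status=OK start=02:00 dataset=/var/lib/db',
    '2018-10-30 03:00:09 job=fileshare status=ERROR start=03:00 dataset=/srv/share msg="tape drive offline"',
    '2018-10-31 02:00:02 job=nightly-db status=OK start=02:00 dataset=/var/lib/db,/etc',
    '2018-10-31 06:30:44 job=fileshare status=OK start=06:30 dataset=/srv/share',
    'garbage line that does not parse',
]


@dataclass
class Alert:
    job: str
    kind: str    # "error", "schedule_change", "scope_change" or "unparsed"
    detail: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def monitor_backups(lines, baseline=None):
    """Scan backup log lines and return the alerts a SIEM rule would raise.

    baseline maps job name -> {"start": "HH:MM", "dataset": "..."}; when a job
    has no baseline entry, its first sighting becomes the baseline. The baseline
    is deliberately not updated on a deviation, so a persistent change keeps
    alerting until someone confirms it and updates the baseline explicitly.
    """
    baseline = dict(baseline or {})
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # Unparsed lines are surfaced rather than dropped: a silent parser
            # failure would look exactly like "no backup problems".
            alerts.append(Alert("-", "unparsed", line))
            continue
        job = rec["job"]
        if rec["status"] != "OK":
            alerts.append(Alert(job, "error", rec["msg"] or rec["status"]))
        known = baseline.get(job)
        if known is None:
            baseline[job] = {"start": rec["start"], "dataset": rec["dataset"]}
            continue
        if rec["start"] != known["start"]:
            alerts.append(Alert(job, "schedule_change", f'{known["start"]} -> {rec["start"]}'))
        if rec["dataset"] != known["dataset"]:
            alerts.append(Alert(job, "scope_change", f'{known["dataset"]} -> {rec["dataset"]}'))
    return alerts


if __name__ == "__main__":
    for a in monitor_backups(SAMPLE_LOGS):
        print(f"[{a.kind}] job={a.job}: {a.detail}")
```

Run against the sample lines it raises four alerts: the tape-drive error on the fileshare job, a scope change on nightly-db when /etc is added to the data set, a schedule change on fileshare when it moves from 03:00 to 06:30, and the unparseable line. The scope and schedule alerts are the ones that give the backup team something they did not have before, which is the point of the comment.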

  • Pavel Taratynov says:

    I couldn’t agree with you more. It is a general situation. That’s why networking and soft skills are so crucial for SOC/security managers. IMO, SOC building is more about management challenges, not technology.

    • Pavel, thanks for the comment. Indeed, “networking and soft skills” is ultimately the best “weapon” vs the bad guys here. If you win the good guys, then together you can win vs the bad guys…

  • Fortune Barnard says:

    Great article as usual, sir. I must point out how much time security folks spend fighting each other in bigger or global organisations. Cyber security is about risk and relationship management, and collaboration. If we don’t collaborate with each other, how are we able to collaborate with IT, and then hopefully get the data to protect the organisation?

  • Robert says:

    I loved the post! In recent years, I’ve been looking into methods to have these challenging conversations with the C-Level folks. As often as this scenario plays out, it makes me wonder how engaged CIOs are with the needs of their organization. It would be refreshing to see an onslaught of articles hit all the executive periodicals / blogs. Too often, my concerns aired directly to the Security Director don’t make it through the CSO / CISO into the thoughts of the CIO. How can we make progress here?

    • Thanks a lot for the comment. Indeed, many of those can be filed under “leadership fail” and that ultimately means the CIO.

      However, I have a sneaking suspicion that many of these issues never reach the CIO. E.g., IT ops fighting infosec re: patching rarely reaches that high up, it seems.