Gartner Blog Network


Let’s Go Fight IT for Logs? Agents? Taps?

by Anton Chuvakin  |  November 1, 2018  |  5 Comments

This is a depressing post about security in the real world (what … another one?)

In any case, we are having those enlightened debates about log analysis (via SIEM/UEBA), network security monitoring (via NTA or, if you’d like, NDR), endpoint detection (via EDR) and overall about SOC. Even threat hunting comes up. All very exciting! Very stimulating!

But guess what all these security technologies have in common? They all rely on something that the cyber security team does not own or control: IT infrastructure.

To SIEM, or even just to collect logs, you need configurations changed, credentials obtained, access allowed or agents deployed; then the logs need to be gathered and directed to the analysis engines.

To NTA, you need access to traffic via taps, packet brokers or span ports; you also need the network infrastructure to work harder to capture data and not just to network.

To EDR, you need agents deployed or admin credentials obtained (if you are lucky enough to have an agentless EDR); these may mean additional performance requirements too.

All this relies on IT. This also means that many discussions about layered defense, detection and response, monitoring just die, because – hey! – often the good guys seem to prefer to fight other good guys. Specifically, the good guys in IT fight the good guys in security.

Am I too cynical here? Not really – you all secretly know that IT dysfunction kills security (example)!

For example, Augusto wisely pointed out that “organizational challenges” sometimes cause network monitoring to be chosen ahead of, or instead of, endpoint monitoring.

What does it really mean?

This: imagine that you are comparing a great EDR vendor (good + fast + cheap, pick all 3 at 1/2 the price, detect APT, does not affect performance, UI is beautiful, support team sends you thoughtful gifts) and a shitty NTA vendor (costs a lot, drops packets, generates mostly “false positives”, befuddles with their UI, support team does not pick up the phone and only sends you bills).

However, you – the security manager – are friends with the network team at your organization, while the desktop team hates your guts. They’d rather the organization be hacked, because they want you to be fired as a result. They will never allow any “horrible security agents” to be installed.

Would you be able to make a sensible technology decision? I’d vote NO. You choose the network monitoring over endpoint monitoring as your first, and very likely also your last step in your detection and response strategy.

Similar frictions happen between the vulnerability assessment function (part of security) and platform teams responsible for patching. I’ve seen examples of “great vulnerability scanner + great system management tool + BAD team friction = total failure.”

So, Anton, why was this written? For two reasons:

  1. First, to warn the vendors: sometimes your technology is great, but it totally fails in the real world. Innovate, but think about real world challenges and deployments.
  2. Second, to remind the defenders to play along and seek to minimize “fighting the good guys.” Defend, but also build bridges between different groups of the good guys.


Category: detection  edr  nta  philosophy  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Let’s Go Fight IT for Logs? Agents? Taps?


  1. Dori Fisher says:

    Agree.
    I think every security vendor should add a nice feature for IT.
    Selling Infosec internally usually means that IT should get something out of it. In many of my projects, we used to incorporate IT needs and support them with a dashboard, an alert or anything we can do to make their job easier.
    Small example, in one client we added SIEM monitoring for backup logs and alerted on errors and changes to time and data backup. This saved lots for IT guys and they supported SIEM SOC.
    Dori

    • Thanks for the comment, Dori. I am sure you had your share of “we need logs – NOOOO!” battles in your time. I think “value for IT” is a decent strategy unless IT starts as hostile to infosec in the first place…
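The kind of “value for IT” rule Dori describes, written out as an added example (this is not code from the blog post, from Dori, or from any SIEM product): a small detector that runs over backup job logs and raises an alert when a job fails or when a job's scheduled start time changes. The log line format, the job names and every sample line are constructed for this example; a real backup product will have its own format, so only the regular expression would need adapting.

```python
"""
Added example: a minimal SIEM-style rule over backup job logs.
Flags (1) failed jobs, (2) changes to a job's scheduled start time,
and (3) lines the parser could not read, so silent ingest breakage
is visible too. Log format and sample lines are constructed.
"""
import re

# Constructed format:
#   "<date> <time> job=<name> status=<ok|error> sched=<HH:MM> [msg=<text>]"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"job=(?P<job>\S+) status=(?P<status>\w+) sched=(?P<sched>\d{2}:\d{2})"
    r"(?: msg=(?P<msg>.*))?$"
)

# Constructed sample log: one failure, one schedule change, one junk line.
SAMPLE_LOG = """\
2018-10-29 02:05 job=fileserver-nightly status=ok sched=02:00
2018-10-30 02:04 job=fileserver-nightly status=ok sched=02:00
2018-10-31 02:07 job=fileserver-nightly status=error sched=02:00 msg=destination unreachable
2018-10-31 02:01 job=db-nightly status=ok sched=02:00
2018-11-01 23:02 job=db-nightly status=ok sched=23:00
not a log line at all
2018-11-01 02:03 job=fileserver-nightly status=ok sched=02:00
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Run the three rules over the log text and return a list of alert dicts in line order."""
    alerts = []
    last_sched = {}  # job name -> last scheduled start time seen
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            # Non-empty but unparseable: report it rather than drop it silently.
            if raw.strip():
                alerts.append({"rule": "unparsed", "line": lineno, "detail": raw.strip()})
            continue
        job = rec["job"]
        if rec["status"] != "ok":
            alerts.append({
                "rule": "backup_failed", "line": lineno, "job": job,
                "detail": rec.get("msg") or rec["status"],
            })
        prev = last_sched.get(job)
        if prev is not None and prev != rec["sched"]:
            alerts.append({
                "rule": "schedule_changed", "line": lineno, "job": job,
                "detail": f"{prev} -> {rec['sched']}",
            })
        last_sched[job] = rec["sched"]
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The "unparsed" rule is the part worth copying: a detection that depends on logs the security team does not collect itself should notice when the feed changes shape, because an IT-side format change or a dropped agent otherwise looks exactly like "no errors today".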

  2. Pavel Taratynov says:

    I couldn’t agree with you more. It is a general situation. That’s why networking and soft skills are so crucial for SOC/security managers. IMO, SOC building is more about management challenges, not technology.

    • Pavel, thanks for the comment. Indeed, “networking and soft skills” is ultimately the best “weapon” vs the bad guys here. If you win the good guys, then together you can win vs the bad guys…

  3. Fortune Barnard says:

    Great article as usual sir. I must point out how much time security folks spend fighting each other in bigger or global organisations. Cyber security is about risk and relationship management, and collaboration. If we don’t collaborate with each other, how are we able to collaborate with IT, and then hopefully get the data to protect the organisation?


