The sentence is simple: get all the security solutions to work with each other. So how do different-sized firms deal with that directive?
At the small company, the good news may be that there are only one or two solutions to work with. The bad news may be that they’re small business solutions that don’t have full enterprise features for integrating with anything. The bad news may also be that the IT person at that small business is either a visiting consultant or someone who handles all the IT, from the production line systems on up to ordering replacement RAM for company laptops. Basically, someone who doesn’t have 100% attention on security.
But let’s say that the small business IT person wants to do the right thing and be serious about security. She’s got an antivirus program for the PCs and a firewall for the Internet connection. She could stare at firewall logs all day long, or maybe she could spin up a syslog server. That sounds like it would be both a fun project and have a big payoff at the end of the work.
Unless she’s unfamiliar with Linux. Because that’s where the free syslog servers live. Linux is not an intuitive sort of thing, and learning it can be a difficult and frustrating experience. Chances are, if this IT person is dedicated enough to get into Linux, she may have moved on to a better opportunity by the time she knows enough to start up a Graylog server.
Now, if she’s staying with the small company out of sheer loyalty (maybe a family member or other dearly loved one is running the company), she’s got to learn how to do Graylog after that bout with Linux. Once that task is done, she can turn on logging on that firewall and create some rules in Graylog to alert her on specific rule violations or when there are multiple violations of the same rule from a single host…
… and then come back the next day to see her inbox swamped with alerts from the syslog server. Now she’s in the final phase of implementation, tuning the alert frequency. After that, she’s still faced with manually inspecting the devices that are generating the most alerts, because that antivirus solution at the small firm doesn’t have any monitoring tools to go with it.
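As an added illustration (not part of the original post, and not Graylog’s own rule syntax), here is the shape of the alerting logic she ends up with after tuning: repeated hits on the same firewall rule from one source within a short window raise a single alert, a cooldown keeps that host from swamping the inbox, and a per-host tally shows which machines to go inspect by hand. The log line layout and every sample line are constructed for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall syslog lines for the example (not from any real device).
SAMPLE_LOGS = [
    "2024-05-01T09:00:01 fw1 kernel: DENY rule=block-smb src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-05-01T09:00:05 fw1 kernel: DENY rule=block-smb src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-05-01T09:00:09 fw1 kernel: DENY rule=block-smb src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-05-01T09:00:12 fw1 kernel: DENY rule=block-smb src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-05-01T09:00:20 fw1 kernel: DENY rule=block-telnet src=10.0.0.7 dst=203.0.113.10 dport=23",
    "2024-05-01T09:20:00 fw1 kernel: DENY rule=block-smb src=10.0.0.5 dst=203.0.113.9 dport=445",
]

# Assumed line layout: ISO timestamp, host, process, then DENY with key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ \S+ DENY rule=(?P<rule>\S+) src=(?P<src>\S+)")

def parse(line):
    """Return (timestamp, rule, src) for a DENY line, or None for anything else."""
    m = LINE_RE.match(line)
    return (datetime.fromisoformat(m["ts"]), m["rule"], m["src"]) if m else None

def alerts_for(lines, threshold=3, window_s=60, cooldown_s=600):
    """Alert when one source trips the same rule `threshold` times within `window_s` seconds,
    then stay quiet for that (src, rule) pair for `cooldown_s` seconds.
    threshold=1 with cooldown_s=0 reproduces the untuned alert-on-everything behaviour."""
    window, cooldown = timedelta(seconds=window_s), timedelta(seconds=cooldown_s)
    recent, last_alert, alerts = defaultdict(deque), {}, []  # recent: (src, rule) -> timestamps
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, rule, src = parsed
        key = (src, rule)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            last = last_alert.get(key)
            if last is None or ts - last >= cooldown:  # suppress repeats during cooldown
                last_alert[key] = ts
                alerts.append((ts.isoformat(), src, rule, len(q)))
    return alerts

def noisiest_hosts(lines):
    """Deny count per source host, highest first: the list used to pick machines to inspect."""
    return Counter(p[2] for p in map(parse, lines) if p).most_common()
```

On the sample lines the untuned settings produce one alert per packet (six), while the tuned defaults collapse the same traffic into a single alert for 10.0.0.5 on block-smb.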
By now, she is master of the firewall, syslog, a fair amount of Linux, and how to find great deals on copier paper and toner. Not wanting to develop her copier paper ordering skills any further, it is quite likely she’s ready to rationalize away whatever loyalty she has and move on to the next opportunity.
And that’s the final obstacle for security solution integration at small companies. Quite frequently, they can’t pay enough to keep motivated, skilled professionals on the payroll. They’ll either have to deal with unmotivated IT people that really don’t care to stretch their skills or turn to a firm that will place someone onsite 2 or 3 times a week to check on how things are going there. If the previous person set up an alerting system, they’ll use it. Maybe. But they sure aren’t going to build one out. That’s work well above their pay grade.
So we follow our IT pro to a medium-sized company. Here, she’s no longer a department of one. For sure, she’s no longer dealing with renewing licensing for everybody’s softphones. She’s the security person, alongside the network person, the sysadmin, the phone guy, the 3 techs that do operations, and the wireless person. Not bad, am I right? She can specialize now, no question about it.
Well, maybe there are a few questions about it…
For example, this medium-sized company has an AV system, an IPS here and there, a perimeter firewall and a datacenter firewall (different vendors, to boot!), a syslog server that is running at the very limits of the “free” offering from its vendor, a proxy server, and security is also in charge of the IPAM and PAM systems. There’s a good chance that our IT pro may not have heard of either IPAM or PAM and may even make the mistake of thinking they’re the same thing. But she’s on top of things and learns the difference between IP Address Management and Privileged Account Management, and all seems well, except for the fact that she has to ramp up on 6 different technologies. There won’t be any integration until that happens.
As she’s ramping up on those techs, she’s also responsible for supporting them. That means lots of explaining to users and developers why this security system or that one isn’t interfering with their application’s performance. She even posts this image in her cubicle and points to it as she sees a user or developer walk up:
(On a personal note, I’ve used that image. It has yet to prove my case to a developer out of hand, but it does help to set the tone of the discussion to encourage the dev to look for other reasons why the app isn’t working.)
While that helps with the firewall questions (see my personal note), it does nothing for the constant requests to exempt websites from the proxy filter. She’s barely got enough time to read product documentation, so when is she going to find time to integrate those solutions?
Moreover, how does she go about automating actions between the systems? It’s not like the firewall is built to take direct input from the proxy server. The syslog server seems to be the logical choice as a clearing house of information, but how can it be configured to send commands to one system or another based upon logging info that’s coming in from another source?
It’s possible that the security systems have an API that can allow commands to be sent to them. It’s also quite possible that the systems *don’t* have an API, or that the API is such that the syslog system can’t send commands to it. Even if the API is one that the syslog server can interact with, our IT pro would then have to learn how to write code. If she’s lucky, she can borrow a developer for a day or three to help with the project. If not, then she’s got a steep learning curve ahead of her if she’s never really done programming before.
But there’s also a fair chance that she won’t have to do all this alone. It’s entirely possible that the medium-sized firm has enough wherewithal to contract professional services from a vendor. If that can be done, then she can stay focused on her day-to-day work while the vendor’s pro serv person hacks out the code and does a knowledge transfer at the end of the engagement.
Now, I need to make a disclaimer here because I am part of a professional services team for a vendor. While someone could accuse me of wanting to feather my own nest, the truth is that, as a customer, I have benefited greatly from vendor professional services. They are definitely worth looking at.
The pro serv route is also available at the large company level. If we have our IT pro start a career at a large firm, she’s going to find that she can specialize more in the technologies she works with each day. This means that, while she gains a deeper knowledge of just 2 or 3 systems, she’s also no longer connected to *all* the systems. Other people on her team, possibly even other teams entirely, will handle those systems. Integration now means not just mastering the technology, but mastering the political considerations that go with cross-team projects. Will the integration mean one team or the other takes over a technology? If both teams manage the system, which managers are responsible for which functions?
One of the stickiest questions is: will we wind up stretching one product to fill a role that is actually better suited to another product? Added to that one would be: which systems does it make sense to integrate with which other systems? Both of these questions deal with lines of demarcation, where one system ends and another begins. For example, at what point does the antivirus protection end and the vulnerability scanner responsibility begin? Which has priority over web traffic, the data exfiltration protection or the proxy server?
While any integration at the small or medium-sized company was done pretty much as a solo or very small group effort, the large company integration could very well be impossible without a multidisciplinary product team, with an oversight committee made up of about a dozen operational and service-line managers.
Like I said, “get all the security solutions to work with each other” is easy to say. Getting progress on that task means understanding the obstacles and then figuring out how to clear them out of the path.