Friday, April 20, 2012

Wait, what? Someone has to look at those logs?

Anton Chuvakin has a good post over on the Gartner blog about security monitoring and cloud systems.  Depending on your point of view and/or experience, you may think his comments are thought provoking, or possibly obvious (this will probably depend on where you are on the cloud adoption path).  I agree with the good Dr. Chuvakin, but my recent conversations with people trying to come to grips with monitoring and log analysis have given me some contradictory insights.

Anton is correct in his mapping of visibility and coverage, and in his observations on the perspective of CSP-MSSPs (Cloud Service Provider – Managed Security Service Provider), but there is one point I have heard loudly from some people: that in spite of some MSSPs' theoretical threat intelligence and perspective advantages, they simply do not understand the businesses they serve well enough to provide enough value to justify their expense.

In my recent peer-to-peer session on What Works in Log Analysis at the RSA Conference, some participants were struggling to pull log management and analysis back in-house after outsourcing it.  Their battle was that the MSSPs never lived up to the promise of economies of scale and advanced insight into traffic anomalies, possibly due to shortcomings on the part of the MSSPs, and possibly because the advantages of scale and the “big picture” view were offset by a lack of focus on the specific circumstances of the customer.  As with many other issues in business, you (hopefully) know your situation better than anyone else.  I’m not saying that you can’t outsource SIEM, log management/analysis, or anything else for that matter; I’m just saying you need to understand the trade-offs and make sure you monitor the MSSP until you are satisfied, and then keep monitoring them.  Any effort you duplicate in monitoring the performance of your CSP-MSSP or MSSP is cheap insurance; the last thing you want to face is a surprise failure of your monitoring service and the sudden need to rebuild an in-house monitoring program.  You thought getting all that data pushed out to the MSSP was a pain; just imagine trying to get it back.