Playing Fantasy CSO to Win

June 28, 2006

Being a CSO is rather like being a soccer manager. Both have to make the best use of limited resources to deliver the results demanded of them. A CSO has only a limited headcount, budget and IT resources available, yet has to manage all of these strategically and squeeze out the best value – irrespective of conditions or external factors.

At first glance, a soccer manager seems to have many more resources at his disposal, from the players to coaching staff, assistants and luxuries such as in-depth TV and video analysis of games.

So what does a CSO have to help manage his company’s security? Staff, certainly. The IT team will also have a range of management consoles from the company’s various security products to give a snapshot of current security events. But there are still some elements missing.

In a soccer game a player that’s nursing an injury or is tired is easy to spot – but similar vulnerabilities are not as easy to see in complex corporate networks. This means CSOs and their teams may not easily see threats to security emerging, nor be able to react to them accurately in real time.

In the stands or pitchside?

Why is this? Often, it’s because CSOs and their teams don’t have the ability to get an overall view of security events as they happen, or of their network’s security status. A soccer manager can go up into the stands for a bird’s eye view of the action, or be on the touchline to be closer to the game. But in IT security you don’t always have the luxury of an overarching view of events as they unfold.

What’s more, unlike a soccer game, you may not have the benefit of in-depth match analyses and post-mortems, to see what happened and what could be improved during a security “game”.

But there is a way for CSOs to gain the resources available to the Scolaris, Erikssons and Klinsmanns and to build their fantasy security team. It is Core Security Event Management (CSEM), which grew out of the drive to unify network management but is focused specifically on information security.

The core of the game

So how does CSEM help? First, the CSEM solution links to core business systems to give an overall view of network activity, reporting on any change to core assets, whether applications, servers, desktops, notebooks or PDAs.

By doing this, it adds value to an enterprise’s existing security products, integrating their management consoles and reporting formats to simplify control, improve visibility and shorten response times. By filtering, prioritising and correlating the event and log traffic generated by multiple systems, it cuts the volume that reaches an analyst, typically by a factor of 1,000 or more, so CSOs and their teams get a less cluttered view of what is happening on and around their networks. It can also overlay multiple logs and data streams to give IT staff a single-console view of critical security events, and it integrates with asset management systems and similar tools.

This ‘aerial view’ can identify irregular activities or attempted attacks that are otherwise invisible, provided the underlying logs are collected completely and the clocks of the systems producing them are synchronised, since correlation depends on ordering events from different sources correctly. And this view is built around the behaviour of core business systems, not just security products, which puts alerts into context, links security and business data, and accelerates response and remediation.

Here’s how CSEM can help CSOs get their fantasy IT and security team, and ensure they get the best effort and return from all resources.

Team selection

CSOs need to be able to work out how important each part of their overall security make-up and IT team is, just as a soccer manager has to choose his squad. It is a tricky balance between risk and reward. Any football manager would kill to have talents like Wayne Rooney, Figo or Ronaldinho at their disposal, but these are high-risk players, with the potential to pick up injuries or have off-form days. So it is important to balance them with perhaps less talented but more dependable players, somewhat like choosing between a mix of best-of-breed solutions and integrated, single-vendor solutions.

With CSEM, CSOs can see which team members are delivering the value, and report directly on that contribution under different circumstances. They can also focus on areas of weakness, whether in security, that is, software that needs patching or updating, or in security policies and processes that need tightening.

Reaction & substitution

Soccer managers can react to changes in the game and in players’ performances by changing formation or making substitutions. CSEM links to internal and external resources that document known vulnerabilities and exploits, and helps IT staff deliver the best response through an embedded incident handling and resolution system, so CSOs can do the same with security.

They can identify anomalies such as abnormal user behaviour or unauthorised access to information and change formation to react. If a security control is bypassed or compromised, the security formation can be changed: policies amended, security profiles adjusted, and other controls brought forward to compensate.

Even esoteric, complex violations of security processes can be spotted through this type of correlation – making the IT equivalent of the offside rule both easy to spot and understand!
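The three stages described under “The core of the game” (filtering, correlating and prioritising multi-source logs against an asset inventory) and the anomaly spotting just above, as an added example. This is not code from the article or from any CSEM product: the firewall and sshd log lines, the asset inventory, the failure threshold, the correlation window and the severity mapping are all constructed assumptions for illustration. It normalises two log formats into one event shape, drops routine traffic, looks for repeated failed logins followed by a success from the same source, and ranks what survives by the business criticality of the target asset.

```python
"""Toy security-event correlator: filter, correlate, prioritise.
Added example, not the article's or any product's code; all data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs from two products (not real captures).
FIREWALL_LOG = """\
2006-06-28T09:00:01 fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=22
2006-06-28T09:00:02 fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=22
2006-06-28T09:00:03 fw01 ALLOW src=203.0.113.9 dst=10.0.0.5 dport=22
2006-06-28T09:00:04 fw01 ALLOW src=10.0.0.20 dst=10.0.0.5 dport=443
"""
AUTH_LOG = """\
2006-06-28T09:00:05 srv05 sshd: Failed password for root from 203.0.113.9
2006-06-28T09:00:06 srv05 sshd: Failed password for root from 203.0.113.9
2006-06-28T09:00:07 srv05 sshd: Failed password for root from 203.0.113.9
2006-06-28T09:00:09 srv05 sshd: Accepted password for root from 203.0.113.9
2006-06-28T09:01:00 ws20 sshd: Accepted password for alice from 10.0.0.20
"""
# Assumed asset-management export: hostname -> address and business criticality.
ASSETS = {
    "srv05": {"ip": "10.0.0.5", "criticality": "critical"},
    "ws20": {"ip": "10.0.0.20", "criticality": "low"},
}
IP_TO_HOST = {a["ip"]: h for h, a in ASSETS.items()}

FW_RE = re.compile(r"^(\S+) \S+ (DENY|ALLOW) src=(\S+) dst=(\S+) dport=\d+$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str      # asset the event concerns, resolved to a hostname where possible
    src_ip: str    # remote address involved
    kind: str      # normalised verb: deny, allow, auth_fail, auth_ok
    user: str = ""


@dataclass
class Alert:
    host: str
    src_ip: str
    severity: str
    summary: str


def parse_firewall(text):
    """Normalise firewall lines; the destination IP is mapped to an asset name."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:  # unparsable lines are skipped; a real collector would count them
            ts, action, src, dst = m.groups()
            events.append(Event(datetime.fromisoformat(ts), IP_TO_HOST.get(dst, dst), src, action.lower()))
    return events


def parse_auth(text):
    """Normalise sshd lines into the same Event shape as the firewall."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append(Event(datetime.fromisoformat(ts), host, src,
                                "auth_fail" if result == "Failed" else "auth_ok", user))
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Flag >= threshold failed logins from one source to one host followed by a
    success from the same source inside the window; rank by asset criticality."""
    # Stage 1, filtering: routine ALLOW traffic is dropped. DENYs are not alerts by
    # themselves but are kept as context for a later success from the same source.
    kept = sorted((e for e in events if e.kind != "allow"), key=lambda e: e.ts)
    alerts = []
    for e in kept:
        if e.kind != "auth_ok":
            continue
        # Stage 2, correlation: look back over the window for the same (host, source) pair.
        prior = [p for p in kept if p.host == e.host and p.src_ip == e.src_ip
                 and e.ts - window <= p.ts < e.ts]
        fails = sum(p.kind == "auth_fail" for p in prior)
        denies = sum(p.kind == "deny" for p in prior)
        if fails < threshold:
            continue
        # Stage 3, prioritisation: what the asset is worth to the business sets severity.
        crit = ASSETS.get(e.host, {}).get("criticality", "unknown")
        severity = {"critical": "high", "high": "high", "medium": "medium"}.get(crit, "low")
        alerts.append(Alert(e.host, e.src_ip, severity,
                            f"{fails} failed logins then success for {e.user} from {e.src_ip} "
                            f"on {e.host} ({crit} asset, {denies} earlier firewall denies)"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: rank[a.severity])


def run():
    """Return (raw event count, prioritised alerts) for the constructed logs."""
    events = parse_firewall(FIREWALL_LOG) + parse_auth(AUTH_LOG)
    return len(events), correlate(events)


if __name__ == "__main__":
    raw, alerts = run()
    print(f"{raw} raw events -> {len(alerts)} alert(s)")
    for a in alerts:
        print(f"[{a.severity}] {a.summary}")
```

Nine raw events from two products collapse into one alert, and the alert carries the asset’s criticality and the earlier firewall denies as context, which is the difference between a log line and something an on-call engineer can act on. The window and threshold are where the tuning effort goes in practice: too tight and the brute-force-then-success pattern is missed; too loose and ordinary mistyped passwords page people at night.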

Training and tactics

The CSO, like the soccer manager, has to get the best from his players within the rules of the game. In both cases training helps: on the training ground in soccer, and through training and certification in security. CSEM gives the ability to define and enforce security rules and policies, and to verify that they are actually being adhered to.

Replay & post match analysis

Speaking of rules, CSEM puts the CSO on an equal footing with the soccer manager. Just like on TV, the CSO can have instant replays available on unusual security events, backed by forensic and audit-level log archives, helping to ensure that responses to emerging security events are accurate. For a replay to carry forensic weight the archive has to be complete and tamper-evident, which in practice means write-once storage or signed log batches rather than logs that the compromised system itself could have altered.

What’s more, CSEM gives the luxury of changing the game based upon the findings of the analysis, either during the event or afterward. The CSO can define a range of security profiles for all systems, with progressively higher levels of security – much like a “yellow alert” or “red alert” status – so if any security issues emerge, the appropriate security profile can be implemented to suit conditions.

In conclusion, CSEM gives CSOs the tools they need to assess the real value of their security processes and policies, and enhance overall ROI on security infrastructure and investments by adapting the rules to suit the game. Now how many soccer managers would love to be able to change the rules of the game to suit them?
