We have officially dubbed 2014 “The Year of the Security Breach.” We rang in the year with the Target news, watched the autumn leaves change during the JP Morgan breach, and did our Christmas shopping amidst the bizarre and often amusing Sony hack.
In 2015, protecting our data has become part of our collective zeitgeist. The modern IT professional is part Indiana Jones, part General Patton … protecting us from enemies both known and unknown. As in any time of heightened danger, the tools and tactics we use to protect ourselves must change and adapt.
As we look towards 2015, we at AccelOps challenge the current state of security and monitoring tools. We’ve identified several key “must-haves” for the modern CIO to protect their data in today’s environment. We’ll address each of them in a daily blog.
Here goes the first one: CIO Resolution #1: Cross-correlate data to get to root causes faster
Problem: Tool sprawl
IT teams often solve point problems with point solutions as they deliver new business services. That behavior causes tool sprawl that ultimately leads to inefficient security and performance monitoring — or worse — poor decision-making.
The main problem with running multiple redundant tools is that you can’t correlate what’s happening across the different data streams to understand the root cause of the problem. For example: one tool shows a CPU spike to 95% on a domain controller… another displays a security event showing an abnormally high number of logins from Ukraine… and a third alert from a config file confirms a firewall rule was changed.
Using three different monitoring tools is a recipe for poor execution. Any one of those pieces of data in isolation is notable but not actionable. When you correlate all three and apply complex event processing to the result you say, “Whoa, we’ve got an issue here. We’re under attack.” AccelOps eliminates tool sprawl to improve root cause analysis.
Solution: Cross-correlate your data to get to root causes faster
AccelOps aggregates your data – events, logs, and config files – then correlates and normalizes it in one central repository. We enrich it with metadata to provide context, then process it against more than 300 security, performance, and availability rules in system memory before writing sanitized, actionable information to disk.
Taking the example above, when the AccelOps rules engine sees a CPU spike, then an event showing an abnormally high number of logins from Ukraine, followed closely by modifications to a firewall rule, a notification is triggered because that pattern of concurrent activity is suspicious.
Rather than getting inundated with alerts from separate tools, you receive actionable alerts that let you know there is an important breach or something that requires attention. All rules and alerts are configurable so you’re only alerted when issues you consider important occur.
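As an added illustration (not AccelOps’ own rule syntax or code), the following Python sketch shows the correlation idea from the example above: events from three separate tools are normalized into one stream, and the alert fires only when a CPU spike on a domain controller, a login burst and a firewall rule change all fall inside one time window. The window length, the login threshold, the field names and the sample events are all constructed assumptions.

```python
"""Sliding-window correlation of three independent monitoring signals.

Added example, not AccelOps code. Each signal alone is notable but not
actionable; the alert fires only when all three land in the same window.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # assumed correlation window
LOGIN_THRESHOLD = 50             # assumed "abnormally high" login count

# Constructed sample events from three tools, already normalized to
# (timestamp, source tool, event type, attributes).
EVENTS = [
    ("2015-01-05 09:01:00", "perfmon", "cpu_spike", {"host": "dc01", "cpu": 95}),
    ("2015-01-05 09:03:00", "siem", "login_burst", {"host": "dc01", "geo": "UA", "count": 120}),
    ("2015-01-05 09:07:00", "config_audit", "fw_rule_change", {"host": "fw01", "rule": "allow-any-3389"}),
    ("2015-01-05 14:00:00", "perfmon", "cpu_spike", {"host": "dc01", "cpu": 97}),  # isolated spike
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def correlate(events, window=WINDOW, login_threshold=LOGIN_THRESHOLD):
    """Return one alert per cpu_spike that is followed, within `window`,
    by a login burst over threshold AND a firewall rule change."""
    events = sorted(events, key=lambda e: parse(e[0]))
    alerts = []
    for i, (ts, _src, etype, attrs) in enumerate(events):
        if etype != "cpu_spike":
            continue
        start = parse(ts)
        seen = {}
        for ts2, _src2, etype2, attrs2 in events[i + 1:]:
            if parse(ts2) - start > window:
                break  # events are sorted, so nothing later can qualify
            if etype2 == "login_burst" and attrs2.get("count", 0) >= login_threshold:
                seen["login_burst"] = attrs2
            elif etype2 == "fw_rule_change":
                seen["fw_rule_change"] = attrs2
        if all(k in seen for k in ("login_burst", "fw_rule_change")):
            alerts.append({
                "host": attrs["host"],
                "window_start": ts,
                "geo": seen["login_burst"]["geo"],
                "rule": seen["fw_rule_change"]["rule"],
            })
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT: correlated activity requires attention", alert)
```

The lone 14:00 CPU spike produces nothing, which is the point: the same spike inside the 09:00 window is part of a single actionable alert.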
Tomorrow we’ll discuss CIO Resolution #2: Use an Integrated Monitoring and Security Platform.