“If wishes were trees, the trees would be falling…” - R.E.M., Stand

You know some variant of the rest of the saying: “…in the forest, would anyone hear it?” I could quickly turn this into a metaphor for continuous monitoring of critical systems. If a security incident happens, would anyone detect it?
Situational Awareness: Seeing the Forest for the Trees
How many trees do you need to monitor, all of them or just the critical and high-risk trees? How do you define the perimeter of the forest? Is there even a fixed perimeter, or does it change seasonally and continue to grow over time? Don’t forget to monitor the skies and the earth for risks. Let’s not forget network flows, as the trails and paths through the woods continually change. Do you have enough Ents on staff, and are they agile, or do they take too long to act?
Security Event and Incident Management: Sustainable Logging
When a tree has fallen, we all know there is a log somewhere. But do you know what to look for when reviewing those logs? Take a good look at the noisy photograph accompanying this post. There is part of an old rotting tree log in the foreground and a fallen tree in the background. But did you notice the new tree growth coming from the old tree stump still connected to the ground? Is that growth the system renewing itself, or is it a malicious replacement of the fallen tree? Let’s not forget that old, forgotten, rotting log in the foreground; is it a necessary part of the system, or is it just there adding noise to your log review process?
We may never be able to stop every tree from falling, but we should know and understand the forests that we guard, be able to identify critical changes, and detect and respond to security incidents. If a tree falls, someone should detect and review the event.
While the metaphor could go on, I will leave us standing here in the forest. As long as there are gaps in the tree line, we are not out of the cyber woods.
“Now stand in the place where you work…Wonder why you haven’t before” - R.E.M., Stand