In the early history of America, there was a man named Willie Sutton who was an infamous bank robber. When he was asked why he robbed banks he sarcastically replied, “. . .because that’s where the money is.” While this answer may have been fabricated it aptly captures the choice of target. More than 70 years later the metaphor applies to how cyber criminals target corporate information stores – it’s where the money is. The difference between a high profile bank heist and the theft of millions of confidential records by cybercriminals is that there are many more points of entry further complicated by remote accessibility. Today, instead of one armed guard protecting the vault from a masked man, the maturing security industry provides many electronic sentries but not always with the same result.

The vendors who make up the enterprise information security industry have been prolific in producing technologies and products that protect data. There are products designed to protect data stored in laptops, databases, fileservers and protect data being transferred inter and intra systems, between e-enabled applications and between partner systems or wireless devices using all types of protocols. By virtually any measure the array of industry offerings have been successful in providing the advertized protection.

Building on these advancements, the businesses are able to provide wider access to applications and information to a broader audience of customers, partners, and employees utilizing a dizzying array of access methods, protocols, and devices. The information security industry has continued to grow by providing even more technologies and products. Success breeds success; the information security industry has been enabling business growth and businesses are scooping up protection as fast as it becomes available. The result of more protection is more complexity. The challenge for businesses today is managing the very complexity they’ve created by adopting more and more of the innovation that the industry serves up year over year. Following is a closer examination of three factors contributing to complexity:

First, the very infrastructure, which most enterprises now have in place to protect themselves, is growing and becoming more complex. The infrastructure generates so many ‘observations’, in the form of logs, that they are blinding the enterprise with information overload. In fact, in many organizations it would be fair to say that it is data overload. The logs generated by information security products are obscure enough to not even be informative in their original form. Compounding this problem is maxim made famous by Claude Shannon, the famous Bell Labs scientist: “The enemy knows the system”. Simply put: the ‘enemy’ activity is indistinguishable from legitimate activity – especially when examined through the perspective of a single system.

Second, government and industry regulations have added another dimension to the job of managing an already complex landscape. Varying in details and demands, many companies are subject to multiple regulations. All regulations have the same intent - to ensure that enterprises exercise due care in protection of information assets for the benefits of their customers, shareholders, employees, and in some cases critical infrastructures for national defense. However, their requirements and the audits that assess their effectiveness do vary. While some organizations have embraced the regulations to fortify internal policies and demonstrate security best practices, for most organizations compliance with the regulations has driven IT’s investment in enterprise security.

The third factor is pervasive growth in criminal activity, exacerbated by global economic turmoil.

Cutbacks resulting in disgruntled employees require increased vigilance against internal attacks and criminal attacks driven by hackers who are not otherwise “employed” are targeting small and midsize businesses which have typically weaker defenses. The Consumer Sentinel Network Report published by the Federal Trade Commission on February 26, 2009 shows that from 2000 to 2008 the number of fraud cases has gone up by a factor of six, and the ID theft number has increased tenfold. This is only one of several reports that confirm criminal activity is growing.

A related, but different, result of the economic downturn is the tightening of IT budgets. While most companies report ‘no change’ in security budgets, the spending is a trickle versus a wave as companies wait for economic improvement to spend the budget. This is compounded by the fact that new program/product budgets may be intact but the staff that would implement the new programs or products has been cut, or at best not expanded. This translates into delaying the implementation of critical programs or technology, because there is no headcount to implement them. On the other hand, every in-place resource is doing more work and must rely on technology to fill the productivity gap. So at a time when risk is increasing, capable resources are decreasing making the mandate to protect and defend even more complex.

The industry has responded to the complexity, introduced by these three factors, with technology improvements that have evolved from simple consolidation to proactive discovery and analysis. Consolidation of data provides value in and of itself. It takes the form of a repository which can be used for real-time or historical review of individual events. Log management products, as an example, facilitate building this repository for reviewing past activity. Log management by itself achieves a minimal level of compliance with regulations. Consolidation of logs improves operational efficiency by reducing the time it takes an analyst to physically gather data from different systems in order to determine what happened.

Another improvement that has simplified the complexity is the ability to transform millions of unintelligible logs into security events and then manage events to further improve understanding and accelerate investigations. The automated parsing, aggregation, and correlation capabilities, found in subsequent products, offer insight into patterns of activity. Patterns emerge from the observations of multiple security products which uncover multiple instances of the same activity and repeated actors in different activities. By reducing the effort required for review and understanding, users achieve a higher level of compliance with regulations and with the bonus of reduced cost. Operational efficiency also improves as enterprises rely more on automated tasks to respond to audits and protect assets.

These technologies have continued to mature. Referred to as fully capable security information and event management products, the outcomes enable comparison of the real-time activity to past trends to identify new patterns or anomalies that deserve investigation and to identify activity that violate specified policies. Policy violations are particularly actionable because the actors and the targets are clearly defined as is the mitigation or remediation response. The policies are generally defined by enterprise the GRC (Governance Risk and Compliance) committee and implemented as controls on information systems.

Because of these advancements, any enterprise can derive benefit from selecting and deploying this type of technology at one of the three tiers of maturity described here. Ideally, organizations would choose products that align with the maturity and capability of the organization and the evolution of their management processes.

The information assets that we are all trying to protect are not obvious, like Willie Sutton’s stacks of cash or coins secured in one obvious vault. Because we can’t always “see” the assets they are harder to steal and in some ways harder to protect. However, there is a universal maxim in the information security industry: security through obscurity is no security at all. The more obscure the assets are the greater the effort to compromise the system; the greater the effort to compromise the system the more electronic footprints there are for us to track and process. Given enough time the obscurity of the asset is not going to provide any protection from a persistent effort. Because of technology advancements, the ubiquitous footprints have less chance in reaching the target. We may have limited ability to curb complexity, but technology continues to simplify and improve management results.

Sunil Bhargava is CTO of Intellitactics, Inc. based in Reston, VA. Intellitactics is a leading provider of Security Information and Event Management (SIEM) software and Log and Event management appliances marketed as SAFE. To read more from Sunil please visit www.enterprisesecurityblog.com.