About Me

My photo
Scott Arnett is an Information Technology & Security Professional Executive with over 30 years experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Tuesday, October 19, 2010

Change Management

I read an interesting article this past week on how some of the IT "Leaders" are saying ITIL has seen the prime is on a dowward spiral.  Really?  The organizations that have embraced ITIL and found value - probably would not agree.  Yes, there are those organizations that took on ITIL and failed - but that was the approach, not the methodology nor the value it brings when done properly. 

I have talked a few times on my blog about Change Management.  If you do any ITIL - start and maintain Change Management. If you don't track your changes, then your incident response has to include finding out what changed - right?  Having a managed and structure environment really ensures your environment can quickly respond in the event something happens.  Planned or unplanned - have documentation. 

Change Management:
  • Want to manage risks to the organization
  • Reduce risk to a level acceptable to management
  • Need to also enable the organization by quickly responding to changes
  • Need to design the process accordingly
  • Have a solid process
Have a great change advisory board, have full participation and do it right!  Check back again this week for my thoughts on Emergency Change.

Scott Arnett
scott.arnett@charter.net


 
Posted by at No comments:

Tuesday, October 5, 2010

Cisco MARS: Worth the price?

Looking for that enterprise wide management tool for your network hardware?  Think Cisco MARS is the answer?  In November of 2009, Cisco Systems Inc. announced that its MARS security information and event management (SIEM) product would no longer support integration with third-party products. As such, should enterprises still consider MARS when looking at SIEM products, or is the vendor lock-in too high a price to pay?

What value does MARS bring now that other tools can't?  I remember looking at MARS product in early 2000, it fell short of expectations then, where is it now?  First, a little background: What is MARS? Quoting from Cisco's Frequently Asked Questions (FAQ), the vendor's Security Monitoring, Analysis and Response System, or MARS for short, is an "appliance-based, all-inclusive solution that allows network and security administration to monitor, identify, isolate and counter security threats." Basically, MARS is Cisco's attempt at a unified security monitoring and mitigation platform that allows the appliances within Cisco's security product portfolio to interact with each other and effectively address security threats in a timely manner (sometimes in real time).

Cisco MARS belongs to a family of products that has its roots in log management. A traditional log management platform attempts to provide a central repository for collecting events from servers, firewalls, switches, routers and even Web services. Most log management platforms come with a pretty robust parsing engine with some ability to trigger alerts on preset search signatures. These search signatures are highly customizable, providing extensive regular expression matching. To give you an example, search signatures could be set up to trigger alerts when accounts are created or deleted on systems, device configurations are modified or system failures take place, among others. This provides a pretty effective way to track down system or security events. These platforms also come with preconfigured alert packages that help organizations address compliance requirements like PCI DSS.  Wait a minute - doesn't it let me configure switches or do a mass IOS update?

How is MARS different? MARS is a SIEM product, and, like other SIEM products, it offers baseline log management features and extends to provide intelligent threat analysis and threat mitigation capabilities on security events received from a wide variety of sources. It might be easier to understand where MARS fits into the enterprise by running through an example. Since a Cisco product is our focus, I have kept this example Cisco-centric.

Let's say Company A likes to stay informed on the latest security threats and has a robust security infrastructure to provide it visibility into various parts of its network. Company A has deployed a firewall with an inline intrusion prevention (IPS) module, and has also deployed a Web security gateway to provide traditional URL and reputation filtering with malware intelligence. This architecture is augmented by an endpoint security product that combines a host-based IPS with acceptable use policy enforcement and traditional antivirus protection. To disallow unauthorized systems from connecting to its network, the company also employs a network access control (NAC) system. Finally, Company A also hosts an ecommerce platform at a service provider.  But what about my non-Cisco UTM products I have at the edge?

As you can see, Company A likes to keep on top of security with point products addressing security at multiple levels. But having all these point products makes it difficult -- if not impossible -- to manage, monitor and mitigate security risks in a timely manner. In other words, Company A has rightly implemented a multi-layered security strategy, but the effectiveness and timeliness of its risk mitigation capabilities would be compromised by the sheer number of devices providing information. But by adding a SIEM product to the mix, Company A can use intelligent correlation to take the alerts and data from each of the point products that the company has in place, aggregate and normalize them to remove repeat entries (damping), and then apply built-in security rules to identify threats and effectively mitigate them. The last action -- the actual application of the rules -- is the most critical step to successfully identifying a security threat.

Now that we've discussed the security function that SIEM tools like Cisco's MARS provide, the question emerges: How crucial is third-party interoperability? The answer: very. As the point of SIEM technologies is to be able to correlate data from a variety of sources, a SIEM's inability to talk to some or any of those sources renders it marginally useful at best, and marginally useful is not reason enough to spend a significant amount of money on a SIEM. 

Given the change in Cisco direction on the product, and that most enterprises are not Cisco 100%, it is no longer a good fit, nor for the money.  I can think of better products that are enterprise wide and bring in all my vendor products and give me a holistic view.  Sorry Cisco - you missed the boat on this one!

Scott Arnett
scott.arnett@charter.net
Posted by at No comments:
Subscribe to: Posts (Atom)