Recently, I was at a customer site to discuss monitoring, correlation, and alerting. They told a tale that I have heard so many times, all I could do was sit there and nod my head sympathetically. They described a failed SIEM (Security Information and Event Management) implementation that they had recently gone through. After hearing the tale and asking several questions, I discovered that the vendor had not bothered to LISTEN to the IT staff before suggesting a SIEM product and proceeding with implementation.
They did not LISTEN to the goals of the organization or the IT staff's initiatives to support those goals. They did not LISTEN to a list of existing security controls and tools that had already been stood up and were working independently of each other. They did not LISTEN to what leadership needed to see on reports and in the way of metrics in order to feel that their money was well spent on the product. They did not LISTEN to the business objectives that IT needed to serve and meet in order to be successful. They did not LISTEN to a list of previous attacks that had been thwarted and how they were discovered and prevented.
It occurs to me that in the world of InfoSec we do a lot of fear mongering to sell products and services (not to imply that there is not a real and present danger to be aware of and to address). What we often seem to miss is the need to use our ears as a sensor to determine objectives, historical successes and failures, existing controls, and human and financial resources, so that we can choose the correct strategies and tools to provide real security and peace of mind for customers. In a defense-in-depth strategy, shouldn't our ears be one of the first controls employed?
Eddie "the Y3t1" Mize is CSO and Director of Information Security for The Pinnacle Group
He has over 31 years' experience in the computer industry as well as over 18 years' experience in information security. He is an integration and security specialist with years of experience building information security programs. He has led numerous PenTest and Red Team events for a wide variety of industries and served on Cisco's Enterprise Advisory Board for Information Security.
Eddie is a frequent security speaker on real-world information security and compliance, mobile security, red-team/penetration testing techniques, and cloud security. He is a security evangelist, podcast SME, DEFCON speaker and Staff Goon, and a "Distinguished Speaker" for the CiscoLIVE conferences. Eddie's work has been published in Network World, Pentest Magazine, and Hakin9 Magazine.