“We’ve got all the information coming in. The analytics platform is going to do useful things with that. Help us make our decisions. Help us see our entire environment - holistically, all at once, in one place. And not by logging into eight different consoles to see eight different environments… We can’t throw enough humans at the problem to solve it,” said Adrian Sanabria (@sawaba), senior security analyst for 451 Research, in our conversation at the 2015 RSA Conference in San Francisco.
Sanabria was discussing the “situational awareness platform,” which is a unifying theory for the security industry that could help address industry’s information overload problem. “We’ve got all this stuff pouring out from SIEMs, vulnerability scanners, and IDS/IPS. Let’s integrate these analytics platforms and do something with all this data.”
“Visibility is the key. I think before you do anything in security, you can’t really do the control pieces; you can’t really make big leaps if you don’t have visibility as to what’s going on in your environment. Looking at platforms that can track all the assets, tell you what’s going on and do a good job of giving you all those details without a huge team of people to pull all that stuff out,” said Sanabria. “Getting that visibility upfront first, especially on assets and software and what’s going on in the environment, that’s step one.”
Step two is tracking the threats, dealing with the threats, and incident response. The last step is automation.
“We’re copying and pasting things in and out of consoles. We’ve got APIs. We’ve got the ability to connect all these systems. We’re just not doing it,” Sanabria continued. “There are companies using DevOps out there that are really ahead of this, out of necessity. They’re not really trying to change the security industry. That’s just how their workflows work.”