Two activities still partitioned
The supervision and steering of system security are today still separated from the supervision of information system performance and availability. There are several reasons for this partitioning. Historically, performance monitoring is a long-standing activity under the responsibility of operations teams. Security steering appeared far more recently and started inside teams of security experts and consultants who were not involved in the day-to-day operation of the equipment estates and networks. Partitioning (segregation of duties) is a pervasive principle in safety, which also contributed to separating these two activities. Finally, SIEMs were originally developed by specialized security companies that had no skills in performance and operations monitoring, which further reinforced the partitioning.
The benefits of convergence
Many arguments push in favor of a reconciliation of these two activities:
- Whether a failure is caused by an intrusion or by a malfunction, the consequences for the company are the same. In practice, it is sometimes difficult to tell a malicious act from an unintended incident at the time it is observed. Since both activities supervise the same effects, it is incoherent to keep them partitioned.
- Both activities use very similar concepts: supervision, correlation, alert or alarm management, workflow, etc.
- They also share many tools: inventory management, download tools, knowledge base, etc.
- Part of the information about the system is also used by both activities: inventory details, equipment criticality, network topology, log collection, network traffic analysis, etc.
- Because processing has not been converged, each network device currently holds duplicate information that is queried or managed separately by both activities.
- The performance monitoring activity has a longstanding and reliable expertise from which security oversight could benefit greatly.
- The most expensive item in supervision remains human resources. In times of tight budgets, it makes little sense to duplicate teams for the non-expert part of the work (level 1 supervision and operation).
Based on these findings, and supported by its field experience, CS proposes converging security and performance supervision.
For this, CS relies on the two flagship tools of its Supervision product line:
- Prelude SIEM for security supervision
- Vigilo NMS for performance supervision
The expected benefits are:
- Rationalization of license costs, with attractive pooled offers,
- Rationalization of operating costs through shared modules and the opportunity to pool level 1 teams,
- Improved efficiency of the whole system: by rationalizing tools and methods jointly, overall operating costs go down while efficiency goes up. Information about the whole system is directly available to contextualize incidents, interpretation errors become far less likely, the complete processing chain is better controlled, etc.
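The contextualization benefit above is easiest to see on data. The script below is an added illustration and is not CS, Prelude SIEM or Vigilo NMS code: it takes a shared asset inventory (host criticality), a list of SIEM security alerts and a list of NMS availability/performance events, all constructed for the example with assumed field names, and enriches each security alert with the asset's criticality and with the NMS events seen on the same host within a time window. A security alert that coincides with an outage on a critical host is ranked first, and an alert on a host absent from the inventory is flagged rather than silently treated as low priority.

```python
"""Correlate SIEM security alerts with NMS availability events over a shared inventory.

Added example for the convergence argument above; not code from CS, Prelude or Vigilo.
Event formats, field names and all sample data below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int  # 1 (low) .. 4 (critical), from the shared inventory (assumed scale)


@dataclass(frozen=True)
class Event:
    source: str       # "siem" or "nms"
    host: str
    time: datetime
    kind: str         # e.g. "ssh_bruteforce", "host_down", "cpu_high"


# Constructed shared inventory: the one list both supervision activities consult.
INVENTORY = {
    "db01": Asset("db01", 4),      # production database, critical
    "ws17": Asset("ws17", 1),      # user workstation
    "core-sw1": Asset("core-sw1", 3),
}

# Constructed SIEM alerts (security supervision).
SIEM_EVENTS = [
    Event("siem", "db01", datetime(2024, 5, 1, 9, 0), "ssh_bruteforce"),
    Event("siem", "ws17", datetime(2024, 5, 1, 9, 30), "malware_alert"),
    Event("siem", "guest-pc", datetime(2024, 5, 1, 10, 0), "ssh_bruteforce"),  # not in inventory
]

# Constructed NMS events (performance/availability supervision).
NMS_EVENTS = [
    Event("nms", "db01", datetime(2024, 5, 1, 9, 4), "host_down"),      # 4 min after the brute force
    Event("nms", "core-sw1", datetime(2024, 5, 1, 9, 2), "link_flap"),  # other host, not related here
    Event("nms", "ws17", datetime(2024, 5, 1, 11, 0), "cpu_high"),      # outside the window for ws17
]


def contextualize(siem_events, nms_events, inventory, window=timedelta(minutes=10)):
    """Enrich each SIEM alert with inventory criticality and NMS events on the same host
    within +/- window. Returns incidents sorted by descending priority.

    priority = criticality, doubled when an availability/performance event coincides:
    a security alert that matches a visible outage deserves a human look first, since
    that is exactly the case where malicious act and malfunction are hard to tell apart.
    """
    incidents = []
    for alert in siem_events:
        asset = inventory.get(alert.host)
        related = sorted(
            (n for n in nms_events
             if n.host == alert.host and abs(n.time - alert.time) <= window),
            key=lambda n: n.time,
        )
        criticality = asset.criticality if asset else 1
        incidents.append({
            "host": alert.host,
            "time": alert.time,
            "security_event": alert.kind,
            "criticality": criticality,
            "unknown_asset": asset is None,   # inventory gap: flag it, do not hide it
            "related_nms": [n.kind for n in related],
            "priority": criticality * (2 if related else 1),
        })
    # sort is stable, so equal priorities keep chronological order
    incidents.sort(key=lambda i: i["priority"], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in contextualize(SIEM_EVENTS, NMS_EVENTS, INVENTORY):
        flag = " (asset not in inventory)" if inc["unknown_asset"] else ""
        print(f'[P{inc["priority"]}] {inc["host"]}: {inc["security_event"]} '
              f'criticality={inc["criticality"]} nms={inc["related_nms"]}{flag}')
```

Run as-is, the db01 brute-force alert comes out first because the shared inventory marks the host critical and the NMS saw it go down four minutes later; the same alert handled by a SIEM alone would carry neither piece of context. The guest-pc alert shows the other side of convergence: an inventory gap is surfaced to the analyst instead of being lost in a low-priority queue.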