面对从一开始就围绕SOC的纷纷扰扰,作为SOC从业者的我也始终在寻找SOC的定位、运用场景、价值、效果和发展方向。站在当下,回首过去,看到的是一条SOC发展的曲折道路,是一条SOC中国化的路。眼望未来,又有很多的可能在向我们招手,选择哪种可能性,都必定不会顺畅。
在所有关于SOC(这里指安全管理平台)的是是非非中,一个很常见的问题就是:SOC到底是什么,能够给我解决什么问题?带来什么实际的效果?也许是业界同仁们经历了太多的失败,面对这个问题,大都显得很沮丧。
首先,我想说,正如我在探寻安全管理平台(SOC)项目的关键成功因素中提及的那样,这个问题是一个世界性的难题,是由于系统自身的技术特点,以及使用者(用户)的条件决定的。
一方面,安全管理平台的技术特点决定了这是一个复杂的系统,仅就收集异构IT资源的信息而言,其工作量就无法固化下来,且不论所有管理类软件的需求与功能模糊化的通病。另一方面,客户的客户条件也是一个问题,包括客户的期望、认知程度,以及客户单位的体制、流程和组织架构。
所有这一切,决定了安管平台不会像FW、IDS那样发展起来。
接下来,我想说,这个问题并不是不可解决的,这需要业界与客户的共同努力,需要这个市场的不断成熟。
就目前阶段而言,我认为,从系统和产品的角度来看,安管平台到底是什么?安管平台就是一个工具!一个帮助用户进行安全管理的工具!这个话至少表明:1)安管平台是手段和方式,不是安全管理的目标;2)这个工具是帮助用户而不是取代用户的,他是一个提升安全管理生产力的工具。
这就好比说安管平台是一把扫帚,而你拥有一把扫帚并不意味着你的房间就干净了,还需要你自己去打扫!扫帚可以更先进一些,成为吸尘器,但依然需要你自己去插电,去使用,否则房间不会自己干净的。
同理,安管平台就好比是一个相机,但并不意味着你有了相机就有好的照片了,还取决与你的拍摄技巧。即便他是一个傻瓜相机,那也需要你去拍!更加的,现在很多人并不喜欢傻瓜的,还偏偏要去买高级单反的,要自己去苦练和积累拍摄技巧。
所以说,有了安管平台不代表安全管理工作就做到位了,还需要使用、需要运维。使用安管平台是需要技巧的。你可以自己去学习,也可以雇人帮你用,那就叫购买服务。如果你自己要用好,可能还要建立相应的配套,包括组织、流程的配套,等等。这些也是属于服务的范畴。
如果你赞同我上述观点,我觉得接下来的问题就好办了。
从这个意义上说,我建议客户在安管平台立项的时候,可以有两种思路:一种是购买工具的思路。也就是说自己已经做了必要的各项准备工作,需要一个这样的工具来改进当前的安全管理工作。这个时候,问题的焦点就在于产品选型对比,就好比你去选择买什么样的扫帚,或者选购哪款相机。
另一种思路是把这件事当成一个建设项目来做。即不仅局限于购买工具,还包括购买工具配套的服务。很多管理类产品都有这个运作方式,例如ERP,OA,CRM等等,不是买了工具就OK的。这时候,你要认识到服务的价值,咨询师的价值、实施工程师的价值。甚至,你还可能对工具进行定制,包装,二次开发。等等等等。

总而言之,一般情况下,用户在听到安管平台后,总是会自然而然的想到他的效果,美化他的效果,而忽略了达成效果的途径,结果就是”希望越大、失望越大“。所以,我们一开始就要告诉客户,这玩意儿就是一个工具,用好了,才有可能达成效果。
所以说,对于用户而言,不仅要买对,还要用对。这要求可不低。尤其是当前很多用户还处于大量部署基础的单点安全防御设施的阶段的时候,更加不容易认识到这点。
正如我一直强调的,作为一个SOC售前顾问,咨询师,在给客户交流的时候,应该澄清这个问题,要帮助客户建立正确的对安管平台的认知。

最后,这里附上一篇文章,题目叫”ArcSight很难用吗?”这个文章表明,即便是最顶级的产品,如果没有用好,也没价值!
由于需要×××,我就直接贴过来,FYI。

Is ArcSight hard to use?

 

This is a question I have a tough time with and frankly drives me a little crazy. Actually, the question can be legit; its the various offshoots of the question implying ArcSight IS hard to use that I have trouble with. Outside of a conversation of GUIs and interface ease of use issues (which certainly can make a huge difference) I mainly have 2 thoughts about the whole thing.

The first is the question has weight really only while you are going through the process of picking out a SIEM. Once you have pulled the trigger you are stuck with whatever product was chosen; at least for a couple years simply because of cost. In that sense – square your shoulders and suck it up. All tools require you to get over a learning curve. This leads directly into the second thought.

Don’t whine about how hard something is to use if you never use it! Crazy thought chain here: more than occasional use leads to familiarity which leads to greater and greater ease of use not to mention better results. This obviously applies to more than just your SIEM. If you have tools in your cyber or garage tool chest that you never use why are you surprised when they are “hard to use” or you can’t get the results from them you would like.

Now, you will have to forgive me if that seems a little direct. I attended a Dave Ramsey EntreLeadership event which sort of inspires one to be so. At the same time I’m passionate about what I do; ArcSight is simply the tool by which I work on cyber stuffs. If you aren’t passionate about being in this industry or doing this sort of work….why the hell are you still doing it? I have heard things like “our product is easier to use than ArcSight” from a few of their various competitors (who also focus on only a segment of the events in the IT world or OSes out there) and have even heard “I wish ArcSight was easier to use” internally. In the interest of full discloser I have even said it myself a time or two. In my mind though the question and implication fall into a category similar to asking if driving a manual transmission car is hard; if riding a bike is hard, if working on a car, gutting a fish, or managing a firewall are hard things to do. Are you asking a qualitative or quantitative question here?

The overarching challenge isn’t ArcSight or your SIEM of choice being “hard to use” – generally speaking – it’s the mission and what is hoped to be accomplished through it. On top of that people generally are under the impression they bought something that is a cross between a magic 8 ball and one arm bandit. You ask the SIEM a question, shake it a little, pull the arm and out drops evidence to support something has or has not happened (always a fun thing to do – showing evidence of a null event). The reality is not only are you sucking in events from multiple and disparate systems and vendors but somehow are trying to make a correlation between apples and oranges…and grapes…and giraffes and monkeys. From a myriad of examples that could be used, tracking user movement and everything they did while at work is one of those conceptual goals that is (surprising to some) painful to achieve technically – even if you are in a ridiculously locked down environment. For almost two years I drove my truck with a busted fuel gauge so I used the trip meter on my odometer to estimate when I needed to visit the gas station. Take the complexity of that relationship and multiply it by 100 and you start to approach where SIEM begins to operate. Throw in a hundred million or several hundred million events per day and combine that with not devoting enough time and effort to the tool (not an uncommon story from what I have heard) and is it any wonder why “SIEM is hard” or you don’t get the performance you had hoped to get from your magic 8 ball-esque thing-a-ma-dubie?

Don’t get me wrong - ArcSight isn’t all gum drops and sunshine. Without spending more than a minute on it I can think of a half dozen things I would like it to be able to do, fixed, worked/reworked. But why be surprised or complain about ArcSight not being as good your vendor specific, single event type tracker when that isn’t the level at which it is designed to operate?

So whom am I talking to here? Me. You. Them. Probably “them” most of all.

Would be interested in your take on this.

Mark Runals' Blog, November 7, 2010