Missed Opportunities with Machine Data
TOM FIELD: To start with, when it comes to the evolution of machine data, where do you believe that organizations are missing the opportunities to improve both security and the bottom line?
JEAN-FRANCOIS ROY: We found that, over time, these organizations start with a simple solution. They kind of forget how to keep them on track and aligned, and [they] end up with a bit of a broken model. We think that the initiative today has evolved from just collecting models to really building machine data management systems. We like to start with a centralization model and then gravitate towards more of a service-oriented model, and deliver that data to their constituents.
Deploying Technology Solutions
FIELD: What does a security organization have to do to change how it both views and deploys technology solutions?
ROY: We also encountered many security organizations that really have a hard time breaking out of their shell. It's very isolationist behavior - sometimes warranted for security reasons. They want to keep things under wraps and keep things under control. That causes issues when you're talking about business value. The way we approach the growth into that area of the business is to really try to get them to open up a little bit and allow the underlying IT organization to assume so that you don't necessarily own and manage everything, recreating the silos that really create that isolationist behavior that can be counterproductive from a business perspective.
FIELD: Coming back to this notion of business benefits, we talked about where organizations are missing opportunities. Where do you think they can find some opportunities for security to impact not just the bottom line?
ROY: We always want to go with the approach of the service-oriented model. We've heard in the news [the idea of] IT 3.0 and how that part of the organization has to evolve. I think that impacts the security group very directly. Our clients come to us and say, "How do I optimize this behavior?" We tell them to take the data, centralize it first, prevent those silos, and then start servicing these other relationships, whether it be the security group, compliance group, and also all the other constituents from a business perspective, from customer satisfaction and the customer service group.
More specifically for security, allow someone else to manage a lot of the data, the kind of day-to-day operations. Then focus on incident response, increased protection, intruders that pop in at the organization ... and leave the mundane management to the IT organization. It's kind of hard to get those groups to let go a little bit; but if they do, they can really spend the majority of their time in the areas they're most proficient.
Improving Transitions at Organizations
FIELD: Clearly this isn't just a switch that you can hit and you see it transform an organization. What do you see as the stages of transition an organization has to go through to get from point A to point B?
ROY: Depending on the organization you talk to, there's no one way of doing this. The first step is really to open up a little bit and get the organization to speak to each other. That's a good first step. We've encountered organizations where this is oil and water; they just don't play nice. The first thing is to do this so that you can let go of some of your responsibilities and really focus on what you're good at.
The second stage is to really empower the groups. Let the IT organization evolve into a service-oriented organization and then let your specialized business unit come back after the data they need, take action on it, and really collaborate together. Those are probably the two critical first steps to get to. After that, then it gets more down to the details. But those are probably the primary first steps that you want to take.
FIELD: You make it sound easy, and I know it can't be. What are the challenges you find organizations typically face along the way when they start to go through this transition? There must be some pushback.
ROY: Pushback is not a strong enough word. I think we get walls, almost wars that are happening. The first one that we see most times is really cultural. Some organizations, some security groups, have been doing things the same way for 20 to 30 years, and that's the way they've been doing things and that's the way it is. Like anything else, change is always a little bit scary. One thing we need to do is change the culture, bring them into the next generation of security practices and fight that battle on that side.
On the other side, the technical side of the equation, there are highly, highly complex systems.
What this causes is you need to hire very proficient engineers sometimes, or analysts, and those analysts are hard to come by. They're expensive, and they know it. That's the other problem with organizations, all the way down to who they hire, how many of them they need and the costs. It's going to justify the cost benefits to the business.
On the other side, because the tools are so complex, you need to hire specialized staff. The way we've approached this when consulting with our clients is, on the cultural side, you have to show their benefits. You have to show them the path that they don't like to do and highlight the fact that it goes away, and then they can really focus on the things they enjoy doing, which is incident investigation, forensics and response.
From a technical side, we try to consult them and steer them towards less complex solutions. They're out there; they have a bit more built in or a bit more content provided by the vendor. Try to stay away from the build-your-own approach where the tools are so flexible that you end up having to almost carry your own software organization to maintain and grow it, and that's really dangerous. We kind of approach these two angles one at a time and ultimately try to make a change.
Business Benefits
FIELD: You used the word "benefits." Ultimately, what are the business benefits organizations are going to achieve when they've gotten through this process?
ROY: One of the big ones, and I think it drives the isolationist behavior we've seen over the years, is risk management. These organizations, the security groups and the analysts, are a little bit paranoid, and that's okay. They're supposed to be. But sometimes they are to a fault that affects the business. By using a centralized system and putting a little bit of trust in the guys on the other side of the fence, we can control the risk management; we can manage it, control it and reduce it.
In thinking more, it's going to lower your costs. If you have to have the data in multiple places, you're going to pay duplicate storage costs, you're going to duplicate efforts and you're going to probably have several organizations with their own solution. Then, when you go into crisis mode where money is on the line, if the business services are down, you have to solve the problem as fast as you can. If you're not all looking at the same system with the same source of truth, you end up having a lot of arguments against "it's not me, it's you," "it's not you, it's me," and "my firewall is good, what's wrong with your application?" We try to mitigate that to lower that cost on the business.
The last one is where the top-line advantages are on customer satisfaction. Your customers spend more money with you, they stick around and you keep them longer. By optimizing those systems, by merging both security data and the IT data and managing it properly, we can reduce this time to resolution and bring up your customer satisfaction. That's one example of how we can benefit the top line.
Case Studies with Machine Data
FIELD: Let's talk about some of your customers. How have they made this evolution and what kind of results are they seeing today?
ROY: Many customers have done this in many ways, but I'll give you an example. For one of our clients, a large telco, what basically happened there is one of their directors saw an opportunity. In her organization, there were some problems, some we've highlighted at the beginning of the talk. She was really able to find a way to solve it through machine data management, through some of the next evolution and the way we manage the data. Once she did that, she started looking around and really paying attention, being on the lookout for similar problems she could solve with that solution she deployed internally in her own department. As she met with other leaders in her business, she was able to offer and broker those services, pull them into a service-oriented architecture, and go to the next business unit and say, "I can solve this problem for you," really taking on that side of the business. That's how she grew her governance, and established what was in this large organization in machine data management standards.
In fact, when new businesses come on, when acquisitions are made, there's a very clear standard of how you go about managing this data. It's all managed the same way; it's all owned by the same architecture. That really optimizes and allows them to solve problems even before they happen. You don't want to be reactive all the time. This model allows them to get ahead of it and prevent some of that wasted time, some of the exposed risk that they would otherwise be prone to.
Getting Started
FIELD: That's a great example, and I'm sure that there's not any one place that every organization should start this process. As a final question, where is the best place for an organization to begin this transition?
ROY: Number one is consolidation. Visibility is the key. If you can't see, if you don't have the information and all the fancy tools you have in the back end, you can't do anything. That would be the first step: establish your groundwork, establish your data acquisition infrastructure, centralize it and then start going out and asking for use cases to go to broker this data out and solve use cases. That's essentially the best place to start. Consolidation and a lot of visibility are the first step.