Q&A: Software-as-a-Service and Threat Management

Misha Govshteyn is the CTO and responsible for security strategy, security research and operations at Alert Logic. In this interview he discusses Software-as-a-Service (SaaS), log management, compliance, threat management and more.

Why is the Software-as-a-Service (SaaS) model a good fit for log management?
Software-as-a-Service is a perfect model for non-business critical problems that are too messy to be solved on premise. People don’t realize this, but the biggest SaaS company today is Google. No one wants to store terabytes of search data just to find a web site for a car wash. Same goes for log management. No one is going to make more money because they retain a complete archive of logs for the last 12 months or 7 years. But it still has to be done. Compliance requires it and it’s hugely important for forensics. And while it may not contribute to earnings, it has real potential to prevent losses. How different would ChoicePoint investigation have been if they had retailed their full audit trail? Would the breach have been detected faster? The answer is, yes. Absolutely.

Log Management requires storage, databases and computing capacity that most companies are not prepared to deal with. The cost of buying storage is dwarfed by the amount of money and effort required to manage that storage and the amount of data increases every day as people collect more logs. Suddenly they have a lot more storage they need to manage and backup than they expected originally. Products they bought just a year ago begin to look inadequate. SaaS takes that entire problem offsite. Why bother thinking about how to manage all that complexity when you can just subscribe to software that has storage built into it?

Another interesting point is stranded capacity. There is a log management company out there that sells you 5-6 servers that run as a grid attached to a SAN. Their product is very fast, but most of the time those appliances sit idle and burn power. Truth is that most of the time you will not be searching through a huge archive of logs, so the computing capacity and power is essentially wasted until you actually need it. When you buy traditional software you are, in fact, contributing to global warming. With SaaS, you’re saving the world. Log Management under the SaaS model allows you to change the economics in a very powerful way. Customers are starting to figure that out and as soon as word gets out old school software will never seem quite the same.

What has been your biggest challenge as the CTO of Alert Logic?
In many ways my challenges mirror very closely those of my customers. How do I interpret mounting regulatory requirements and translate them into real-world processes that satisfy the auditors while making my network secure? Security and compliance should follow the same path, but the ambiguous nature of regulations often forces CIOs to choose one or over the other. Many of the customers I talk to find that all their resources are tied up in implementing compliance controls only useful during an audit, but fail to add much to practical security.

What do you see your customers most worried about?
We spent years helping people lock down their networks and make them more resilient to network worms and attacks. We still do, but availability anxiety has been replaced with liability anxiety. There are two classes of customers we work with.

IT managers that always cared about security and improved their posture every year and are now worried about being able to prove that they show enough due care as to not be exposed to a lawsuit or punitive action, should a breach happen in the future. That requires more than just an enthusiastic security effort, it also requires processes and workflow management tools. The shops that have always been good about security are now becoming more mature about how they secure their business.

Then there are businesses that, for whatever reason, have not spent as much time on security as they should have in the past and are playing catch up. Sometimes it’s because they grew too fast. When a business grows, security is often the last consideration. More often than not, these IT managers wanted to do the right thing, but could not get the budget approved. These customers are universally worried about getting the most comprehensive solution they can find for the money.

Surprisingly, we do not see that our customers are worried about a specific threat or risk vector. Web application security is gaining a lot of attention, as it should, but I sense that its being propelled by the PCI standard, which made web security assessments mandatory this year. I think that’s a huge step forward.

In your opinion, how much resources should an SMB deploy when it comes to threat management?
As few as possible. If you listen to industry experts and press, you get an idea that IT leaders must push their businesses managers to allocate a larger portion of their IT budget for threat management and security in general. I have a somewhat unusual position on that – I think most businesses already allocate enough budget to security efforts. Now, do they get a real return for their money? Not even close.

You can do more with a single well configured IDS or Log Management product that provides real value, than a garbage truck worth of security appliances sold to businesses in the name of “defense in depth”. Businesses spend inordinate portion of their budget on security products, but pay very little attention to how they use those solutions. Anyone that has an IPS system serving as a doorstop or a SIM collecting dust on a shelf should consider drastically changing their approach. Find a solution that may not have as many bells and whistles but is easy to deploy and easy to use. SaaS solutions tend to fall into this category, but there are plenty of capable traditional solutions as well. Then spend the remainder of your budget making sure your staff are ready to respond to situations that contribute the business risk.

A single security admin that pays attention to one product will be infinitely more useful than a whole security team overwhelmed by a dozen sources of data that must be analyzed every day.

Compliance is certainly strengthening the overall security of organizations worldwide, yet we are still plagued by a variety of security risks. What should the CTO pay special attention to?
I don’t expect that to change – security risks are a fact of life. They will continue to evolve and will always be a factor for any business. There are two things I’d recommend for every CTO and CIO out there:

1. Don’t assume that SANS or PCI Council or Bruce Schneier can tell you what your top risks are. Risks are always going to be unique to your environment and depending on the business you are in they may not even be entirely network related. Focus on risks that have the most impact on your business, otherwise you will always be chasing your own shadow. Analysis of top risks affecting your business should be a regular process in your ongoing business planning. Get your organization used to the idea that managing information risk is something as natural as planning your budget.

2. I’d pay special attention to the readiness of your security team. While I do not believe security should be managed internally, there always has to be an internal team that understands security, technology and your business. Companies that use MSSPs are especially sensitive to this – often outsourcing is seen as a green light to drop your guard. Truth is that in a triage situation, when fast response and well thought out action matters, no service provider can really be a surrogate for well prepared staff. Only the people who can truly understand business risk should handle response to critical situations. Have the roles assigned, procedures reviewed and incident response plans tested before something happens. Make sure the communication, command and control paths are crystal clear. This could mean the difference between full breach or data leak, or a close call.

With the constant evolution of threats, what kind of technology challenges does Alert Logic face?
Integration with other vendors and data sources is right at the top of the list. The software-as-a-service model opens up very unique opportunities that security products have not began to leverage. Everyone knows what mashups are – you take a Google map and blend it with LinkedIn. It’s not rocket science. But what if you could do the same with SaaS security products? Geolocation, reputation services, identity awareness come to mind. Possibilities are endless.