
This past weekend was a long holiday weekend due to Thanksgiving Day in the US.  For many people, there are 4 big traditions that go along with this:

  1. Watching the Macy’s Thanksgiving Day parade;
  2. Eating too much turkey at Thanksgiving dinner;
  3. Shopping like crazy on Black Friday (I mentioned Black Friday in my last post); and
  4. Watching ridiculous amounts of football on television (that’s American Football, not “rest of the world Football”, by the way).

The problem with the football thing is that there are so many games on during the 4-day weekend that there is no possible way you can watch every play of every game – there aren’t enough hours in the day, even if you have a boatload of DVR storage.
That aspect of football got me thinking about how the same thing is true in infosec: no matter how much you may want to, you can’t watch every security event that happens all the time – you’re destined to miss some things.

But I want to watch every football game – what can I do?

Just as the challenges of paying attention to “overwhelming amounts of football” correlate to paying attention to “overwhelming numbers of security events,” I think the solutions to both problems align pretty well, too.  Here is what I recommend:

Prioritize and pay attention to what’s most important first

For me, the number one priority in football games this weekend was watching the LSU vs. Arkansas game, since I am an LSU fan and wanted to make sure I saw them end their season with 12 wins and no losses (they did – Geaux Tigers!). I not only made sure I was home for this game, I also had my DVR set to record this game (and the show after it, in case it went long). That way I can skip commercials, run to the store, etc. and still not miss any of the action. And yes, I made sure I watched every play of that game.

In infosec, this means paying the most attention to the security events (system state changes, suspicious traffic,  weird logins, etc.) that relate to your most critical business assets and data.  You’d better make sure you know exactly what’s going on with the most critical parts of your IT ecosystem – all the time. But you don’t have to pay as much attention to other systems that are less important.

Use analysis and automation to show you what’s important about the things that aren’t your top priority

In the football world, I rely on ESPN’s SportsCenter and similar programs to analyze the games I didn’t watch, then show me the highlights (good and bad), as well as provide context about controversy surrounding the games so I can understand what’s happening across the rest of the football world.

In infosec, this means using automated analysis (like configuration assessments, vulnerability scans, event correlation, etc.) as well as human analysis to bring your attention to the most interesting or important security events happening in your world.

In both cases, this decreases the likelihood you’ll miss something you really wish you’d have seen.

Record everything you can – just in case

Even if you know you can’t watch every game, it can be comforting to record a bunch of different football games on your DVR.  You can always erase them later, if you want.  But it’s comforting to know that you can go back and watch them if your expert analysts tell you “you really should have seen the ________ game!”  Or I might just want to see how the University of Oregon Ducks did so I can be informed enough for water cooler talk, even though the only Ducks game I really cared about was their season opener against LSU…

In infosec there is also latent value in recording lots of stuff – system state, network events, file changes, packets, etc.  The more you record, the more data you’ll have available in case you later realize that you should have looked at the events or changes the first time around (such as in a breach you discovered after-the-fact — this is what forensics is all about, after all).

Recordings are handy even if you happen to be watching the event live – after all, it’s pretty common for me to rewind the LSU game to re-watch an interesting play, or show an amazing play to someone who was out of the room at the time.  The same concept applies to security events.

These are just a few examples of some of the parallels I see between football and infosec, and both infosec and football require a couple of critical precursors: start with prioritization and planning, then invest your resources so you optimize for what’s most important.

What about you – any other parallels you see?