I spent a few days with a bunch of bankers in lower Manhattan this week. After the conference (caucus? summit?) we headed for the bar. I ran into someone I've known for years and worked with right after leaving the Navy in 2001. Over a couple of Guinness stouts, the conversation went from fun back to business, and on this occasion he mentioned the phrase "the God box." We hear so much from different vendors about the problems they solve, and in today's environment it seems CISOs who haven't yet really been exposed to what's happening in the dark corners of our infosec world are hearing the messages, watching the turnover in CISOs, and are either scared to death or totally confused by all of the crap reported in the news and the vendor hype that takes full advantage of it.
The God box goes like this... My security box slices, it dices, it even makes julienne fries! It'll stop everything from coming into YOUR house, AND it'll pour your coffee when you come to work in the morning. It offers long-term predictive intelligence (not that you'll ever need it), and will call your mother on her birthday when you forget about it because you're so engrossed in Dungeons & Dragons (World of Warcraft? Farmville?) that everything else passes you by; because you've got so much time on your hands while you wait for your layoff notice, because you've not had to lift a finger to protect your network since this new system was delivered, installed, and took over full operation of your networks, authentication, logging, analysis, blah, blah, blah. This box is freak'n amazing.
So the question is this... if that box is so good, why aren't you using it to predict the stock market?
We see SOOO many vendors out there exploiting fear, uncertainty and doubt; overcharging for their otherwise lackluster wares; over-promising and under-delivering; or worse, shipping so much complexity that you couldn't even begin to scratch the surface of its capabilities. I once had someone tell me that ArcSight is the most expensive SMTP gateway they'd ever owned. It's not because ArcSight is a bad product (I don't believe for a second that it is) but that it requires specialized training to be able to take advantage of the amazing capabilities that come with it.
Interestingly enough, much of what many of these guys promise can be done on your own, including what we do (although we try really hard to do it better than you could on your own!). All I'm saying is this... there is no God box. Put your filters on and don't believe everything you hear. Pick a few great tools (open source, commercial, home grown, whatever!), but pick them based on the needs in your environment. Haven't started? Set up a Bro box, a Security Onion ISO, or another favorite tool, and connect it to a great intel source (ours is inexpensive and easy to hit, or again, choose your favorite). Watch the outputs and do the initial diagnosis. Pick tools based on what you need to move to the next step. Don't try to swallow the elephant whole at first; instead, look for tools that can help create your plan. Need help? There are tons of places to find that too.
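To make the "Bro box plus intel feed, then watch the outputs" step concrete, here is an added example that is not from the original post and not Bro's or Security Onion's own code. It parses Bro/Zeek-style TSV logs and an indicator list in the Bro Intel framework's tab-separated layout, then reports which connection and DNS records hit the feed, roughly what the Intel framework writes to intel.log. All log lines, indicators and addresses are constructed samples from documentation/example ranges, not real IoCs; the feed name `example-feed` and the two-log scope are assumptions of the example.

```python
"""Match Bro/Zeek conn.log and dns.log records against a threat-intel feed.

Added example (not code from the post, Bro, or Security Onion). Inputs are
constructed samples; addresses come from RFC 5737 documentation ranges.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed intel feed in the Bro/Zeek Intel framework TSV layout.
INTEL_FEED = """\
#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc
203.0.113.7\tIntel::ADDR\texample-feed\tconstructed C2 address
198.51.100.0/24\tIntel::SUBNET\texample-feed\tconstructed hostile block
bad.example.net\tIntel::DOMAIN\texample-feed\tconstructed phishing domain
"""

# Constructed conn.log excerpt (real header layout, fields trimmed to what is used).
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1420070400.1\tC1\t192.0.2.10\t51000\t203.0.113.7\t443\ttcp
1420070401.2\tC2\t192.0.2.11\t51001\t203.0.113.200\t80\ttcp
1420070402.3\tC3\t192.0.2.12\t51002\t198.51.100.42\t22\ttcp
"""

# Constructed dns.log excerpt.
DNS_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery
1420070403.4\tD1\t192.0.2.10\t53000\t192.0.2.53\t53\tudp\tbad.example.net
1420070404.5\tD2\t192.0.2.11\t53001\t192.0.2.53\t53\tudp\twww.example.org
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse a Bro/Zeek TSV log or intel file: '#fields' names the columns,
    other '#' lines are metadata, every remaining line is one tab-separated record."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#"):
            continue  # #separator, #path, #open, #close ...
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"field count mismatch: {line!r}")
            records.append(dict(zip(fields, values)))
    return records


def build_intel_index(feed_text: str) -> dict:
    """Index indicators by type: set lookups for addresses and domains,
    a short linear scan for subnets. Other Intel:: types are ignored here."""
    index = {"addr": set(), "subnet": [], "domain": set()}
    for rec in parse_zeek_tsv(feed_text):
        kind = rec["indicator_type"]
        if kind == "Intel::ADDR":
            index["addr"].add(ip_address(rec["indicator"]))
        elif kind == "Intel::SUBNET":
            index["subnet"].append(ip_network(rec["indicator"]))
        elif kind == "Intel::DOMAIN":
            index["domain"].add(rec["indicator"].lower().rstrip("."))
    return index


def match_address(addr_str: str, index: dict) -> bool:
    """True if the address is listed directly or falls inside a listed subnet."""
    addr = ip_address(addr_str)
    return addr in index["addr"] or any(addr in net for net in index["subnet"])


def match_domain(name: str, index: dict) -> bool:
    """True on an exact domain match or when the query is a subdomain of a
    listed domain (a deliberate broadening beyond exact-match lookups)."""
    name = name.lower().rstrip(".")
    return name in index["domain"] or any(name.endswith("." + d) for d in index["domain"])


def find_hits(conn_text: str, dns_text: str, intel_text: str) -> List[Dict[str, str]]:
    """One hit per log record whose responder address or DNS query matches the feed."""
    index = build_intel_index(intel_text)
    hits: List[Dict[str, str]] = []
    for rec in parse_zeek_tsv(conn_text):
        if match_address(rec["id.resp_h"], index):
            hits.append({"uid": rec["uid"], "seen": rec["id.resp_h"], "where": "Conn::IN_RESP"})
    for rec in parse_zeek_tsv(dns_text):
        if match_domain(rec["query"], index):
            hits.append({"uid": rec["uid"], "seen": rec["query"], "where": "DNS::IN_REQUEST"})
    return hits


if __name__ == "__main__":
    for hit in find_hits(CONN_LOG, DNS_LOG, INTEL_FEED):
        print(hit)
```

Run it against the constructed logs and three of the five records hit: the direct C2 address, the address inside the listed /24, and the phishing domain; the benign web and DNS traffic stays quiet. The point of "watch the outputs and do the initial diagnosis" is exactly this: each hit names the connection uid, so the analyst can pivot back to the full conn.log record rather than trust a green light.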
Our favorite diagnostic tools? We're huge fans of Bro and Security Onion. Prefer commercial? Try CounterTack. Want a Managed Security Service? Red Canary just started integrating Threat Recon, or for the broader-spectrum MSSP, try AT&T, Solutionary, Morphick, or Alert Logic.
Bottom line: There are some very cool options out there. None are the God box. Nor is there a simple green light that you can watch flicker, turn red temporarily, and then go back to green when the thing mitigates the risk... it doesn't exist. Brains exist. Good intel exists. Critical thinking exists. And most of all? Common sense exists.