Cyber Observer – a powerful security dashboard that reminded me of an earlier time

The other day I received a note in LinkedIn from an individual I worked with back in EDS. He mentioned a company he is currently working for that is focused on security. Since security needs to be at the top of the list of concerns at all levels of organizations today, I thought I’d take a deeper look.

The software is called Cyber Observer (they have a fairly effective marketing overview movie on their site). Though this solution is focused on enterprise security monitoring, it reminded me of the data center monitoring programs that came out in the late 80s and 90s that provided status dashboards and information focused on reducing time to action for system events. CA Unicenter was one that was popular.

Back in the late 80s I had system administration leadership over the largest VAX data center that GM had. We had hundreds of VAXen, PDPs and HP 1000s of all sizes scattered over nine or ten plants. Keeping them all running required some significant insight into what was going on at a moment's notice.

Fortunately, today folks can use the cloud for many of the types of systems we had to monitor, and the hardware monitoring is outsourced to the cloud providers. Plant floor systems are still an area that needs to be monitored.

One of the issues we had keeping hundreds of machines running was that the flood of minor issues being logged and reported can easily lead to ‘alert fatigue’. Those responsible can lose the big picture (chicken little syndrome). Back then, we put a DECTalk in our admin area; when something really serious happened, it yelled at us until it was fixed. We thought that was pretty advanced for its time.

I asked how Cyber Observer handled this information overload concern, since the software is primarily targeted at leaders/executives and we all know the attention span of most managers for technical issues. I also asked about a proactive (use of honeypots) vs. a reactive approach for the software. Now that both soft (HoneyD among others) and hard honeypots (Canary) are relatively easy to access, they should be part of any large organization's approach to security.

He explained that the alert and dashboarding system was very tunable at both the organizational and individual level.

Although it has more of a dashboard approach to sharing the information, details are available to show ‘why’ the concern reached the appropriate level.

An example he gave me was (for example) a new domain administrator being added in Active Directory. The score next to the account management domain would go down and show red. When the user drills down, the alert would state that a new domain admin was added. The score in the system would be reduced and eventually the system baseline would adjust to the change, although the score would remain lower. The administrative user would have to manually change the threshold or remove the new domain admin (if it is rogue or unapproved). Only then would the score go back to its previous number (if no other events took place). Some threshold tolerances come preset out of the box based on expected values (for example if the NAC is in protect mode and not in alert mode, or if the Active Directory password complexity is turned on — these scores are preset). Some thresholds are organizationally dependent and the user needs to set the proper thresholds, as with the number of domain admins.
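The scoring behaviour described above (a control-domain score that drops when an unexpected domain admin appears, a baseline that drifts toward the new state while the score stays reduced, preset controls with fixed expected values, and an operator action that clears the finding) can be sketched as a small model. This is an added illustration, not Cyber Observer's code or algorithm; the penalty weights, the EWMA baseline, the field names and the sample snapshots are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample observations (one per day) of the domain-admin group.
SNAPSHOTS = [
    {"alice", "bob"},              # day 1: expected state
    {"alice", "bob"},              # day 2
    {"alice", "bob", "mallory"},   # day 3: unexpected new domain admin
    {"alice", "bob", "mallory"},   # day 4: still present
    {"alice", "bob", "mallory"},   # day 5: still present
]

PRESET_PENALTY = 15      # assumed weight for each preset control that is off
THRESHOLD_PENALTY = 40   # assumed weight while count exceeds approved maximum
ANOMALY_WEIGHT = 10      # assumed points per admin of deviation from baseline


@dataclass
class AccountManagementScore:
    """Score for one control domain; every weight and name is an assumption."""
    approved_max_admins: int             # organisation-set threshold
    nac_protect_mode: bool = True        # preset: NAC in protect, not alert, mode
    ad_password_complexity: bool = True  # preset: AD complexity policy on
    alpha: float = 0.3                   # baseline adaptation rate (EWMA)
    baseline: Optional[float] = None     # learned expected admin count
    known_admins: set = field(default_factory=set)
    findings: list = field(default_factory=list)  # drill-down detail

    def observe(self, admins: set) -> int:
        """Ingest one snapshot, adapt the baseline, return a 0..100 score."""
        count = len(admins)
        newly_added = sorted(admins - self.known_admins) if self.known_admins else []
        self.known_admins = set(admins)

        # The baseline follows the observed count, so it drifts toward the
        # new state after a change; the first observation seeds it.
        if self.baseline is None:
            self.baseline = float(count)
        else:
            self.baseline = (1 - self.alpha) * self.baseline + self.alpha * count

        self.findings = []
        penalty = 0.0

        # Preset controls: fixed expected values, nothing to tune.
        if not self.nac_protect_mode:
            penalty += PRESET_PENALTY
            self.findings.append("NAC is in alert mode, expected protect mode")
        if not self.ad_password_complexity:
            penalty += PRESET_PENALTY
            self.findings.append("AD password complexity is off")

        # Organisation-dependent threshold: this penalty does not fade as the
        # baseline adapts; only raising the threshold or removing the account
        # clears it.
        for name in newly_added:
            self.findings.append(f"New domain admin added: {name}")
        if count > self.approved_max_admins:
            penalty += THRESHOLD_PENALTY
            self.findings.append(
                f"{count} domain admins exceeds approved maximum "
                f"{self.approved_max_admins}")

        # Anomaly relative to the adaptive baseline: large right after the
        # change, shrinking as the baseline catches up.
        penalty += ANOMALY_WEIGHT * abs(count - self.baseline)
        return max(0, round(100 - penalty))

    def approve_threshold(self, new_max: int) -> None:
        """Operator action: accept the new admin count as expected."""
        self.approved_max_admins = new_max


def run(snapshots, **kwargs) -> list:
    """Feed snapshots in order and return the score after each one."""
    scorer = AccountManagementScore(**kwargs)
    return [scorer.observe(s) for s in snapshots]


if __name__ == "__main__":
    scorer = AccountManagementScore(approved_max_admins=2)
    for day, snap in enumerate(SNAPSHOTS, 1):
        score = scorer.observe(snap)
        print(f"day {day}: score={score:3d} baseline={scorer.baseline:.2f} "
              f"findings={scorer.findings}")
    scorer.approve_threshold(3)
    print("after approving 3 admins:", scorer.observe(SNAPSHOTS[-1]))
```

Running it shows the shape of the behaviour the post describes: the score sits at 100 for the first two days, falls to 53 when the third admin appears, then creeps up only slightly (55, 57) as the baseline drifts, because the threshold penalty stays until the operator either approves three admins or the account is removed. The drill-down list carries the "why" for each drop.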

He also mentioned that if the system were connected to a honeypot, monitoring the level of concern based on shifts in the honeypot's ‘background radiation’ was possible.

I don’t know much about this market and who the competitors are, but the software looked like a powerful tool that can be added to take latency out of the organizational response to this critical area. As machine learning techniques improve, the capabilities in this space should increase, recognizing anomalies more effectively over time. I was also not able to dig into the IoT capabilities, which are a whole other level of information flow and concern.

The organization has a blog covering their efforts, but I would have expected more content since there hasn’t been a post this year.


Waste can be Good – it’s all relative

As businesses make the transition to where the edge of the enterprise is wired into the operational processes of the business, we will start to consume our resources quite differently than we have in the past. We can use the abundance of computing capabilities to shed light on all the dark data currently available to develop a deeper contextual understanding of situations we encounter. Money may not be growing on trees, but there is much more we can be doing.

An article in Wired magazine back in 2009, “Tech Is Too Cheap to Meter: It’s Time to Manage for Abundance, Not Scarcity”, discussed this shift. In this world of exponential increases in capability, 2009 is ancient history; even so, the article is useful. It works through examples like how Alan Kay used the precious resources of the computer to display pictures on the screen instead of just textual data. George Gilder called this “wasting transistors” — making people more productive by using the transistors (computing capability) available.

The funny thing about waste is that it’s all relative to your sense of scarcity.

As we look to use higher levels of automation to handle more “normal” activities and focus people’s attention to turning anomalies into opportunities, we’ll use pattern recognition and other techniques that may appear to waste cycles. I hear people today complain about the expense of cloud computing and that it is out of control. That is more about what they use these resources for, how they measure impact and exercise control than anything to do with cost, at least from my perspective. As more capabilities become available and algorithms improve, we’ll need to do even more with more – not less.

The Wired article shows how behavior needs to change as we move from a perspective of scarcity to abundance:

From a perspective of Scarcity or Abundance

| | Scarcity | Abundance |
|---|---|---|
| Rules | Everything is forbidden unless it is permitted | Everything is permitted unless it is forbidden |
| Social model | Paternalism (We know what’s best) | Egalitarianism (You know what’s best) |
| Profit plan | Business model | We’ll figure it out |
| Decision process | Top-down | Bottom-up |
| Organizational structure | Command and control | Out of control |

This kind of shift in perspective is disruptive, useful and the right thing to do to take maximum advantage of a truly scarce resource – the human attention span.