If you can imagine a group of security technologists sharing hand-scribbled drawings back and forth over webcams, then you have a pretty good idea how I spent the past hour. The focus of this scribbling involved how to enable visibility of relevant activity in support of enterprise cyber security. My partners in crime were Mike McKee and his team at ObserveIT, a cyber start-up that knows a thing or two about this topic.
Two questions we wrestled with were as follows: First, what does it mean today for an enterprise cyber security team to have sufficient visibility into meaningful activity to properly manage risk? And second, with the evolution of most businesses to virtual workload-based cloud services, what will it mean in the coming years for an enterprise team to have sufficient visibility, perhaps remote, to manage cyber risk?
Both questions called for a taxonomy of visibility options – and we inevitably began drawing circles. My initial attempt was to draw a simple universe of activity that included two circles marked visible and invisible. It makes me gulp that whereas today’s concept of invisible activity is called Shadow IT, tomorrow’s view of invisible activity might be normal employee use of public cloud. That is quite a change.
The second round of drawings involved digging deeper into the categories. We eventually agreed that three categories emerge when security teams dip their ladle into the visibility circle: First, visible actions can offer insights to enable business. Second, visible actions can offer detection of indicators to enable security. And third, visible actions can be meaningless, offering neither insight nor detection.
We all liked this simple taxonomy, because it yields four distinct categories of activity: First, there is relevant but invisible activity, which should be minimized. Second, there is insightful visibility, which should be maximized. Third, there is indicator-detecting visibility, which should be maximized. And finally, there is visible but useless information, which should be minimized.
So, here is my question: Are these the correct categories? Are we missing something in the taxonomy? I am honestly tempted to incorporate these views into my writing and lecturing, but the result seems so simple – perhaps even obvious – that I wonder why I haven’t noticed this before. And my belief is that with transition to hybrid cloud enterprise, the notion of visibility becomes one of the main primitives in our discipline.
Please provide your thoughts below. Are there other categories of visibility? Does the taxonomy cover the right cases? Is it a sufficient base for CISOs to write requirements for next generation UEBA, SIEM, network monitoring, and the like? Would you make changes to the taxonomy – either as additions or as fundamental changes? I’d sure like to know, and I know the ObserveIT team would appreciate your input as well.
Thanks in advance for commenting!