This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.
For better or worse, a bunch of the Securosis team have become endurance athletes. Probably more an indication of age impacting our explosiveness, and constant travel impacting our respective waistlines, than anything else. So we're all too familiar with the concept of 'bonking': hitting the wall and capitulating. You may not give up, but you are just going through the motions.
Sound familiar to you security folks? It should. You get bonked over the head with hundreds or thousands of alerts every day. You can maybe deal with five, and that's a good day. So choosing the right five is the difference between being hacked today and tomorrow. This alert fatigue will be a key theme at RSA Conference 2015. You'll see a lot of companies and sessions (wait, there are sessions at RSAC?) talking about more actionable alerts. Or increasing the signal to noise ratio. Or some similarly trite and annoying terminology for prioritization.
These vendors come at the problem of prioritization from different perspectives. Some will highlight shiny new analytical techniques (time for the Big Data drinking game!) to help you figure out which attack represents the greatest risk. Others will talk about profiling your users and looking for anomalous behavior. Yet another group will focus on understanding the adversary and sharing information about them. All with the same goal: to help you optimize limited resources before you reach the point of security bonk.
To carry the sports analogy to the next step, you are like the general manager of a football team. You've got holes all over your roster (attack surface) and you need to stay within your salary cap (budget). You spend a bunch of money on tools and analytics to figure out how to allocate your resources, but success depends more on people and consistent process implementation. Unfortunately people are a major constraint, given the limited number of skilled resources available. You can get staffers through free agency (expensive experienced folks who generally want long-term deals) or draft and develop talent, which takes a long time.
And in two years, if your draft picks don't pan out or your high-priced free agents decide to join a consulting firm, you get fired. Who said security wasn't like life? Or the football life, anyway!
—Mike Rothman, Analyst & President, Securosis
Check out other posts in the series: Introduction
Theme posts: Change; Internet of Things; Professionalism; Compliance; Big Data; Bonk; DevOps
Coverage Area Deep Dives: Overview; Endpoint Security; Network Security; IAM; Cloud Security; Data Security; Security Management;
Download your copy of RSAC-G