With multiple security tools in place, how do you determine what’s working and what isn’t? How do you justify the expenditure by showing that every tool in your arsenal is doing its job?
Of course, there’s one very good indicator of whether your security systems are working: whether your systems get broken into or not. The question is, “Was I impacted when my peers and colleagues were?” says Branston.
Monitoring the alerts the various tools generate is a good way to see how many problems they’re preventing, Zasada says, and log files are invaluable for this purpose.
Casale says security management consoles like Intellitactics’ can also help, thanks to reports that help the security manager see what each security tool in his or her arsenal is picking up. “If you’re trying to look at the effectiveness of your antivirus, you can run reports on all the anomalies generated by your antivirus. You can run reports on all the alerts generated by your IDS system.”
Such reports can also indicate when security controls need to be tightened or relaxed, Casale says, and help the security administrator see how long incidents take on average to be resolved.
If a tool isn’t performing, it may need some adjustments. Few security tools do everything a given enterprise wants straight out of the box, Wolynski points out – they need configuration and ongoing fine-tuning, not to mention proper user training to take full advantage of their capabilities.