Before visibility became the catchphrase for understanding what is going on in your IT environment, logging was the only source of truth. Like a ship’s log, IT logs are a record of what happened and when.
Logging is an essential activity for IT operations, but with the volume of data coming at us, we need a better way to view, review and analyze logs, and we need to know more than what logging alone can tell us.
Logging vs. visibility vs. observability
While the terms might seem interchangeable, logging, visibility and observability each mean something different.
Logging creates a documented record of events occurring in a system or network. Logging and monitoring are essential to any operations or cybersecurity plan. Properly monitored logs enable reactions to security events and logging allows for event reconstruction. Logs should be retained for as long as practical.
Visibility is a strategy for understanding and utilizing log data for improved security and understanding of the IT environment. Ideally, this data is gathered from multiple systems into one location to improve correlation and analysis. This helps drive innovation, big-picture thinking and better protection.
Observability is generally more focused on DevOps and on building the right kind of tools and features for logs, metrics and investigation. DevOps is built for speed, so security is crucial from conception to deployment. The DevOps team uses the discipline of observability to develop software for the operations environment that is clear and easy to follow from end to end.
Visibility and complexity challenge IT teams
Through hundreds of client engagements, two issues stand out as common challenges for IT teams of all sizes:
- Visibility: It’s impossible to react to something you can’t see.
- Complexity: If it’s too complex to understand quickly, being able to see it won’t matter, because you won’t know how to react, or won’t be able to react soon enough to have any impact.
Digital environments drive the use of interconnected applications, systems and tools that lead to better collaboration, efficiencies and service delivery. But they also make visibility and complexity a bigger challenge and a vital part of the equation.
Before starting any new project, initiative or tool, look at it through the lenses of visibility and complexity. Not because it will stop you from moving forward, but because understanding the impact on each can help you counteract any undesired or unintended effects during project development.
It’s certainly possible that the value outweighs an increase in complexity or decrease in visibility, but you may also choose a different route or approach to achieve your goal. Don’t get caught up in tools and processes. Follow the adage and stay focused on the nail, not the hammer.
The role of visibility in security
Improving visibility is necessary for security practitioners to ensure they aren’t missing things they can’t see. Bad actors rely on staying hidden in the noise of logs, systems, tools, teams, processes and silos. The more we focus on cutting through the noise to get to the signal, the faster we can act, react or recover.
Is cloud visibility different?
Compute has become a commodity. What’s true for hybrid or on-prem is also true for cloud.
As compute, memory and storage continue to move to the cloud, complexity can increase while visibility may decrease. Data integration, maintenance and security remain part of the IT team’s responsibilities, regardless of where the data is stored or accessed. In this case, the cloud is the hammer and your data is the nail. And users only care that the bench you nailed together is comfy to sit on.
Your team’s involvement may vary by environment, and this is something your team needs to understand. Shadow IT, developers and end-users are now taking things into their own hands, but without the benefit of IT lessons learned.
Know where your data is and what data is important. Cloud security will differ somewhat from your organization’s legacy IT and security. All of your teams—IT and others—need to be clear about protecting your data. IT services may differ, but the problem stays the same. Visibility, clarity and good documentation are still the difference between a hiccup and a front-page story.
Building a visibility strategy
Visibility must be a strategic part of every project, initiative or solution. Start with the core business problem to be solved. It doesn’t matter whether the request originates in IT or the business office, always work outwards from the desired result to visualize the potential impact to customers, coworkers, partners, vendors and business operations.
As you develop the larger picture of possible impacts, ask questions about how visibility may be affected. The four Ws and an H of Who? What? Where? Why? and How? are a good start. Are you trying to identify who is logging in, and from where? Or maybe you want to know what data they are accessing? Where are they accessing it from, and what are they doing with it? With a full, timely view of the issue, you can achieve the desired result without compromising other areas, including security.
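As an added illustration of the Who/What/Where/How questions (example code written for this edit, not from the original article), the following joins two constructed log sources so that each login's origin can be seen beside the data that user then accessed. The log format, the office network range and the list of sensitive paths are all assumptions.

```python
"""Added example (not from the original article): correlate two constructed
log sources to answer Who, What, Where and How about a user's activity."""
from collections import defaultdict

# Constructed sample log lines, not real data: a VPN/auth log and a file-access log.
AUTH_LOG = """\
2024-03-04T08:01:12Z auth user=alice src=10.20.30.7 result=success
2024-03-04T08:03:45Z auth user=bob src=198.51.100.23 result=success
2024-03-04T08:04:02Z auth user=carol src=10.20.30.9 result=failure
"""
ACCESS_LOG = """\
2024-03-04T08:05:10Z access user=alice path=/finance/q1.xlsx action=read
2024-03-04T08:06:51Z access user=bob path=/hr/payroll.csv action=download
2024-03-04T08:07:30Z access user=bob path=/hr/salaries.csv action=download
"""
CORPORATE_NETS = ("10.",)                   # assumption: 10.0.0.0/8 is the office network
SENSITIVE_PREFIXES = ("/hr/", "/finance/")  # assumption: the data that matters most

def parse(log_text):
    """Parse 'timestamp source key=value ...' lines into dicts."""
    events = []
    for line in log_text.splitlines():
        ts, source, *fields = line.split()
        ev = {"ts": ts, "source": source}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events

def correlate(auth_text, access_text):
    """Join each successful login (Who/Where) with that user's data access (What/How)."""
    where = {ev["user"]: ev["src"] for ev in parse(auth_text) if ev["result"] == "success"}
    report = defaultdict(list)
    for ev in parse(access_text):
        src = where.get(ev["user"], "no-login-seen")
        external = not src.startswith(CORPORATE_NETS)
        sensitive = ev["path"].startswith(SENSITIVE_PREFIXES)
        report[ev["user"]].append({
            "what": ev["path"], "how": ev["action"], "where": src,
            # Neither log alone shows this: sensitive data touched from outside the office.
            "review": external and sensitive,
        })
    return dict(report)

def users_to_review(report):
    """Users with at least one access worth a second look."""
    return sorted(u for u, rows in report.items() if any(r["review"] for r in rows))

if __name__ == "__main__":
    for user, rows in correlate(AUTH_LOG, ACCESS_LOG).items():
        print(user, rows)
```

The point is the join, not the rule: the access log says what was read, the auth log says from where, and only together do they answer the question the strategy asks.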
Diagramming for visibility
The unsexy side of visibility—the side where you’ve moved past its buzzword popularity in the marketplace—starts with documentation. Visibility means bringing clarity to your IT infrastructure and data pipeline and, tedious as it sounds, means charting or diagramming your systems and their interconnectivity.
You may have a deer-in-the-headlights look right now. That’s okay, you’re not alone. Clients often have that look when asked about their systems’ flowchart. Because almost no one has a diagram. And if they do, it’s outdated, they can’t find it, or it’s been somebody’s pet project and may or may not be accurate.
It’s a Herculean task and one that is never done and almost impossible to keep current. With that in mind, consider diagramming current initiatives or projects under consideration. Draw a picture including everything touching the system, product or problem that you are working to solve.
It’s essential to include the user in this flowchart. After this exercise, you should know what data the user interacts with, how data of all types moves through your system, and the location of relevant logs. This helps you focus on solving the issue at hand while respecting your internal or external customers’ needs and gives you an understanding of whether visibility or complexity are improved or worsened.
Visibility from a solution
Without a current, comprehensive, digestible diagram of your ecosystem, the next best alternative is optimized visibility capabilities delivered as part of your security stack. The right option should bring data and logs from multiple security solutions into a single dashboard that uses analytics, visualizations and correlation of this data to help you quickly gain a big-picture view of the security of your environment.
While data and users move easily between cloud and on-prem environments, bridging the two can make security challenging. Look for a solution that helps you monitor and secure your data and users across your IT infrastructure, from cloud to on-prem, so you have the end-to-end visibility you need to reduce, detect and respond to security threats faster and easier.
Choosing a visibility solution
Visibility comes in several flavors in the security marketplace, so understanding the problem you need to solve becomes critical in selecting the visibility features you need. By better understanding visibility and its role in securing your project, system or application, you can better focus on the result you are looking for, rather than relying on vendors’ marketing messages.
Remember to treat visibility as a strategy for improving security, rather than a product feature. Cybersecurity offers plenty of real problems to solve and it’s valid to look for ways to improve but avoid being driven by vendor messaging. Fear, uncertainty and doubt (FUD) may drive lots of product sales, but it won’t work in your favor if you select a tool based on visibility alone.
Visibility should be part of the conversation when building your security stack. Make sure you understand how each tool in consideration fits into your visibility strategy. Asking these questions can help:
- What logs are created?
- How well does the solution track itself?
- How well does it maintain security?
- How will this tool be used?
- Does it fit into your visibility strategy?
Getting security visibility right
Developing a visibility plan is a big ask but the results matter. Get it right and you’re an IT hero; get it wrong and you’re the scapegoat. To gain another set of eyes to ensure that your visibility strategy aligns with your goals or for a different perspective, work with a trusted technology advisor or consultant.