It’s impossible to ignore shrdlu’s posts; they’re entertaining and truthful. For instance:
They assume that security staff actually have CONTROL over their systems.
Most products are predicated on this assumption—here, just install this agent and you’re done. Put this on the single choke point in your network and you’re done. Just whitelist what users can install and you’re done.
I’ve always been unable to explain how larger organizations can implement some of these things (I’ve worked in SMBs). You have one choke point? Hell, even I have at least 4, not counting the other networks I would have to consume span ports for. That’s either costly or a gigantic mess. You have the ability to install and/or configure things? I do, but I know that if one mistake cuts into availability, I get reamed. When you work in both operations and security roles, you learn quickly which one is more important! My guess is that enterprises don’t do these things well at all, as I would expect; they just have the budgets to throw money at the issues and enough management layers to spread the pain and BS.
As shrdlu mentions, it’s not at all surprising that the more “successful” security products are the ones that watch the network or require the least pain (read: involvement by anyone else) overall. This is why I’m a very, very, very strong believer in Network Security Monitoring and perimeter control as always being important for security.
Oh, the title of this post alludes to the question of what role security should have. Should it just be a SOC with no control or administration rights? Or should they be veritable corporate gods? In my opinion, it should be far toward the latter. They may not always get their way, but they should be empowered to straighten crooked paths.