
Charles Leaver – Never Allow Operational Issues To Become Problems For Security

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

 

Return to Fundamentals With Hygiene And Avoid Serious Problems

When you were a kid you were taught that brushing your teeth properly and flossing would avoid the need for costly crowns and root canal treatments. Basic hygiene is far easier and far less expensive than neglect and disease. The same lesson applies in the world of enterprise IT: we can run a sound operation with proper endpoint and network hygiene, or we can deal with mounting security problems and devastating data breaches as lax hygiene extracts its heavy toll.

Operational and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we have created here at Ziften offer analytic insight into system operation across the enterprise endpoint population. They also offer endpoint-derived network operation insights that considerably expand on wire visibility alone and extend into cloud and virtual environments. These insights benefit both operations and security teams in substantial ways, given the significant overlap between operational and security concerns:

On the security side, EDR tools supply critical situational awareness for incident response. On the operational side, EDR tools provide essential endpoint visibility for operational control. Critical situational awareness demands a baseline understanding of endpoint population operating norms, and that same understanding facilitates proper operational control.

Another way to express these interdependencies is:

You can’t secure what you do not manage.
You can’t control what you don’t measure.
You cannot measure what you do not track.

Managing, measuring, and tracking have as much to do with the security role as with the operational role, so do not try to split the baby. Management implies adherence to policy, that adherence needs to be measured, and operational measurements make up a time series that must be tracked. A few sporadic measurements of a critical dynamic time series lack interpretive context.

Tight security does not compensate for lax management, nor does tight management compensate for lazy security. [Read that again for emphasis.] Mission execution imbalances here lead to unsustainable ineffectiveness and scaling challenges that undoubtedly result in major security breaches and operational shortfalls.

Where The Areas Overlap

Substantial overlaps between operational and security issues include:

Configuration hardening and standard images
Group policy
Cloud management and application control
Network management, including segmentation
Data security and encryption
Asset management and device restore
Mobile device management
Log management
Backup and data restore
Vulnerability and patch management
Identity management
Access management
Continual employee cyber awareness training

For instance, asset management and device restore, as well as backup and data restore, are likely operations team responsibilities, but they become significant security problems when ransomware sweeps the enterprise, bricking all devices (not just the typical endpoints, but any network-connected devices such as printers, badge readers, security cameras, network routers, medical imaging devices, industrial control systems, etc.). What would your enterprise response time be to reflash and refresh all device images from scratch and restore their data? Or is your contingency plan to promptly stuff the attackers' Bitcoin wallets and hope they have not exfiltrated your data for further extortion and monetization? And why would you offload your data restoration duty to a criminal syndicate, blindly trusting in their perfect data restoration integrity? It makes absolutely no sense. Operational control responsibility rests with the enterprise, not with the attackers, and may not be shirked. Carry out your duty!

For another example, standard image construction using best-practice configuration hardening is plainly a joint responsibility of operations and security personnel. In contrast to ineffective signature-based endpoint protection platforms (EPP), which all large enterprise breach victims have long had in place, configuration hardening works, so bake it in and continually refresh it. Also consider the needs of business personnel whose job function requires opening unsolicited email attachments, such as resumes, invoices, legal notices, or other required documents. This should be done in a cloistered virtual sandbox environment, not on your production endpoints. Security staff will make these decisions, but operations personnel will be imaging the endpoints and supporting the workers. These are shared duties.

Overlap Example:

Detonate in a safe environment. Don't use production endpoints for opening unsolicited but necessary email documents, such as resumes, invoices, legal notices, etc.

Concentrate Limited Security Resources on the Tasks Only They Can Carry Out

Most large enterprises are challenged to successfully staff all their security roles. Left unaddressed, deficiencies in operational effectiveness will burn out security staff so rapidly that security functions will always be understaffed. There won't be enough fingers on your security team to plug the multiplying holes in the security dike that lax or neglectful endpoint, network, or database management produces. And it will be less difficult to staff operational roles than to staff security roles with talented experts.

Transfer routine, formulaic activities to operations personnel. Concentrate limited security resources on the tasks only they can carry out:

Staffing of the Security Operations Center (SOC)
Preventative penetration testing and red teaming
Reactive incident response and forensics
Proactive attack hunting (both external and insider)
Security oversight of overlapping operational roles (ensure a current security mindset)
Security policy development and stakeholder buy-in
Security architecture/tools/methodology design, selection, and development

Enforce disciplined operations management and focus limited security resources on critical security roles. Then your enterprise may avoid letting operations issues fester into security problems.