Daily Archives: February 20, 2017

Charles Leaver – How You Can Prevent Operational Issues Becoming Security Problems

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver


Get Back To Fundamentals With Hygiene And Avoid Serious Problems

As a child you were taught that brushing and flossing properly prevents the need for pricey crowns and root canal procedures. Basic hygiene is far simpler and far cheaper than neglect and disease. The same lesson applies in the realm of enterprise IT: we can run a sound operation with proper endpoint and network hygiene, or we can deal with mounting security issues and disastrous data breaches as lax hygiene takes its toll.

Operational and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we have created here at Ziften provide analytic insight into system operation across the enterprise endpoint population. They also provide endpoint-derived insight into network operation that substantially expands on wire visibility alone and extends into cloud and virtual environments. These insights benefit both security and operations groups in significant ways, given the considerable overlap between operational and security concerns:

On the security side, EDR tools supply important situational awareness for incident response. On the operational side, EDR tools offer essential endpoint visibility for operational control. Critical situational awareness requires a baseline understanding of the operating norms of the endpoint population, and that understanding in turn facilitates appropriate operational control.

Another way to describe these interdependencies is:

You can’t secure what you do not manage.
You can’t manage what you do not measure.
You cannot measure what you do not monitor.

Managing, measuring, and monitoring have as much to do with the security role as with the operational role; do not try to split the baby. Management means adherence to policy, that adherence must be measured, and operational measurements form a time series that must be monitored. A few sparse measurements of a critical, dynamic time series lack interpretive context.

Tight security does not make up for lax management, nor does tight management make up for lax security. [Read that once more for emphasis.] Execution imbalances here lead to unsustainable inefficiencies and scaling difficulties that inevitably cause major security breaches and operational shortfalls.

Where The Areas Overlap

Substantial overlaps between operational and security issues include:

Configuration hardening and standard images
Group policy
Cloud management and application control
Network segmentation and management
Data security and file encryption
Asset management and device restore
Management of mobile devices
Management of logs
Backups and data restore
Vulnerability and patch management
Identity management
Access management
Continuous employee cyber awareness training

For instance, asset management and device restore, along with backup and data restore, are likely operations team responsibilities, but they become major security problems when ransomware sweeps the network, bricking all devices (not just the typical endpoints, but any network-connected devices such as printers, badge readers, security cameras, network routers, medical imaging devices, industrial control systems, and so on). What would your enterprise response time be to reflash and refresh all device images from scratch and restore their data? Or is your contingency plan to promptly fill the attackers’ Bitcoin wallets and hope they haven’t exfiltrated your data for further extortion and monetization? And why would you offload your data restore responsibility to a criminal syndicate, blindly trusting in their perfect data restoration integrity? That makes absolutely zero sense. Responsibility for operational control rests with the business, not with the attackers, and may not be shirked. Shoulder your responsibility!

For another example, standard image construction using best-practice configuration hardening is clearly a joint responsibility of operations and security staff. In contrast to ineffective signature-based endpoint protection platforms (EPP), which all large enterprise breach victims have long had in place, configuration hardening works, so bake it in and continually refresh it. Also consider the needs of business personnel whose job function requires opening unsolicited email attachments, such as resumes, invoices, legal notifications, or other required files. This should be done in a cloistered virtual sandbox environment, not on your production endpoints. Security staff will make these decisions, but operations personnel will be imaging the endpoints and supporting the staff members. These are shared responsibilities.

Example Of Overlap:

Use a safe environment to detonate. Do not use production endpoints for opening unsolicited but necessary email files, like resumes, invoices, legal notices, etc.

Focus Limited Security Resources on the Tasks Only They Can Perform

Many large businesses struggle to fully staff all their security roles. Left unaddressed, deficiencies in operational effectiveness will burn out security staff so quickly that security roles will always be understaffed. There will not be enough fingers on your security team to plug the multiplying holes in the security dike that lax or inattentive endpoint, network, or database management creates. And it will be easier to staff operational roles than to staff security roles with skilled experts.

Offload routine, formulaic activities to operations personnel. Concentrate limited security resources on the jobs only they can perform:

Staffing of the Security Operations Center (SOC)
Preventative penetration testing and red teaming
Reactive incident response and forensics
Proactive attack hunting (both external and insider)
Security oversight of overlapping operational roles (ensuring a current security mindset)
Security policy development and stakeholder buy-in
Security architecture/tools/methodology design, selection, and advancement

Enforce disciplined operations management and focus limited security resources on critical security roles. Then your business may avoid letting operational issues fester into security issues.