Charles Leaver – Prevent Security Issues That Stem From Operational Problems

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Return to Basics With Hygiene And Avoid Serious Problems

When you were a kid you will have been taught that brushing your teeth effectively and flossing will avoid the need for costly crowns and root canal procedures. Fundamental hygiene is way much easier and far less expensive than neglect and disease. This same lesson is applicable in the world of enterprise IT – we can run a sound operation with appropriate endpoint and network health, or we can deal with mounting security issues and dreadful data breaches as lax health extracts its burdensome toll.

Functional and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we develop here at Ziften supply analytic insight into system operation throughout the enterprise endpoint population. They also offer endpoint derived network operation insights that substantially broaden on wire visibility alone and extend into cloud and virtual environments. These insights benefit both operations and security teams in considerable ways, provided the substantial overlap between functional and security concerns:

On the security side, EDR tools offer important situational awareness for event response. On the operational side, EDR tools provide important endpoint visibility for operational control. Critical situational awareness requires a baseline comprehension of endpoint population running norms, which understanding facilitates appropriate operational control.

Another way to express these interdependencies is:

You cannot secure what you do not manage.
You cannot manage what you don’t measure.
You cannot measure what you do not track.

Managing, measuring, and tracking has as much to do with the security function as with the operational role, do not aim to divide the child. Management indicates adherence to policy, that adherence must be measured, and operational measurements constitute a time series that must be monitored. A couple of sparse measurements of important dynamic time series lacks interpretive context.

Tight security does not make up for lax management, nor does tight management make up for ineffective security. [Read that again for focus.] Objective execution imbalances here result in unsustainable inadequacies and scale challenges that inevitably lead to major security breaches and functional deficiencies.

Overlap Areas

Substantial overlaps between operational and security issues include:

Configuration hardening and standard images
Group policy
Application control and cloud management
Management of the network including segmentation
Data security and file encryption
Management of assets and device restore
Mobile device management
Log management
Backup and data restore
Patch and vulnerability management
Identity management
Access management
Staff member consistent training for cyber awareness

For instance, asset management and device restore along with backup and data restoration are likely functional group obligations, but they end up being significant security problems when ransomware sweeps the enterprise, bricking all devices (not simply the usual endpoints, but any network attached devices such as printers, badge readers, security cameras, network routers, medical imaging devices, industrial control systems, etc.). Exactly what would your business response time be to reflash and refresh all device images from scratch and restore their data? Or is your contingency strategy to without delay pack the opponents’ Bitcoin wallets and hope they have not exfiltrated your data for additional extortion and money making. And why would you offload your data restore duty to a criminal syndicate, blindly relying on their perfect data restoration stability – makes definitely no sense. Operational control duty rests with the business, not with the attackers, and should not be shirked – shoulder your duty!

For another example, basic image building utilizing best practices setup hardening is clearly a joint duty of operations and security staff. In contrast to inefficient signature based endpoint protection platforms (EPP), which all big enterprise breach victims have long had in place, configuration hardening works, so bake it in and continually revitalize it. Likewise think about the requirements of enterprise staff whose job function needs opening of unsolicited email attachments, such as resumes, billings, legal notices, or other needed documents. This must be performed in a cloistered virtual sandbox environment, not on your production endpoints. Security personnel will make these decisions, but operations personnel will be imaging the endpoints and supporting the employees. These are shared obligations.

Overlap Example:

Use a safe environment to detonate. Don’t utilize production endpoints for opening unsolicited but necessary e-mail documents, like resumes, billings, legal notifications, and so on

Focus Limited Security Resources on the Tasks Just They Can Perform

The majority of big enterprises are challenged to successfully staff all their security functions. Left unaddressed, deficiencies in functional effectiveness will burn out security staff so quickly that security functions will constantly be understaffed. There will not sufficient fingers on your security team to jam in the increasing holes in the security dike that lax or inattentive endpoint or network or database management produces. And it will be less tough to staff operational functions than to staff security roles with gifted analysts.

Offload regular formulaic activities to operations staff. Concentrate limited security resources on the jobs just they can perform:

Staffing of the Security Operations Center (SOC)
Preventative penetration screening and red teaming
Reactive event response and forensics
Proactive attack hunting (both insider and external).
Security oversight of overlapping functional roles (ensure current security mindset).
Security policy advancement and stake holder buy-in.
Security architecture/tools/methodology design, choice, and advancement.

Implement disciplined operations management and focus minimal security resources on important security roles. Then your enterprise may prevent letting operations concerns fester into security problems.