Chuck Leaver – Here Is How To Stop Operational Problems Becoming Security Problems

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver

 

Return to Fundamentals With Hygiene And Avoid Serious Problems

When you were a kid you will have been taught that brushing your teeth properly and flossing will avoid the requirement for expensive crowns and root canal procedures. Basic hygiene is way easier and far cheaper than overlook and illness. This exact same lesson is applicable in the world of business IT – we can run a sound operation with proper endpoint and network health, or we can deal with increasing security problems and disastrous data breaches as lax health extracts its onerous toll.

Functional and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we develop here at Ziften provide analytic insight into system operation throughout the business endpoint population. They also supply endpoint derived network operation insights that considerably broaden on wire visibility alone and extend into virtual and cloud environments. These insights benefit both security and operations teams in considerable ways, provided the significant overlap between operational and security concerns:

On the security side, EDR tools provide critical situational awareness for incident response. On the functional side, EDR tools supply important endpoint visibility for functional control. Crucial situational awareness demands a baseline understanding of endpoint population operating standards, which understanding facilitates appropriate operational control.

Another way to express these interdependencies is:

You cannot protect what you don’t manage.
You can’t manage what you do not measure.
You cannot measure what you do not monitor.

Managing, measuring, and tracking has as much to do with the security function as with the operational role, do not try to split the child. Management means adherence to policy, that adherence must be measured, and functional measurements constitute a time series that need to be monitored. A few sparse measurements of vital dynamic time series lacks interpretive context.

Tight security does not make up for ineffective management, nor does tight management make up for ineffective security. [Check out that once more for focus.] Objective execution imbalances here result in unsustainable inadequacies and scale difficulties that inevitably cause significant security breaches and functional shortages.

Areas Of Overlap

Substantial overlaps between operational and security issues include:

Configuration hardening and basic images
The group policy
Application control and cloud management
Network segmentation and management
Data security and file encryption
Asset management and device restoration
Mobile device management
Log management
Backups and data restoration
Vulnerability and patch management
Identity management
Access management
Staff member continuous cyber awareness training

For instance, asset management and device restore in addition to backup and data restoration are most likely operational group obligations, but they end up being major security headaches when ransomware sweeps the network, bricking all devices (not just the normal endpoints, but any network attached devices such as printers, badge readers, security cameras, network routers, medical imaging devices, industrial control systems, and so on). What would your enterprise response time be to reflash and refresh all device images from scratch and restore their data? Or is your contingency strategy to immediately stuff the assailants’ Bitcoin wallets and hope they have not exfiltrated your data for further extortion and money making. And why would you offload your data restoration responsibility to a criminal group, blindly relying on their perfect data restoration integrity – makes absolutely no sense. Operational control duty rests with the enterprise, not with the attackers, and should not be shirked – shoulder your responsibility!

For another example, basic image construction utilizing best practices configuration hardening is clearly a joint obligation of operations and security staff. In contrast to inadequate signature-based endpoint protection platforms (EPP), which all large enterprise breach victims have long had in place, setup hardening works, so bake it in and continually revitalize it. Also consider the needs of enterprise staff whose job function demands opening of unsolicited email attachments, such as resumes, billings, legal notices, or other required files. This should be carried out in a cloistered virtual sandbox environment, not on your production endpoints. Security staff will make these determinations, however operations personnel will be imaging the endpoints and supporting the employees. These are shared duties.

Example Of Overlap:

Use a safe environment to detonate. Don’t use production endpoints for opening unsolicited however required e-mail files, like resumes, billings, legal notices, and so on

Focus Limited Security Resources on the Tasks Only They Can Perform

The majority of large businesses are challenged to effectively staff all their security roles. Left unaddressed, deficiencies in operational effectiveness will stress out security staff so quickly that security functions will constantly be understaffed. There won’t be enough fingers on your security team to jam in the increasing holes in the security dike that lax or neglectful endpoint or network or database management develops. And it will be less difficult to staff operational roles than to staff security functions with talented experts.

Offload regular formulaic activities to operations personnel. Concentrate minimal security resources on the jobs only they can carry out:

Security Operations Center (SOC) staffing
Preventative penetration screening and red teaming
Reactive occurrence response and forensics
Proactive attack searching (both insider and external).
Security oversight of overlapping operational roles (guarantees present security state of mind).
Security policy development and stake holder buy-in.
Security architecture/tools/methodology design, selection, and advancement.

Impose disciplined operations management and focus restricted security resources on vital security roles. Then your enterprise might prevent letting operations issues fester into security issues.