Don’t Let Issues That Are Operational Lead To Security Headaches – Chuck Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


Get Back To Essentials With Health And Avoid Serious Issues

When you were a child you will have been taught that brushing your teeth properly and flossing will prevent the requirement for pricey crowns and root canal procedures. Basic hygiene is way much easier and far cheaper than overlook and disease. This exact same lesson applies in the realm of enterprise IT – we can run a sound operation with correct endpoint and network health, or we can face increasing security problems and disastrous data breaches as lax hygiene extracts its onerous toll.

Functional and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we have created here at Ziften offer analytic insight into system operation across the business endpoint population. They also supply endpoint derived network operation insights that considerably expand on wire visibility alone and extend into cloud and virtual environments. These insights benefit both operations and security teams in significant ways, given the significant overlap between functional and security issues:

On the security side, EDR tools offer crucial situational awareness for event response. On the functional side, EDR tools offer vital endpoint visibility for functional control. Important situational awareness demands a baseline comprehension of endpoint population running standards, which understanding facilitates appropriate operational control.

Another method to explain these interdependencies is:

You cannot secure what you do not manage.
You cannot manage what you do not measure.
You can’t measure what you do not track.

Managing, measuring, and tracking has as much to do with the security function as with the operational role, don’t aim to divide the infant. Management indicates adherence to policy, that adherence needs to be measured, and operational measurements constitute a time series that need to be monitored. A few sporadic measurements of critical dynamic time series lacks interpretive context.

Tight security does not make up for lazy management, nor does tight management compensate for lazy security. [Read that again for emphasis.] Objective execution imbalances here lead to unsustainable inadequacies and scale difficulties that inevitably cause significant security breaches and operational deficiencies.

Where The Areas Overlap

Substantial overlaps between operational and security problems consist of:

Configuration hardening and basic images
The group policy
Application control and cloud management
Network division and management
Data security and encryption
Management of assets and device restoration
Management of mobile devices
Log management
Backups and data restore
Patch and vulnerability management
Identity management
Access management
Worker continual training for cyber awareness

For example, asset management and device restoration as well as backup and data restore are likely operational group responsibilities, but they become significant security problems when ransomware sweeps the enterprise, bricking all devices (not just the typical endpoints, but any network connected devices such as printers, badge readers, security electronic cameras, network routers, medical imaging devices, commercial control systems, etc.). Exactly what would your business response time be to reflash and refresh all device images from scratch and restore their data? Or is your contingency strategy to immediately stuff the opponents’ Bitcoin wallets and hope they have not exfiltrated your data for more extortion and monetization. And why would you unload your data restoration duty to a criminal group, blindly trusting in their perfect data restoration stability – makes definitely zero sense. Operational control duty rests with the enterprise, not with the opponents, and should not be shirked – shoulder your duty!

For another example, standard image construction using best practices configuration hardening is plainly a joint duty of operations and security staff. In contrast to inefficient signature based endpoint protection platforms (EPP), which all big enterprise breach victims have actually long had in place, setup hardening works, so bake it in and constantly refresh it. Also consider the requirements of enterprise staff whose job function needs opening of unsolicited email attachments, such as resumes, billings, legal notifications, or other needed files. This should be carried out in a cloistered virtual sandbox environment, not on your production endpoints. Security personnel will make these decisions, but operations staff will be imaging the endpoints and supporting the employees. These are shared responsibilities.

Overlap Example:

Detonate in a safe environment. Don’t utilize production endpoints for opening unsolicited but essential e-mail files, like resumes, invoices, legal notices, etc

Concentrate Limited Security Resources on the Tasks Only They Can Perform

Most big enterprises are challenged to effectively staff all their security roles. Left unaddressed, shortages in operational effectiveness will stress out security personnel so quickly that security functions will constantly be understaffed. There won’t sufficient fingers on your security team to jam in the increasing holes in the security dike that lax or neglectful endpoint or network or database management produces. And it will be less challenging to staff operational roles than to staff security roles with talented experts.

Offload routine formulaic activities to operations personnel. Concentrate minimal security resources on the jobs just they can carry out:

Security Operations Center (SOC) staffing
Preventative penetration testing and red teaming
Reactive incident response and forensics
Proactive attack searching (both external and insider).
Security oversight of overlapping operational functions (guarantees current security state of mind).
Security policy development and stake holder buy-in.
Security architecture/tools/methodology design, selection, and advancement.

Implement disciplined operations management and focus restricted security resources on crucial security functions. Then your enterprise might prevent letting operations problems fester into security issues.