Enterprise Security: Over Budget, Over Extended, Under Prepared

Friday, November 11, 2011

Rafal Los


At the Information Security Summit in Cleveland, Ohio, my friend and colleague David Kennedy (CSO of Diebold Corp) presented on a topic that validated much of what I've been saying lately... quite frankly, that was a bit of a relief.

You see, David's a bit of a superstar in the Information Security world... one of the youngest executives I know, with a razor-sharp wit. His presentation today was on how the majority of enterprises are simply not built to thwart targeted attacks.

The average Enterprise Information Security organization keeps increasing capital and operational spending on security... all those blinking lights in the closets and the vast trove of tools generate lots of interesting data, but what gets done with that data?

Furthermore, the more agents we drop onto desktops, laptops and mobile devices, the slower they get and the louder the user backlash.  In reality, how much additional benefit does an enterprise get from each newly deployed agent?  It's tough to tell... but the value doesn't increase the way we'd like.

So now we're faced with a precarious situation.  The technology spend security organizations are making isn't returning the kind of benefit they expect, user backlash is growing, and all the while it's getting harder and harder to manage all these consoles, dashboards, boxes and tools... what to do?!

I think we can all agree the answer isn't more randomly placed technology.  So what then?

I've been starting conversations about Enterprise Security, what it means to organizations in this position, and concepts like ESI (Enterprise Security Intelligence)... all of which contribute to what I think is a higher state of security awareness and responsiveness.

It's not how well you fortify the (virtual) castle walls anymore, since those walls have all but disappeared... but rather how prepared you are for when the enemy shows up inside your keep and starts pilfering your precious assets.

David and I diverge slightly, though: I think post-breach is one of the worst times to think about how you're going to build up a security program for your enterprise, as the decisions made at that time tend to be hasty, poor, and often forced.

When your organization's house is on fire, the pressure's on to put out the fire immediately rather than to worry about long-term sustainability and strategic thinking.  I think the best time to formulate a strategy is pre-breach, when you've got a rational, clear-thinking head on your shoulders.  Unfortunately, that's often the time when you won't have the funds... details, details.

So let's get back to your enterprise, and what you can actually do to protect the company valuables from the invading hordes...

  • As with any battle plan, segment your defensive strategy into risk categories.  General attacks (some of us call this background noise) should get one type of defensive strategy, while focused, targeted attacks need their own.  If you don't have both, you're only defending against someone running a scanner... or that "cloud based compliance scanning service" which runs Nessus against your IP space during a regularly scheduled maintenance window.  Those aren't serious threats, much like the 'viruses' you're stopping with that ancient piece of antivirus software.
  • Treat the strategic, focused attacker differently by focusing more of your attention there.  The mitigation strategy for the focused attacker (or determined hacker) is quite different from the one for nominal threats, and involves first knowing your assets, then being able to clearly understand data movements, users and business processes.  This is often quite difficult, but necessary.
  • Prepare for failure against your targeted attacker.  Once you've made your peace with the fact that the determined attacker will eventually breach your critical assets, you actually feel better and can think clearly about what happens next.  How does your security incident response organization mobilize, what resources and data do you have available at a moment's notice, and how prepared are you to disrupt critical business services to stop the bleeding?  These are all things you not only must plan out, but exercise at regular intervals, like disaster recovery drills.  Anyone who's been through this will agree that planning for incident response and actually surviving a critical situation are completely different animals.
  • Make your security technologies collaborate, as much as possible, as often as possible.  Taking information from your application logs, server diagnostics, network monitoring, anti-malware, and other systems and plugging it into a central system to perform advanced analytics (I'm talking way, way beyond traditional SIEM here) is what will save you.  Think outside the security bubble and incorporate things like access control, application logging and behavioral analysis, and system and network logging to track how users and systems interact with each other, and to spot when deviations occur that warrant your immediate mobilization.
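The cross-source analytics the last bullet calls for, as an added example that is not part of the original post: a small Python script that normalizes three constructed log sources (an SSH auth log, an application audit log, and network flow summaries) into one timeline, attributes flows to users through the auth log, builds a per-user baseline of the resources and hours of day each user normally touches, and escalates only when one user deviates across two or more sources within a short window. The log formats, host addresses, user names, cutoff date and window length are all assumptions made for illustration, not anything from the original page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): an SSH auth log, an application
# audit log and network flow summaries, each in its own format.
AUTH_LOG = [
    "2011-11-07T08:02:11 sshd: accepted password for alice from 10.1.4.23",
    "2011-11-07T08:05:40 sshd: accepted password for bob from 10.1.4.51",
    "2011-11-08T08:01:02 sshd: accepted password for alice from 10.1.4.23",
    "2011-11-10T23:48:19 sshd: accepted password for alice from 10.9.77.8",
]
APP_LOG = [
    "2011-11-07T08:10:00 app=crm user=alice action=read object=customer_list",
    "2011-11-07T08:12:00 app=crm user=bob action=read object=ticket_queue",
    "2011-11-08T08:09:00 app=crm user=alice action=read object=customer_list",
    "2011-11-10T23:52:00 app=hr user=alice action=export object=payroll_master",
]
FLOW_LOG = [
    "2011-11-07T08:15:00 flow src=10.1.4.23 dst=10.2.0.5 dport=443 bytes=12000",
    "2011-11-10T23:55:00 flow src=10.9.77.8 dst=10.2.0.9 dport=445 bytes=380000000",
]
AUTH_RE = re.compile(r"^(\S+) sshd: accepted \w+ for (\w+) from (\S+)$")

def _kv(line):
    """Split '<ts> key=value ...' into (datetime, dict of fields)."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return datetime.fromisoformat(ts), fields

def normalize(auth_lines, app_lines, flow_lines):
    """Merge the sources into one timeline of (ts, user, kind, key)."""
    events, ip_owner = [], {}  # ip_owner: src IP -> user last seen logging in from it
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            ts, user, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
            ip_owner[src] = user
            events.append((ts, user, "login", src))
    for line in app_lines:
        ts, f = _kv(line)
        events.append((ts, f["user"], "app", f"{f['app']}:{f['action']}:{f['object']}"))
    for line in flow_lines:
        ts, f = _kv(line)
        # Flows carry no user; attribute them through the auth log. This join is
        # exactly what a single-source console cannot make.
        events.append((ts, ip_owner.get(f["src"], "unknown"), "flow", f"{f['dst']}:{f['dport']}"))
    return sorted(events)

def build_baseline(events, cutoff):
    """Per (user, kind): the keys and hours of day seen before `cutoff`."""
    base = defaultdict(lambda: {"keys": set(), "hours": set()})
    for ts, user, kind, key in events:
        if ts < cutoff:
            base[(user, kind)]["keys"].add(key)
            base[(user, kind)]["hours"].add(ts.hour)
    return base

def deviations(events, baseline, cutoff):
    """Events at or after `cutoff` that break the user's own baseline."""
    out = []
    for ts, user, kind, key in events:
        if ts < cutoff:
            continue
        b = baseline.get((user, kind), {"keys": set(), "hours": set()})
        reasons = []
        if key not in b["keys"]:
            reasons.append(f"new {kind}: {key}")
        if ts.hour not in b["hours"]:
            reasons.append(f"unusual hour: {ts.hour:02d}")
        if reasons:
            out.append((ts, user, kind, reasons))
    return out

def incidents(devs, window=timedelta(minutes=15)):
    """Escalate when one user deviates in two or more sources inside `window`:
    the cross-source signal that justifies mobilizing the response team."""
    by_user = defaultdict(list)
    for d in devs:
        by_user[d[1]].append(d)
    result = []
    for user, ds in by_user.items():
        for ts, _, _, _ in sorted(ds):
            kinds = {k for t, _, k, _ in ds if ts <= t <= ts + window}
            if len(kinds) >= 2:
                result.append((user, ts, sorted(kinds)))
                break
    return result

def run(cutoff=datetime(2011, 11, 10)):
    """Baseline on everything before `cutoff` (an assumed date), then score what follows."""
    events = normalize(AUTH_LOG, APP_LOG, FLOW_LOG)
    devs = deviations(events, build_baseline(events, cutoff), cutoff)
    return devs, incidents(devs)

if __name__ == "__main__":
    devs, incs = run()
    print(*devs, sep="\n")
    print("incidents:", incs)
```

Run as-is and the three after-hours alice events surface as deviations (a login from a new address, an export from an application she never used, and a flow from that new address to a new destination on port 445), and because they come from three different sources within fifteen minutes they collapse into a single incident. Any one of them alone would remain a deviation for an analyst to review but would not trigger the escalation; that is the difference between a pile of per-tool alerts and a correlated reason to mobilize.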

Remember, bad things will happen.  You will experience a breach, a catastrophic security incident, or a failure of some type... unless you're simply too ignorant to know the difference, in which case I can't help you.

The incident is important, but more important than anything the attacker does is how you, your organization, and your business respond.  Be prepared for the attack, test your response plan, and get real with your Enterprise Security.

Best of luck.

Cross-posted from Following the White Rabbit

K0nsp1racy Very well written article, Raf. I tend to agree with the theory supporting your statements, but question the pragmatism involved with it. With a typical lifespan of a CISO being cited at about 18 months and a depreciation schedule being 3 years or greater, we often have to cobble together solutions based on what someone else did.

I believe the key to forcing the holistic type of security approach you propose with ESI is to demand more from our vendors by way of interoperability. It is no longer a matter of trying to wire endpoint devices to talk with a SIEM. It is about bubbling up the flashing-light solutions into a centralized, consumable, and most importantly, open format that can be displayed according to business logic.