By Al Hartmann

Don’t Let Operational Issues Fester Into Security Problems

Basic Hygiene Avoids Serious Maladies

We’ve all been taught since childhood that we can brush and floss or we can endure root canals and pay for expensive crowns.  Basic hygiene is way easier and far cheaper than neglect and disease.  This same lesson applies in the realm of enterprise IT—we can run a sound operation with proper endpoint and network hygiene, or we can face mounting security problems and disastrous data breaches as lax hygiene extracts its onerous toll.

Operational and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we develop here at Ziften provide analytic insight into system operation across the enterprise endpoint population.  They also provide endpoint-derived network operation insights that significantly expand on wire visibility alone and extend into virtual and cloud environments.  These insights benefit both operations and security teams in substantial ways, given the significant overlap between operational and security concerns:
 

 

On the security side, EDR tools provide critical situational awareness for incident response.  On the operational side, EDR tools provide essential endpoint visibility for operational control.  Critical situational awareness demands a baseline understanding of endpoint population operating norms, which understanding facilitates proper operational control. 

Another way to express these interdependencies is:

You can’t secure what you don’t manage.

You can’t manage what you don’t measure.

You can’t measure what you don’t track.

Managing, measuring, and tracking has as much to do with the security role as with the operational role, don’t try to split the baby.  Management means adherence to policy, that adherence must be measured, and operational measurements constitute a time series that must be tracked.  A few sparse measurements of critical dynamic time series lacks interpretive context.

Tight security does not compensate for lax management, nor does tight management compensate for lax security. [Read that again for emphasis.]  Mission execution imbalances here result in unsustainable inefficiencies and scale challenges that inevitably lead to major security breaches and operational deficiencies.

 

Overlap Areas

Significant overlaps between operational and security issues include:

  • Configuration hardening and standard images
  • Group policy
  • Application control and cloud management
  • Network segmentation and management
  • Data security and encryption
  • Asset management and device restore
  • Mobile device management
  • Log management
  • Backup and data restore
  • Patch and vulnerability management
  • Identity management
  • Access management
  • Employee continual cyber awareness training

For example, asset management and device restore as well as backup and data restore are likely operational team responsibilities, but they become major security headaches when ransomware sweeps the enterprise, bricking all devices (not just the usual endpoints, but any network attached devices such as printers, badge readers, security cameras, network routers, medical imaging devices, industrial control systems, etc.).  What would your enterprise response time be to reflash and refresh all device images from scratch and restore their data?  Or is your contingency plan to promptly stuff the attackers’ Bitcoin wallets and hope they haven’t exfiltrated your data for further extortion and monetization.  And why would you offload your data restore responsibility to a criminal syndicate, blindly trusting in their perfect data restoration integrity—makes absolutely zero sense.   Operational control responsibility rests with the enterprise, not with the attackers, and may not be shirked—shoulder your duty!

For another example, standard image construction using best practices configuration hardening is clearly a joint responsibility of operations and security staff.  In contrast to ineffective signature-based endpoint protection platforms (EPP),  which all large enterprise breach victims have long had in place, configuration hardening works, so bake it in and continually refresh it.  Also consider the needs of enterprise staff whose job function demands opening of unsolicited email attachments, such as resumes, invoices, legal notices, or other required documents.  This must be done in a cloistered virtual sandbox environment, not on your production endpoints.  Security staff will make these determinations, but operations staff will be imaging the endpoints and supporting the employees.  These are shared responsibilities.
 

Overlap Example:

Detonate in a safe environment. Don’t use production endpoints for opening unsolicited but necessary email documents, like resumes, invoices, legal notices, etc.

 

Focus Limited Security Resources on the Jobs Only They Can Perform

Most large enterprises are challenged to effectively staff all their security roles.  Left unaddressed, deficiencies in operational effectiveness will burn out security staff so rapidly that security roles will always be understaffed.  There won’t be enough fingers on your security team to jam in the multiplying holes in the security dike that lax or inattentive endpoint or network or database management creates.  And it will be less difficult to staff operational roles than to staff security roles with talented analysts.

Offload routine formulaic activities to operations staff.  Focus limited security resources on the jobs only they can perform:

  • Security Operations Center (SOC) staffing
  • Preventative penetration testing and red teaming
  • Reactive incident response and forensics
  • Proactive attack hunting (both external and insider)
  • Security oversight of overlapping operational roles (ensure current security mindset)
  • Security policy development and stake holder buy-in
  • Security architecture/tools/methodology design, selection, and evolution

Enforce disciplined operations management and focus limited security resources on critical security roles.  Then your enterprise may avoid letting operations issues fester into security problems.

 

Get the General Here