By Roark Pollock

Managing Risk and Security – Or How to Play Offense AND Defense

“It is clear that organizations are moving toward an “all the time” visibility and control model that allows continuous risk assessments and threat monitoring.” Risk management and security management have long been dealt with as separate functions often performed by separate functional teams within an organization. The recognition of the need for continuous visibility and control across all assets has increased interest in looking for common ground between these disciplines and the availability of a new generation of tools is enabling this effort. This conversation is very timely given the continued difficulty most enterprise organizations experience in attracting and retaining qualified security personnel, or personnel to manage and protect IT infrastructure. A unification of activity can help to better leverage these critical personnel, reduce costs, and help automate response.

Historically, risk management has been viewed as an offensive mandate, and is typically the field of play for IT operations teams. Sometimes referred to as “systems management”, IT operations teams actively perform device state posture monitoring and policy enforcement, and vulnerability management. The goal is to proactively mitigate potential risks. Activities that further risk reduction and that are performed by IT operations include:

Offensive Risk Mitigation – Systems Management

  • Asset discovery, inventory, and refresh
  • Software discovery, usage tracking, and license rationalization
  • Mergers and acquisition (M&A) risk assessments
  • Cloud workload migration, monitoring, and enforcement
  • Vulnerability assessments and patch installs
  • Proactive helpdesk or systems analysis and issue response / repair

On the other side of the field, security management is viewed as a defensive game, and is typically the field of play for security operations teams. These security operations teams are typically responsible for threat detection, incident response, and remediation. The goal is to react to a threat or a breach as quickly as possible in order to minimize impacts to the organization. Activities that fall squarely under security management and that are performed by security operations include:

Defensive Security Management – Detection and Response

  • Threat detection and/or threat hunting
  • User behavior monitoring / insider threat detection and/or hunting
  • Malware analysis and sandboxing
  • Incident response and threat containment / elimination
  • Lookback forensic investigations and root cause determination
  • Tracing lateral threat movements, and further threat elimination
  • Data exfiltration determination

Successful companies, of course, need to play both offense AND defense equally well. This need is driving organizations to recognize that IT operations and security operations need to be as aligned as possible. Thus, as much as possible, it helps if these two teams are playing using the same playbook, or at least working with the same data or single source of truth. This means both teams should strive to use some of the same analytic and data collection tools and methodologies when it comes to managing and securing their endpoint systems. And if organizations rely on the same personnel for both tasks, it certainly helps if those people can pivot between both tasks within the same tools, leveraging a single data set.

Each of these offensive and defensive tasks is critical to protecting an organization’s intellectual property, reputation, and brand. In fact, managing and prioritizing these tasks is what often keeps CIOs and CISOs up at night. Organizations must recognize opportunities to align and consolidate teams, technologies, and policies as much as possible to ensure they are focused on the most urgent need along the current risk and security management spectrum.

When it comes to managing endpoint systems, it is clear that organizations are moving toward an “all the time” visibility and control model that allows continuous risk assessments, continuous threat monitoring, and even continuous performance management.

Thus, organizations need to look for these 3 key capabilities when evaluating new endpoint security investments:

  • Solutions that provide “all the time” visibility and control for both IT operations teams and security operations teams.
  • Solutions that provide a single source of truth that can be used both offensively for risk management, and defensively for security detection and response.
  • Architectures that easily integrate into existing systems management and security tool ecosystems to deliver even greater value for both IT and security teams.

Click here to learn more about how Ziften Zenith can help support both an offensive and defensive security model.

Get the General Here