You Must Prevent Operational Issues Turning Into Security Nightmares – Chuck Leaver

Written By Dr Al Hartmann And Presented By Ziften CEO Chuck Leaver


Return to Essentials With Health And Avoid Serious Problems

When you were a kid you will have been taught that brushing your teeth effectively and flossing will prevent the requirement for costly crowns and root canal treatments. Fundamental health is way simpler and far cheaper than disregard and illness. This very same lesson applies in the realm of enterprise IT – we can run a sound operation with proper endpoint and network hygiene, or we can deal with increasing security issues and dreadful data breaches as lax health extracts its burdensome toll.

Operational and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we have created here at Ziften provide analytic insight into system operation throughout the business endpoint population. They also provide endpoint-derived network operation insights that substantially broaden on wire visibility alone and extend into cloud and virtual environments. These insights benefit both operations and security teams in substantial ways, provided the considerable overlap between operational and security issues:

On the security side, EDR tools supply crucial situational awareness for event response. On the operational side, EDR tools offer essential endpoint visibility for operational control. Important situational awareness requires a baseline understanding of endpoint population running standards, which comprehending facilitates proper operational control.

Another method to express these interdependencies is:

You can’t secure what you do not manage.
You cannot control what you don’t measure.
You can’t measure what you don’t track.

Managing, measuring, and monitoring has as much to do with the security role as with the functional role, don’t aim to divide the infant. Management suggests adherence to policy, that adherence needs to be determined, and operational measurements constitute a time series that need to be monitored. A few sporadic measurements of crucial dynamic time series lacks interpretive context.

Tight security does not make up for ineffective management, nor does tight management compensate for lax security. [Read that again for focus.] Objective execution imbalances here lead to unsustainable inadequacies and scale challenges that inevitably cause significant security breaches and operational deficiencies.

Where The Areas Overlap

Considerable overlaps between functional and security issues include:

Setup hardening and basic images
Group policy
Cloud management and application control
Network division and management
Data security and encryption
Management of assets and device restore
Mobile device management
Management of logs
Backup and data restore
Vulnerability and patch management
Identity management
Management of access
Employee continuous cyber awareness training

For instance, asset management and device restoration in addition to backup and data restoration are likely operational team responsibilities, but they end up being major security problems when ransomware sweeps the network, bricking all devices (not just the usual endpoints, however any network attached devices such as printers, badge readers, security video cameras, network routers, medical imaging devices, commercial control systems, etc.). What would your enterprise response time be to reflash and revitalize all device images from scratch and restore their data? Or is your contingency strategy to without delay stuff the hackers’ Bitcoin wallets and hope they haven’t exfiltrated your data for further extortion and money making. And why would you unload your data restoration obligation to a criminal syndicate, blindly relying on their best data restoration integrity – makes definitely no sense. Functional control obligation rests with the enterprise, not with the hackers, and may not be shirked – shoulder your responsibility!

For another example, basic image construction using finest practices setup hardening is clearly a joint responsibility of operations and security staff. In contrast to ineffective signature based endpoint protection platforms (EPP), which all large business breach victims have long had in place, setup hardening works, so bake it in and constantly revitalize it. Also consider the needs of business personnel whose job function needs opening of unsolicited email attachments, such as resumes, billings, legal notifications, or other required files. This must be done in a cloistered virtual sandbox environment, not on your production endpoints. Security personnel will make these decisions, but operations staff will be imaging the endpoints and supporting the employees. These are shared duties.

Overlap Example:

Detonate in a safe environment. Do not utilize production endpoints for opening unsolicited but essential email files, like resumes, invoices, legal notifications, etc

Focus Limited Security Resources on the Tasks Just They Can Perform

The majority of large enterprises are challenged to effectively staff all their security functions. Left unaddressed, shortages in operational effectiveness will stress out security staff so rapidly that security functions will constantly be understaffed. There will not sufficient fingers on your security team to jam in the increasing holes in the security dike that lax or inattentive endpoint or network or database management produces. And it will be less challenging to staff operational roles than to staff security roles with skilled analysts.

Transfer regular formulaic activities to operations staff. Concentrate restricted security resources on the jobs just they can carry out:

Staffing of the Security Operations Center (SOC)
Preventative penetration testing and red teaming
Reactive occurrence response and forensics
Proactive attack hunting (both insider and external).
Security oversight of overlapping operational functions (making sure existing security mindset).
Security policy advancement and stake holder buy-in.
Security architecture/tools/methodology design, selection, and advancement.

Enforce disciplined operations management and focus restricted security resources on vital security roles. Then your business might prevent letting operations issues fester into security problems.