April EventSource Newsletter
By Mike Rothman
The Quick Win: Showing immediate value from Security Management
Last month we spoke about the 5 W’s of security management, delving into what you are truly trying to accomplish through a security management project. Far too many initiatives fail because there isn’t adequate focus on why, who, what, where, and when. Now that you’ve (presumably) gotten funding and are in the initial stages of implementation, we are going to focus on getting a quick win.
Why is a quick win important? For the simple reason that security management is hardly tangible, especially to those that write the checks. You (as the administrator) can certainly speak of how the new platform makes you more efficient and effective until you are blue in the face. Since the security management platform is unlikely to directly result in your organization selling more product, or even spending less money – the executives just don’t want to hear about it.
Thus we need to provide substantial evidence – proof of an emerging attack that you headed off at the pass, or an investigation that was greatly accelerated with more comprehensive data – that the implementation helped you do something that wouldn’t have been possible without the security management platform.
The first step is to install the product and let it run. Yes, just let it run for a while to gather data, which will provide a baseline for all the analysis to come. This can be hard because most folks want to instantly start doing, but without a firm idea of what’s going on, it’s hard to make sure you are focusing on the right stuff.
To determine the “right stuff,” look at the data with a critical eye. A bunch of things will become apparent during the first few days or weeks of monitoring the logs and other security information. Make sure to ask a bunch of questions of the data. Has there been a breach? Are traffic flows and inbound attacks as you expected? We are looking for the surprises coming out of the data, which will then give us an idea of what could be a quick win.
I know that isn’t a lot of direction, but you’ll know an issue when you see it. Basically, you’ll be scratching your head and wondering how that could be happening. You’ll figure the data is just wrong. Maybe an employee is running an externally accessible web server on his/her desk. Or perhaps some of your employees are sending email directly from their devices (as opposed to through your email server). Or maybe you have 50 wireless access points you had no idea about.
It could be anything, and it will be surprising.
If some of the things you have been watching just seem too hard to believe, then you should investigate immediately. One of the quickest wins you can get is to identify compromised machines (that your AV product somehow missed) or rogue devices on the network. These can be the most dangerous of issues, so being able to detect and remove these unauthorized devices can provide a huge, tangible value almost immediately. This is the stuff I’ll call low hanging fruit. You’ll pick it and you’ll eat well for a little while.
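As an added illustration (not from the newsletter or any particular product), here is the kind of baseline check that surfaces two of the surprises described above: workstations sending mail straight to the internet instead of through the mail server, and desktops answering web requests from outside. The inventory of approved hosts, the address ranges and the flow records are all constructed for the example.

```python
"""Compare observed flow records against an inventory of hosts that are
supposed to relay mail or serve web traffic, and report the internal hosts
that fall outside that baseline. Everything below is constructed sample data."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: the only systems expected to send SMTP outbound
# or accept web connections from the internet.
APPROVED_MAIL_RELAYS = {"10.0.0.25"}
APPROVED_WEB_SERVERS = {"10.0.0.80"}
INTERNAL_NET = ip_network("10.0.0.0/8")
WEB_PORTS = {80, 443}

# Constructed flow records: (source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    ("10.0.0.25", "203.0.113.10", 25),    # mail relay sending mail: expected
    ("10.0.3.14", "198.51.100.7", 25),    # workstation sending mail directly
    ("10.0.3.14", "198.51.100.8", 25),
    ("203.0.113.55", "10.0.0.80", 443),   # public web server: expected
    ("203.0.113.56", "10.0.7.21", 80),    # internet client reaching a desktop
    ("10.0.3.14", "10.0.0.80", 443),      # internal browsing: not a surprise
]


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL_NET


def find_surprises(flows):
    """Return {host: reason} for internal hosts behaving outside the baseline."""
    direct_mail = defaultdict(int)
    surprises = {}
    for src, dst, port in flows:
        # Outbound SMTP from anything that is not an approved relay
        if port == 25 and is_internal(src) and not is_internal(dst) \
                and src not in APPROVED_MAIL_RELAYS:
            direct_mail[src] += 1
        # Inbound web traffic to an internal host that is not a known server
        if port in WEB_PORTS and is_internal(dst) and not is_internal(src) \
                and dst not in APPROVED_WEB_SERVERS:
            surprises[dst] = f"serves web traffic to the internet on port {port}"
    for host, count in direct_mail.items():
        surprises[host] = f"opened {count} SMTP connections directly to external hosts"
    return surprises


if __name__ == "__main__":
    for host, reason in sorted(find_surprises(SAMPLE_FLOWS).items()):
        print(f"{host}: {reason}")
```

Each flagged host is a lead to investigate, not a verdict; the approved lists are the part you maintain as the baseline matures.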
Keep in mind what’s important
Every security professional should have a good idea of what is most important in their environment. You know, the systems that are most critical – where downtime results in someone being fired. This will allow you to prioritize the issues you find from your initial analysis of the data. Sadly enough, you will probably find more stuff wrong than you can fix immediately. Thus you need to use this filter of “what’s important” to guide your first set of actions.
Remember fixing a low profile system will not provide sufficient value to provide a quick win. This is where some tough decisions need to be made. What is the single most important issue to address based on the data generated by the security management platform?
Fix it (and then claim victory)
Once you determine which issue to focus on, now jump into action. Maybe it’s taking those rogue devices off the network. It could be re-imaging a device that’s been turned into a bot. Maybe it’s working with HR and the General Counsel to begin investigating a case of corporate espionage. It doesn’t really matter what it is, as long as it is sufficiently high profile to get the attention of the folks that pay the bills.
Once the issue has been remediated, don’t forget to thump your chest a bit. No one is going to do it for you, so make it very clear how the issue was found, isolated, and fixed. Also be sure to highlight the new security management platform’s critical role in the successful resolution of the issue.
I know a lot of security professionals are not comfortable banging the drum and highlighting their victories. If you liked to do that you would have gone into sales, right? The fact is the role of a security professional moving forward is to influence, not necessarily to do everything themselves.
Increasingly our resources will be within the technology operational groups (networks, data center, applications), so we all need to become more adept at “marketing.” You may not like this aspect of the job, but you don’t have a choice.
Success is a journey, not a destination
As much as we’d like to think there is light at the end of the tunnel, the bad guys are always coming up with new ways to shred our defenses. We live in a dynamic and complicated world. Thus, we must always keep our guard up and we have to be paying attention and looking for the imminent threats.
The quick win helps us continue the battle and get more funding for the critical projects we need to improve our defenses. Our long-term success hinges on remembering to focus on the most important systems and making sure they are protected.
Our job is never done, but by leveraging the data gathered by our security management platform, always focusing on trying to REACT FASTER to potential issues, and communicating our victories – you can not only be an effective security professional, you can be perceived as an effective security professional.
For Robert Sheridan K. Smith, the key to achieving and sustaining Sarbanes-Oxley (SOX) compliance is automation. As an IT manager for Arch Reinsurance Ltd., in Bermuda, a publicly held company that provides specialty property and casualty reinsurance, Smith has deployed data center automation tools wherever possible to help his company meet SOX requirements. “Given our limited staff and resources,” Smith said, “it would be very difficult to sustain SOX compliance if we didn’t use automation in our data centers.”
Autoscribe selects EventTracker for meeting PCI Compliance
“Selecting EventTracker was an obvious choice. It came with a number of pre-built reports specifically mapped to PCI requirements and as an added bonus, provided us with both Event Management and Change Management capabilities. This allowed us to not only comply with section 10, which describes log data monitoring and reporting requirements, but also section 11, which details requirements relating to monitoring changes on critical systems.”