Which security functions outsource poorly and which outsource well

By A.N. Ananth

The IT security industry’s skill shortage is a well-worn topic. Survey after survey indicates that a lack of skilled personnel is a critical factor in weak security posture. If the skills are not available in your organization then you could: a) ignore the problem and hope for the best, or b) get help from the outside. Approach “a” is simply a dereliction of duty, and approach “b” has some negative connotations associated with the word “outsource”. It throws up images of loss of control and misaligned priorities.

As a service provider, we agree, and prefer to describe our SIEMphonic services as co-sourcing. Is it a panacea? Not really. Nothing is ever a silver bullet. There are security functions that do well when co-sourced, and then there are those that really must be performed internally. How do you know which is which?

This opinion from a Gartner Analyst breaks down defines defense as requiring deep knowledge of what to defend and how to defend. The former requires detailed knowledge of your IT environment, business processes, assets, systems, application, personnel, company culture, mission, and other knowledge of your IT, business and culture. The latter requires detailed understanding of threat actors, attacks methods, exploits, attacks, vulnerabilities, security architecture, and other security domain knowledge.

Using the above general guideline as a touchstone, here are two areas that can be done outside:

  • Network Monitoring: It’s a process that requires specific expertise, but is usually far away from the core processes of the company. Most businesses can’t afford to have eyes on the network 24/7. In legacy security environments, customers received a daily list of 12 to 15 events. Now businesses process millions of events, 10 of which will be worth investigating, and eight of which might be false positives. It’s a lot of tedious work to justify allocating to full-time employees.
  • Vulnerability Management: Vendors release updates constantly, and the consequence of not patching internal systems is now painfully clear to Equifax and the victims of WannaCry. Patching is like doing the dishes, a never-ending task, but one that lends itself well to co-sourcing.

Here are two tasks that should remain in-house:

  • Incident Response & Breach Remediation: When a security breach or virus outbreak hits, a third party can alert you to suspicious activity, but they can’t figure out the network design and jump-start remediation. That’s something only your internal engineers can do because they deeply know the network. Remediation is not so much about technical skills as it is about the knowledge of the environment.
  • Security Strategy, Policy, and Architecture: Anything that requires the business judgement of the risk you’re taking cannot be outsourced. Core functions like security strategy, architecture, and policy should be kept in-house, as should the responsibility of managing and executing programs through completion. These functions are all about business risk, and require a knowledge of risk appetite — things that cannot be done by an outside party.

If your organization is affected by skill shortage, then consider co-sourcing. Just be mindful of what does well vs. poorly with this model, and plan accordingly.

EventTracker’s co-sourced solutions can provide your organization with advanced tools, backed by world-class experts that monitor your network 24/7.

Avoid Three Common Active Directory Security Pitfalls

While the threats have changed over the past decade, the way systems and networks are managed have not. We continue with the same operations and support paradigm, despite the fact that internal systems are compromised regularly. As Sean Metcalf notes, while every environment is unique, they all too often have the same issues. These issues often boil down to legacy management of the enterprise Microsoft platform going back a decade or more.

There is also the reality of what we call the Assume Breach paradigm.  This means that during a breach incident, we must assume that an attacker a) has control of a computer on the internal network and b) can access the same resources of legitimate users through recent log on activity.

Active Directory (AD) is the most popular Lightweight Directory Access Protocol (LDAP) implementation and holds the keys to your kingdom. It attracts attackers, as honey attracts bees. There are many best practices to secure Active Directory, but to start, let’s ensure you stay away from common pitfalls. Below are three common mistakes to avoid:

  1. Too many Domain Admins: Active Directory administration is typically performed by a small number of people. Membership in Domain Admins is rarely a valid requirement.Those members have full administrative rights to all workstations, servers, Domain Controllers, Active Directory, Group Policy, etc., by default. This is too much power for any one account, especially in today’s modern enterprise. Unless you are actively managing Active Directory as a service, you should not be in Domain Admins.
  2. Over-permissioned Service Accounts: Vendors have historically required Domain Admin rights for Service Accounts even when the full suite of rights provided is not actually required, though it makes the product easier to test and deploy. The additional privileges provided to the Service Account can be used maliciously to escalate rights on a network. It is critical to ensure that every Service Account is delegated only the rights required, and nothing more. Keep in mind that a service running under the context of a Service Account has that credential in LSASS (protected memory), which can be extracted by an attacker. If the stolen credential has admin rights, the domain may be quickly compromised due to a single Service Account.
  3. Not monitoring admin group membership: Most organizations realize that the number of accounts with admin rights increases on a yearly, if not monthly basis, without ever going down. The admin groups in Active Directory need to be scrutinized, especially when new accounts are added. It’s even better to use a system that requires approval before a new account is added to the group. This system can also remove users from the group when their approved access expires.

By avoiding these pitfalls, and securing Active Directory properly, you are on your way to keeping your “kingdom” safe. But like Thomas Paine said, “Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it.” There are a number of ways to reap the benefits of a secure infrastructure, but there are many intracacies required to make this a reality. Solutions, like SIEMphonic Enterprise, takes on “fatigue” required to with a dedicated 24/7 SOC.

Click here for more details or sign up for a free demo today.

Three myths surrounding cybersecurity

A common dysfunction in many companies is the disconnect between the CISO, who views cybersecurity as an everyday priority, versus top management who may see it as a priority only when an intrusion is detected. The seesaw goes something like this: If breaches have been few and far between then leaders tighten the reins on the cybersecurity budget until the CISO proves the need for further investment in controls. On the other hand, if threats have been documented frequently, leaders may reflexively decide to overspend on new technologies without understanding that there are other, nontechnical remedies to keep data and other corporate assets safe.

Does your organization suffer from any of these?

Myth: More spending equals more security

McKinsey says, “There is no direct correlation between spending on cybersecurity (as a proportion of total IT spending) and success of a company’s cybersecurity program.” Companies that spend heavily but are still lagging behind their peers may be protecting the wrong assets. Ad hoc approaches to funding (goes up when an intrusion is reported, goes down when all is quiet on the western front) will be ineffective in the long term.

Myth: All threats are external

Too often, the very people who are closest to the data or other corporate assets are the weak link in a company’s cybersecurity program. Bad habits — like sharing passwords or files over unprotected networks, clicking on malicious hyperlinks sent from unknown email addresses, etc. — open up corporate networks to attack. In this study by Intel Security, threats from inside the company account for about 43 percent of data breaches. Leaders must realize that they are actually the first line of defense against cyberthreats, which is never the sole responsibility of the IT department.

Myth: All assets are equally valuable

Are generic invoice numbers and policy documents that you generate in-house as valuable as balance sheets or budget projections? If not, then why deploy a one-size-fits-all cybersecurity strategy? Does leadership understand the return they are getting on their security investments and associated trade-offs? Leaders must inventory and prioritize assets and then determine the strength of cybersecurity protection required at each level. McKinsey cites the example of a global mining company that realized it was focusing a lot of resources on protecting production and exploration data, but had failed to separate proprietary information from that which could be reconstructed from public sources. After recognizing the flaw, the company reallocated its resources accordingly.

These three myths are common, but the list goes on…Now it’s time to decide what to do about it. Research is a great start, but time is of the essence. According to a 2017 Forbes survey, 69% of senior executives are already re-engineering their approach to cybersecurity. What’s your next step?

EventTracker reviews billions of logs daily to keep our customers safe. See what we caught recently and view our latest demo.