Joff Thyer //
One of my observations over time in the Information Security market is that the vendors seem to want to solve challenges with appliance point solutions. It is perfectly understandable that people want a piece of the fiscal pie and make a healthy living, but in today’s threat environment this approach is failing.
Mature organizations are naturally looking for solutions because they know from their metrics, and their security operations programs that things are not as healthy as they would like. They are tired of solutions that link their security operations people to a firehose of mostly irrelevant data. In a lot of cases, paying your most talented security analysts more money to keep their eyes glued and focused on log pattern analysis will yield better results than all of the flashy graphics of ten solutions combined.
In the industry it is beyond time for us to insist on security solutions that cross communicate and form a peer partnership / combined strategy. In addition, it is too easy to get carried away by the glowing silver bullet like solutions and forget our security 101’s. For example:
- Do you have an inventory of your hardware assets?
- Do you have an inventory of your software assets?
- Are you logging centrally?
- Do you have good change management control, and metrics?
More to the point, security threats are evolving quickly beyond the appliance solution space. There will not be a single solution that exclusively watches the endpoint and yields the result you are looking for. Solutions will have to adapt to a behavior based approach and be able to take in data from multiple perspectives in a computing environment, from the endpoint to the network and to the various perimeters.
It is high time that organizations start the process of micro-level communications segmentation driven by the rich software based directory structure most environments have and further enabled by interlocking endpoint firewall and network segmentation solutions. It is high time for all of our software in a sophisticated computing environment to cooperate closely, examine heuristics, behaviors, and enforce only legitimate communications.
A great one for XKCD
What do I mean? As an example, what if we have a finance department with Windows 10 deployed desktops. This department users office productivity applications, print and email. In the context of this example, security professional interests in properly architecting and designing for error detection and correction should be:
- Enforce communications from the finance systems to needed server resources, and print resources.
- Prevent direct peer communications between finance and engineering departments for example.
- Lock down the application runtime environment. It is predictable and controllable in the business context.
- Provide whitelisted Internet web resources that finance can connect to, or at minimum enforce categorization of resources through perimeter proxies.
- Upon network connection, use network access control software to properly enforce a “finance” communications profile.
- Employ a belt and suspenders approach by doubling down on the communications enforcement with Windows endpoint firewall configuration.
- Log all event information to a central log source
- Log any/all exceptions that deviate from the deployed communications profile and chase them down in an incident response process.
In short, we all must stop thinking in terms of organizational silos and start the process of architecting / designing for proper error detection, and error correction / response to outliers.
As a consequence, our software, and various human resources must work in a cooperative fashion. LDAP and/or Active Directory must be enabled to drive micro-level network enforcement decisions and link the entire communications profile together from the perspectives of internal network segment, to allowed/permitted Internet resources, and Internet perimeter communications profile.
Our very survival mandates that we move away from reactive solutions to a proactive design for success, and correct failure stance. Staying with an exclusive reactive point solution approach will no longer scale, and will ensure your personnel remain in a fire fighting mode, and will also prevent them from maturing as analysts to deal with the more sophisticated landscape we now face.