Bridging the gap between IT Security & Operations
The divide between the security department and IT operations is hampering efforts that organisations make to protect themselves. Looking back, the IT department existed way before there was a real understanding (or, arguably, a real need) for the level of information security we have today. IT’s mission was to provide the technology tools to make businesses run more efficiently and compete better. That hasn’t changed – if anything, there is more focus than ever on how IT supports the business as a whole – but information security remains a problem.
The problem is that attackers can cross all the boundaries of IT security and operations. Since most companies only worry about the end aspect of the attack lifecycle – malware – by the time attackers start going after servers and data, they’re not hacking anymore: they are leveraging legitimate and often over-privileged accounts that they’ve uncovered to move through the environment in the same way a user would.
The disconnect between security and IT operations means there is not enough visibility and – most importantly – not enough contextual information about what constitutes a real threat. While the security team can invest in all kinds of technology and create processes, the fact is that much of the day-to-day risk management is the responsibility of the IT department and users. If the former are overloaded with other tasks, then security is always in danger of taking a back seat and users often lack the understanding of how some very simple actions (or lack of) can be putting their organisations at risk. Once that foothold is gained, the attacker uses the victim’s access permissions to move laterally through the IT environment.
A vulnerability can result from something as simple as a user going to a website and if the basics around passwords and privilege management haven’t been carried out, the situation is made a lot easier for an attacker.
So what can be done? The good news is that there are some very clear and achievable steps that can be taken, both by the security team and the IT team (ideally working in a more collaborative way), while instigating some clear rules for users.
Limit the damage users can do
Let’s start with preventing intruders: while there is arguably an infinite amount of malware, the ways in which an attacker can get into an organisation are limited and identifiable. There is a whole raft of steps that companies can take to mitigate risk, for example shared accounts, super user accounts, monitoring and analysis of audit logs, controlled access on a need-to-know basis. Something as simple as stopping desktop administrator rights being the ‘norm’ will immediately close off a whole range of potential vulnerabilities.
Research underlines the need to deal with these basics: the 2013 Verizon Data Breach Investigations Report found that 78 per cent of initial intrusions were rated as low difficulty; while according to a recent Ponemon Institute study, 52 per cent of IT practitioners say that their organisations are still assigning privilege user rights beyond the individual’s role.
In my experience – both as a vendor and in-house – many organisations tend towards giving users unnecessary ‘privilege’, while in reality, most of them just don’t need this level of access. Of course, stopping users from being able to configure their own desktops or download apps may mean more calls to the IT helpdesk, but surely that is a better investment of time than dealing with a security attack that is spreading like wildfire not just within the organisation, but maybe to its customers and partners too?
Once users have less potential to cause security breaches, then the work of the IT security team – protecting apps and data, workstations and services, monitoring the network perimeter plus other environments include cloud and mobile – potentially becomes a great deal more effective.
IT operations and security teams also need to work together to analyse and assess what constitutes a real-world risk. Vulnerability management (VM) systems have a very important role, but their results need to be looked at through a lens that provides some context.
For example, let’s imagine a VM system finds 1000 vulnerabilities. In reality, only 200 of those are server-related, so as long as there is good practice around not browsing from servers, the actual threat level is reduced to 800. Then, if on further investigation, the majority of those are related to server-pack update issues, the real threats that need further investigation are only 50.
Suddenly, it is a lot easier to translate the alarming results from the vulnerability management system into something that is feasible to address by the IT operations and security team. And this is the bottom line: these two functions have to work together in order to achieve effective defensive strategies against attackers.
Of course, choosing tools that enable that – vulnerability management, privilege management and risk management software – but the return on these will only be achieved if the company culture and processes also change. While some security threats are over-hyped, others are very real, so organisations need better visibility of these, while at the same time, going back to basics and carrying out simple steps to prevent user-generated risk.
Director of Technical Services
BeyondTrust in EMEA and APAC