The Situational Room by eIQnetworks » security automation

The Best Security Reacts Quickly to Change

John Linkous — Thu, 22 Oct 2009 00:00:19 +0000

I’m certainly not above lifting verbatim research that I believe is helpful to security and compliance practitioners. And the title of this post was lifted from Gartner’s John Pescatore’s post entitled “Who Moved My Soap – The Best Security Reacts Quickly to Change.” Now I could go forth with all sorts of don’t drop the soap in DisneyWorld jokes, but that would obscure the real point, which is not about Pescatore’s hygienic preferences.

Security professionals are not driving the ship. The business folks are. So security folks that are resistant to the ebbs and flows of business will not be successful. We have to face the reality that we (as security professionals) need to adapt our defenses both to the actions of our adversaries, as well as the reality of our businesses. Budgets come and go, projects are re-scoped, and priorities change. That’s business. That’s life. Deal with it.

But you cannot adapt in a vacuum. In order to react quickly (which sounds very similar to my personal REACT FASTER mantra), an organization needs to understand what they are looking for. That means they need to be monitoring as much as they can, establishing what is “normal” in their environment and then watching for what is NOT normal. Things change all the time, but if you don’t know HOW they are changing, there is no way you’ll be able to understand WHY things have changed, and therefore you’ve got no shot to address the issue…before it’s too late.

Oh yeah, did I mention I’m a big fan of security monitoring?

Security Best Practices, Linkous-Style

John Linkous — Fri, 25 Sep 2009 00:00:26 +0000

eIQ’s own security and compliance evangelist John Linkous took some time to step away from his bully pulpit to contribute a list of practices for Linda Musthaler’s Network World column. Although he’s no Jim Bakker, John can sling security fire and brimstone with the best of them. He provides some good food for thought for any security professional. Check it out and be converted.

Management: The Enemy of the State

John Linkous — Tue, 11 Aug 2009 00:00:52 +0000

In digging through my stored bookmarks, I came back across this article in May’s Information Security Magazine where Richard Mackey tackles the idea of automating compliance and how to do it. Gosh, that requires a treatise, but he does a good job summarizing a few key aspects of the process in the article.

First is the concept of knowing what you don’t know, and that’s pretty much about finding the data that is protected and/or private and then tracking access and authorizations for that information. Don’t minimize the amount of work involved in this step. Whether you want to call it “data governance” or anything else, this step has killed many a compliance effort, as well as most of the stand-alone DLP market. But that’s another story for another day.

Second he dives into identity management, since that both enables the tracking of who does what, and also provides the ability to turn up or shut down access quickly and in an automated fashion. Since most organizations are pretty dynamic by nature (meaning people come and go, and customers come and go, and pretty much everything else comes and goes at different times), it’s hard to see how any organization can really substantiate compliance if they don’t have some level of automation underlying their identity infrastructure. This is another good topic, but not what caught my eye about this article.

What I want to focus on is his discussion of “state management,” which is basically configuration and vulnerability management. Though I buy into his idea of this being the third aspect of compliance automation, I think from a security operations standpoint – it’s as important (if not more important) to get this nailed PRIOR to large scale identity projects. Yes, this is part religion and part philosophy, but I still get back to the issue that anecdotally a lot more data is lost because of less than secure configurations and the inability to patch against known exploit code, than provisioning or deprovisioning issues.

I know, I know, compliance REQUIRES that you know who is accessing what and when. And that gets back to one of Richard’s points relative to doing what’s right for security vs. being forced to do what will get the auditor off your back.

Requirements like PCI pretty much require both state and identity management, but there is a lot of variability in what that really means. So, again it gets back to doing what’s right for your business, documenting the policies and being prepared and able to defend them when the auditor challenges you.

And they will. So be ready.

eIQcast, Episode 16 – “The Need for Automation”

John Linkous — Thu, 11 Jun 2009 00:00:00 +0000

As noted in the previous post, the results of spring surveys show that security spending is trending down. While that’s not exactly a surprise, it puts security managers in a pickle. Given the economic situation, how are they to keep their systems secure and compliant, especially since the regulations haven’t changed and the hackers don’t take time off during a recession? That question is the subject of the latest episode of eIQcast, where Ross Levanto interviews eIQnetworks senior vice president of strategy Mike Rothman.

Running time: 10:46

Direct Link: http://eiqcast.podomatic.com/entry/2009-06-11T14_33_26-07_00

eIQcast, Episode 2 – “Security Automation”

John Linkous — Wed, 10 Dec 2008 00:00:35 +0000

In the second eIQcast, John and Mike discuss the need to automate security operations and some of the issues therein. The reality is that attacks have not stopped, but in this kind of macro-economic environment the opportunity to add resources to defend against attacks is limited. Thus we all need to work more effectively and more efficiently, which is what security automation is all about.

Running time: 13:01

Direct Link: http://eiqcast.podOmatic.com/entry/2008-12-10T07_52_11-08_00