Having been at my new company for several months now, this week I was invited to inform executive management about the state of our security. I had half an hour to formally introduce myself and talk about my philosophy, my initial findings and the priorities I think we need to have.
Thirty minutes isn’t much time, of course, and I figured that I should be prepared to talk for just 15 minutes, so that I could give the team time to ask questions. I had to make that quarter of an hour really count.
Before me were the CEO, the CIO, the CFO, the CTO and the vice presidents of sales, marketing, support and operations. I told them that I had been working in security long enough to know what sorts of things work. There’s the principle of least privilege, under which access controls grant each individual only the privileges that he or she actually needs. There’s security awareness and the idea that changing employees’ behavior is one of the most crucial ingredients of strong security. There’s the acknowledgment that we’re only as strong as our weakest link. There’s the all-important realization that security is a process, not a point solution.
Real-world examples helped get my points across. The weak link, for example: I noted that even a large company like Target, with a multimillion-dollar budget, huge security staff and PCI and other industry certifications, could still be breached because its HVAC vendor allowed a PC to be compromised. Employee behavior: I cited many recent breaches that had been caused by one person doing something he shouldn’t have done. Security as a process: I said that we needed technology to help secure the company, but no single device or piece of software can guarantee a secure infrastructure. Security is a product of people, policy, process and technology that, when combined, strengthen our security posture and thus reduce risk.
I was only five minutes in and didn’t mind too much the two minutes I lost when the CEO told a war story.
Next, I needed to give the executives my assessment of our security stance. The assessment, I explained, was based on things like my observations during the new-hire process, a review of existing documentation, security assessments, interviews, business process reviews, and the monitoring of our network.
I spent some time focusing on what we can learn by monitoring the network. We recently conducted a proof of concept of a Palo Alto Networks firewall, which came with all of the cool bells and whistles that can make transparent how our network is being used from a security and risk perspective. I told the group some of what we’ve learned: We have traffic going to and coming from more than 60 different countries. We’re using more than 30 different cloud file storage solutions. Employees are using peer-to-peer software and remote-control software such as LogMeIn, both of which violate our corporate remote-access policy. They’re also using our network to access pornography sites, which is a legal, human resources and security risk. The firewall told us we’re under attack and pinpointed the type of attack being used. It singled out several internal resources that were potentially compromised and communicating with malicious Internet command-and-control sites.
Everyone was certainly paying attention. An awkward silence fell over them, followed by expressions of disbelief that our employees could be engaged in such risky behavior. But the data could not be ignored, and the value of the tool that had made the behavior visible for the first time was clear to all.
This was my chance to jump into my top findings and recommendations. I strongly advocated tightening up the corporate network by segmenting it into security zones, restricting the use of and access to risky applications, and obtaining visibility into threats to our company. That last point was a thinly veiled plea for the funds to purchase a tool that would give us the kind of monitoring we had seen with our Palo Alto proof of concept.
I also recommended arming our PCs with a more advanced endpoint detection capability, tighter group policy and full disk encryption. Finally, I reinforced my belief that technology isn’t the whole story by arguing that changing behavior is essential if we are to avoid falling victim to the types of security breaches we have seen in the news within the past several years. In other words, we need to implement an enterprise-grade security awareness and training program.
So I have made my arguments and presented my concerns. I hope this gets us on the road to better security.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.