As a hopeless techie, I was anxious to see the new cyber drama Mr. Robot. In one of the early scenes, a room full of young, energetic and capable information security analysts were busy working to keep their customers safe from hackers, and not without some challenges.
The reality in the business world today is somewhat different. While a number of enterprises do in fact have security analysts on the team, or use a provider as in the program, most businesses do not even have a dedicated staff member focused on information security. Some of those simply throw money at the problem with appliances and software, hoping that will solve the problem. Others assign an existing team member with the additional responsibility of handling security, but this person often already has a full-time job. For the smaller businesses, this may fall on the office manager/marketing coordinator/IT manager.
Obviously, beyond the enterprises that are able to focus resources on the problem, none of the above scenarios is ideal. As I said in my recent article titled "What defines a mature IT security operation," success in this area requires focus, and is usually not a function of the amount of money spent. The problem gets even worse, however. Even those who are willing to commit funds to dedicated security personnel may not be able to find the people they need. In an article last year on the Security Magazine web site, author Diane Ritchey said of this issue, "The next national security crisis, instead, may be a lack of ability to mitigate or respond to such an attack because frankly, there’s no one available to mitigate the attack or respond to it."
The requirement that some existing IT team take on information security as a dual role will likely be a reality to many for some time. So, if you are in this group, can you make the best of a less-than-ideal situation? I would suggest that it is possible.
If you are such an individual, or manage one, I recommend some version of the following routine daily checklist as a way to stay on top of security threats in a limited amount of time. Again, this approach is not the ideal, and the "one-minute" title is a bit of an exaggeration, but we must continue to function with what we have.
Any success using a limited approach presumes you have implemented basic information security measures. If you are in doubt, I would suggest my 30 Steps to a Secure Organization as a road map. Once you have the basics down, try to include the following items on your daily routine:
Check for today's threats
It is rare for anyone to face a threat that nobody else is aware of. As such, it is important to use one or more of the many resources available, such as IBM's X-Force Exchange, to find out about trending threats. Other examples of such systems include the SANS Institute's Internet Storm Center and US-CERT's National Cyber Awareness System. Make visiting one or more of these the first part of your daily routine, and note any of significance, along with any available information about how to detect them. If they involve vulnerabilities with a patch or work-around, apply those as quickly as practical.
Check your logs
Your next stop should be a walk through your system logs, looking for anything out of the ordinary. As I have said before, this is an almost impossible task without some sort of log consolidation and analysis system. Fortunately, these are readily available, and not extremely expensive. They collect all of your various system and server logs in one place, and provide some analysis of their contents, highlighting areas of particular concern. Examples of such systems include Loggly, a cloud-based subscription service; Splunk, an installed or cloud-based product; and Graylog, an open-source installed system.
As you get in the habit of looking at your logs on a daily basis, it will become easier to spot anomalies quickly.
Choose something to audit
Given that many of our threats come from within, auditing system privileges, firewall rules, router settings, etc. is critical to maintaining tight security. Rather than spending a week periodically auditing every system in sight, I would suggest picking a system, or part of a system, each day and performing a quick check on it. For example, take a look at any of your users with elevated privileges, and make sure they still have a need for such access. This does require some upfront work to establish norms and procedures, but once this is done, you can quickly work through some part of an audit task every day. As an added benefit, a random audit plan can help to thwart those trying to evade the process.
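As an added example (not code from the article), this script shows the kind of quick daily check the log and audit steps above describe: it scans a few constructed sshd/sudo log lines for a burst of failed logins followed by a success from the same source, and compares the accounts that actually used sudo against an assumed approved list. The log lines, the 203.0.113.7 and 192.0.2.10 addresses, and the approved-user list are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in syslog/sshd style; not taken from any real system.
SAMPLE_LOG = """\
Jul 12 06:01:10 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Jul 12 06:01:12 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Jul 12 06:01:15 web1 sshd[2013]: Failed password for root from 203.0.113.7 port 4413 ssh2
Jul 12 06:01:18 web1 sshd[2014]: Failed password for root from 203.0.113.7 port 4414 ssh2
Jul 12 06:01:21 web1 sshd[2015]: Failed password for root from 203.0.113.7 port 4415 ssh2
Jul 12 06:01:30 web1 sshd[2016]: Accepted password for root from 203.0.113.7 port 4416 ssh2
Jul 12 07:15:02 web1 sshd[2100]: Failed password for alice from 192.0.2.10 port 50122 ssh2
Jul 12 07:15:09 web1 sshd[2100]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Jul 12 08:00:00 web1 sudo:  bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+)")

def review_auth_log(text, fail_threshold=5):
    """Return (flagged_ips, suspicious_logins): sources with >= threshold failed
    logins, and successful logins from any such source (failure burst, then success)."""
    failures = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
    flagged = {ip for ip, n in failures.items() if n >= fail_threshold}
    suspicious = [(user, ip) for user, ip in accepted if ip in flagged]
    return flagged, suspicious

def sudo_users(text):
    """Accounts that actually invoked sudo in the log; the day's observed elevated use."""
    return {m.group(1) for m in (SUDO_RE.search(l) for l in text.splitlines()) if m}

def audit_privileged(approved, observed):
    """(users with elevated use who are not approved, approved users who did not use it)."""
    return observed - approved, approved - observed

if __name__ == "__main__":
    flagged, suspicious = review_auth_log(SAMPLE_LOG)
    print("failure-burst sources:", sorted(flagged), "| success after burst:", suspicious)
    unexpected, unused = audit_privileged({"alice", "carol"}, sudo_users(SAMPLE_LOG))
    print("unapproved sudo users:", sorted(unexpected), "| approved but unused:", sorted(unused))
```

Running it on real logs means feeding the day's auth log text to `review_auth_log` and keeping the approved list as the baseline you established up front; anything in the "unapproved" or "success after burst" output is a ticket for the next step.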
Resolve and investigate
If you find something amiss in any of your daily checks, it should go without saying that you should fix it. If it cannot be fixed immediately, some means of tracking the issue to resolution is necessary. This is an excellent use for an incident management system. It can be as simple as an ordinary help desk ticket system, though there are specialized systems designed for this purpose, such as Incident Tracker. Your job does not stop there, however. Like a roof, although you may have plugged the leak, you need to look for resulting damage. If the issue led to infected systems, stolen data, or unauthorized server modifications, you need to find them and fix them. This is the hardest part, and requires good detective skills.
In summary, you would certainly be better served by a full-time information security analyst, or a service provider under contract. Many organizations simply don't think they can afford it however. While not ideal, the above road map will give you a fighting chance to stave off the bad actors.
This article is published as part of the IDG Contributor Network.