When it comes to getting things done we need fewer architects and more bricklayers.

Security in a BOX

Introduction

In today's technology-driven world, a number of emerging trends are redefining the way organisations consume technology.

These macro trends include:

  • The adoption of digital services to improve customer engagement, service, experience and retention.
  • The execution of "cloud first" strategies to improve the total cost of ownership of Information Technology.
  • The promotion of a "sharing economy".

The solution is a set of scalable, flexible, automated, cloud-based integrated security utility services that can easily be commissioned and decommissioned according to the specific needs of an organisation, creating a "box of security capabilities" that can be customised at will.

Common security challenges

Over the years, we have met many clients to discuss the problems they face as an organisation.

While the challenges they list include things like zero-day vulnerabilities, organisational culture and protection of a distributed and mobile workforce, the list also contains many long-standing challenges:

  • Patch Management
  • Poor standardisation of security services
  • Overlapping compliance efforts
  • Measuring the wrong things
  • False sense of third/fourth party security
  • Retaining control over data
  • Optimal Logging
  • Access recertification
  • Tooling-based security strategies

1. Patch Management

Patch management is a critical process in minimising the exposure of an enterprise to vulnerabilities in their information technology systems.

However, the volume of patches, the spread of technologies, the manual effort needed to deploy certain patches and the rigorous operational testing required before deployment can easily overwhelm an organisation.

Combined with the need to schedule service downtime at a time convenient for the business, organisations quickly fall behind the curve.

The net result is that systems drift dangerously far from the latest security updates and remain exposed to vulnerabilities for which a fix already exists.

2. Poor standardisation of security services

The cyber security market, populated by a range of big brand names, is constantly evolving with the latest technologies and is in a perpetual state of change. As organisations adopt various solutions, and have bespoke applications and tools developed independently by different vendors, security experts are quickly overloaded by the sheer number of products that do not integrate with each other and hence require armies of analysts to digest, mine and correlate the information from the various sources.

Safeguarding organisational data in such a fragmented environment is a further challenge when the disparate systems do not integrate with security tooling and multiple products are supported by an array of vendors, each interacting with differing levels of organisational data and differing levels of system access. If organisations cannot obtain meaningful data from these disparate systems, it stands to reason that they are making decisions that do not derive optimal value for the business.

3. Overlapping compliance efforts

A typical medium-sized organisation goes through 3-5 security audits a year. These may be part of financial integrity compliance, regulatory attestation or a client's assurance request. Each audit requires the production of a set of evidence that must then be walked through with an auditor to put it into context.

Whilst heavily regulated industries like Financial Services suffer the most, even a retail organisation can spend millions on PCI DSS and ISO 27001 audits.

The problem lies in the fact that most of the questions in any security audit are the same; what changes slightly is the scope and the depth of the question. Because the internal stakeholders who commission each audit do not communicate with each other, first-line control operations staff are asked to provide the same materials and describe the same documents over and over again, which burns a lot of time and places a strain on people who are already busy with their day-to-day jobs.

4. Measuring the wrong things (misinterpretation)

With the multiple reports in the media of corporate breaches that began with a phishing mail, and the constant phishing campaigns launched by a variety of threat actors, the threat of an employee being phished is at the top of nearly every CISO's mind. One result is the continuous phishing tests that try to trick users into clicking on a link, with the click rate reported as the measure of success. Taking the human factor as a given, some users will always click, so the click rate alone says little about actual exposure. To mitigate the risk of malware infection, the organisation needs to ensure adequate detective controls and a rapid response capability in the Security Operations Centre, and to measure those instead.

5. False sense of third/fourth party security

Whilst an agreement to maintain a minimum security baseline may exist between a service consumer (e.g. a bank) and a provider (e.g. an application outsourcing organisation), the consumer may still be exposed to risk through vulnerabilities in the provider's own supply chain.

With the advance of FinTech, InsureTech and similar compartmentalisation trends outside Financial Services, supply chains are getting more and more complicated. It is no longer enough to manage the risk of third-party suppliers alone; security experts have to look beyond them and think about fourth and fifth parties.

Lacking the resources to perform regular due diligence, organisations rely on vaguely defined ISO 27001 compliance certificates or, worse, self-assessment questionnaires. As anyone who has been on the receiving end of those questionnaires can testify, a self-assessment approach leaves too much room for interpretation, which in turn means one thing for the requesting organisation: a false sense of security.

For example, an organisation commonly outsources certain IT elements to a third party whose sole business model is delivering IT services to its clients at reduced cost. To achieve that and offer a competitive rate, the third party in turn outsources certain elements to dedicated providers, who may do the same again. The consumer's agreed baseline binds only the first link in that chain.

6. Retaining control over data

The need to exchange information with other parties is a central requirement of every organisation's technology estate, and information sharing is actively encouraged under the latest regulations introduced in some countries. Organisations must nevertheless be confident that disclosed information has reached its intended destination, that it still carries the message originally constructed, and that it is only in the hands of those it was destined for. Whenever information is disclosed there is a degree of risk, because the information leaves the organisational boundary and the controls the organisation put in place to protect it no longer apply in full. Information may be sent encrypted, for example, but it must be possible to decrypt it at the destination, so there must be confidence that only those entitled to it hold the means to decrypt and view the message contents.

There are further complexities around the time of access. An organisation might share information now but want to revoke access if the business environment or relationship changes, and that is very difficult to do once the "send" button has been pressed.

7. Optimal logging

The traditional approach to security monitoring has been to consume every available log across the organisation to give security teams the best possible "visibility" of the network. Whilst this approach can be largely successful, it has both constraints and challenges. As the number of interconnected devices across the organisation grows and the tools and techniques of attackers become more sophisticated, the logging required to detect and record every event risks creating a "data swamp" that can overwhelm even the best-staffed security operations centre (SOC).

Managing that swamp also involves many subtasks: investigating the action, checking logs, referencing threat intelligence, administrative work such as sending emails and writing reports, and implementing corrective action, which may mean developing new sets of signatures, updating proxy blacklists or disabling an account.

The balance of optimal logging is a difficult one. Organisations either try to consume every available log and risk overwhelming their SOC team, potentially missing malicious traffic in the noise of event data, or they deliberately constrain their visibility of the network because of the artificial financial pressure imposed by managed security service providers (MSSPs).
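One route between the two extremes, shown here as an added example rather than anything from the original page: collapse repeated low-value events into a single counted record before they reach the SOC, while passing security-relevant events through untouched. The log lines, their field layout and the event tiers below are constructed for the illustration; nothing here is taken from a real collector.

```python
"""Event aggregation as one route to optimal logging.

Added example, not code from the original page. The log lines, their field
layout and the high-value/collapsible tiers are all constructed.
"""
from collections import OrderedDict

# Constructed sample: what a collector might receive in a few seconds.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=445
2024-05-01T10:00:01Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=445
2024-05-01T10:00:02Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=445
2024-05-01T10:00:02Z host7 AUTH_FAIL user=admin src=198.51.100.4
2024-05-01T10:00:03Z fw01 DENY src=203.0.113.9 dst=10.0.0.6 dport=445
2024-05-01T10:00:03Z host7 AUTH_FAIL user=admin src=198.51.100.4
2024-05-01T10:00:04Z host7 AUTH_OK user=admin src=198.51.100.4
2024-05-01T10:00:05Z proxy1 ALLOW src=10.0.0.20 dst=example.com
2024-05-01T10:00:05Z proxy1 ALLOW src=10.0.0.21 dst=example.com
2024-05-01T10:00:06Z host9 PRIV_ESC user=svc_backup target=root
"""

# Event types that must always reach the SOC as individual records (assumed tiers).
HIGH_VALUE = {"AUTH_OK", "PRIV_ESC"}
# High-volume event types that can be collapsed into one counted record.
COLLAPSIBLE = {"DENY", "ALLOW", "AUTH_FAIL"}


def parse(line: str) -> dict:
    """Split '<ts> <host> <event> k=v ...' into a flat dict."""
    ts, host, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": ts, "host": host, "event": event, **fields}


def aggregate(text: str) -> list:
    """Collapse repeats of (host, event, src, dst, user) into one record carrying
    a count and first/last timestamps. High-value events and unknown event
    types are never collapsed, so nothing the SOC must see is dropped.
    A collapsed record keeps the other fields (e.g. dport) of its first event."""
    kept = []
    buckets = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["event"] in HIGH_VALUE or ev["event"] not in COLLAPSIBLE:
            kept.append({**ev, "count": 1, "first": ev["ts"], "last": ev["ts"]})
            continue
        key = (ev["host"], ev["event"], ev.get("src"), ev.get("dst"), ev.get("user"))
        if key not in buckets:
            buckets[key] = {**ev, "count": 0, "first": ev["ts"], "last": ev["ts"]}
        buckets[key]["count"] += 1
        buckets[key]["last"] = ev["ts"]
    return sorted(kept + list(buckets.values()), key=lambda r: r["first"])


def reduction(text: str) -> tuple:
    """(raw line count, records after aggregation) for the volume report."""
    raw = sum(1 for line in text.splitlines() if line.strip())
    return raw, len(aggregate(text))


if __name__ == "__main__":
    for rec in aggregate(SAMPLE_LOG):
        print(f'{rec["first"]}..{rec["last"]} {rec["host"]} {rec["event"]} x{rec["count"]}')
    print("raw=%d kept=%d" % reduction(SAMPLE_LOG))
```

On the constructed sample, ten raw lines become seven records without losing the successful login after the failed attempts or the privilege escalation. The trade-off is visible in the code: once events are collapsed, per-event detail that was not part of the bucket key (here the destination port) survives only for the first event, so the key must be chosen from the fields investigators actually pivot on.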

8. Access recertification

Identity and access management (IDAM) is an integral part of securing an organisation, yet it remains a constant challenge, with organisations struggling to keep access permissions in check. Corporate user directories are often awash with issues: unlabelled accounts without clear owners, "copy-ids" given to new employees without any revalidation of the privileges being copied, toxic access combinations where a user can both initiate and authorise the same workflow, and an inability to audit the process effectively. Revalidation of accounts is a complex exercise that requires business stakeholders not only to understand the concept of least privilege, but also to know the various interconnected systems they own and the aggregated risk profile of a role that results from the amalgamation of its entitlements. In reality, role owners just click "accept" because the number and complexity of recertification exercises is insurmountable.
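A recertification review is only as good as the data the role owner is shown. The following added example (not code from the original page; the role model, accounts, entitlement names and separation-of-duties rules are constructed) expands nested roles into the effective entitlements each account holds, then flags toxic combinations and accounts with no owner, which is the aggregated view the paragraph says reviewers rarely get.

```python
"""Access-recertification checks over a constructed role/entitlement model.

Added example; not code from the original page. Role names, entitlement
names, accounts and the separation-of-duties (SoD) rules are all constructed.
"""
from __future__ import annotations

# Constructed role model. Roles may include other roles, so the risk of a
# role is only visible once its nested entitlements are expanded.
ROLES = {
    "finance-analyst": {"entitlements": {"reports.read"}, "includes": set()},
    "ap-clerk": {"entitlements": {"payments.create"}, "includes": {"finance-analyst"}},
    "ap-manager": {"entitlements": {"payments.approve"}, "includes": {"finance-analyst"}},
    # Carries no direct entitlements, so it looks harmless on a recert form.
    "ap-team-lead": {"entitlements": set(), "includes": {"ap-clerk", "ap-manager"}},
}

# Constructed directory export: account -> owner and assigned roles.
ACCOUNTS = {
    "jsmith": {"owner": "jsmith", "roles": {"ap-clerk"}},
    "alee": {"owner": "alee", "roles": {"ap-manager"}},
    # A "copy-id": new joiner cloned from jsmith, then given manager rights too.
    "bkhan": {"owner": "bkhan", "roles": {"ap-clerk", "ap-manager"}},
    "mroy": {"owner": "mroy", "roles": {"ap-team-lead"}},
    # Service account with no recorded owner.
    "svc-batch01": {"owner": None, "roles": {"finance-analyst"}},
}

# Constructed SoD rules: no single account may hold both entitlements.
SOD_RULES = [
    ("payments.create", "payments.approve"),
    ("vendor.create", "payments.approve"),
]


def effective_entitlements(role: str, roles: dict, _seen: set | None = None) -> set[str]:
    """Expand nested roles into the flat set of entitlements they grant.

    The shared _seen set guards against include cycles in the role model;
    every role visited contributes to some ancestor, so the root result is
    complete even though a repeated child returns an empty set.
    """
    seen = _seen if _seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    granted = set(roles[role]["entitlements"])
    for child in roles[role]["includes"]:
        granted |= effective_entitlements(child, roles, seen)
    return granted


def account_entitlements(account: str, accounts: dict, roles: dict) -> set[str]:
    """Aggregate entitlements across every role assigned to an account."""
    granted: set[str] = set()
    for role in accounts[account]["roles"]:
        granted |= effective_entitlements(role, roles)
    return granted


def toxic_combinations(accounts: dict, roles: dict, rules: list) -> dict:
    """Return {account: [violated (a, b) rule, ...]} for accounts breaking SoD."""
    findings = {}
    for account in accounts:
        held = account_entitlements(account, accounts, roles)
        hits = [rule for rule in rules if rule[0] in held and rule[1] in held]
        if hits:
            findings[account] = hits
    return findings


def unowned_accounts(accounts: dict) -> list[str]:
    """Accounts with no recorded owner cannot be recertified by anyone."""
    return sorted(a for a, rec in accounts.items() if not rec["owner"])


def recertification_report(accounts: dict, roles: dict, rules: list) -> dict:
    """The single view a reviewer needs: expanded rights plus the findings."""
    return {
        "effective": {a: sorted(account_entitlements(a, accounts, roles)) for a in accounts},
        "toxic": toxic_combinations(accounts, roles, rules),
        "unowned": unowned_accounts(accounts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(recertification_report(ACCOUNTS, ROLES, SOD_RULES), indent=2, sort_keys=True))
```

Two findings in the constructed data illustrate the paragraph's points: "bkhan" holds a toxic combination through an over-copied account, and "mroy" holds the same combination through a role that shows no entitlements of its own until it is expanded. A recertification form that lists only assigned role names would show the reviewer neither.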

9. Tooling-based security strategies

As email attachments continue to top the list of methods used to breach an organisation, there is a continued focus on securing endpoints.

The market is booming and architects find themselves drowning in a variety of signature-based, heuristic, white/black-list-based and cloud-threat-analysis-enhanced endpoint protection tools. The cause is an oversaturated market, a lack of standardisation among security solution protocols and the resulting inability to integrate tools properly. The challenge is compounded by the relative immaturity of the IT security industry compared with other IT and non-IT industries. Security professionals often obsess over purchasing the latest best-in-breed solution with little consideration for the cost of maintaining yet another tool, which, if not done effectively, undermines any marginal benefit in threat mitigation. As a result, many security strategies are built around the most popular tooling rather than a sound architectural approach.

Redefining Security Architecture

As the technology world inevitably continues to move towards de-coupled, business-oriented web service architectures, enterprise architects will soon be able to browse catalogues of third-party services and easily assemble an ecosystem that transcends industry boundaries and is tailored to deliver a specific business proposition. This will allow them to address the legacy challenges above and deploy security mechanisms at pace and with better agility.

Real Time Assurance (Information Protection)

The days of monthly security report slides and weekly security dashboards are an era gone by.

One of the central benefits of security automation is the ability to extract a real-time view of security posture. Data provided by continuous vulnerability scans, configuration compliance monitoring, antivirus, DLP solutions, access control policies and other controls can be correlated with known threats and SOC processes to give executives a real-time view of cyber risk.

Business Outcome: Centralised security policy that protects sensitive data even after it has left the organisation.

Business Outcome: A dynamic, real-time overview of the organisation's security posture that is based on security risk and performance indicators.