The Best Security Reacts Quickly to Change
October 22, 2009
I’m certainly not above lifting verbatim research that I believe is helpful to security and compliance practitioners. And the title of this post was lifted from Gartner’s John Pescatore’s post entitled “Who Moved My Soap – The Best Security Reacts Quickly to Change.” Now I could go forth with all sorts of don’t drop the soap in DisneyWorld jokes, but that would obscure the real point, which is not about Pescatore’s hygienic preferences.
Security professionals are not driving the ship. The business folks are. So security folks that are resistant to the ebbs and flows of business will not be successful. We have to face the reality that we (as security professionals) need to adapt our defenses both to the actions of our adversaries, as well as the reality of our businesses. Budgets come and go, projects are re-scoped, and priorities change. That’s business. That’s life. Deal with it.
But you cannot adapt in a vacuum. In order to react quickly (which sounds very similar to my personal REACT FASTER mantra), an organization needs to understand what they are looking for. That means they need to be monitoring as much as they can, establishing what is “normal” in their environment and then watching for what is NOT normal. Things change all the time, but if you don’t know HOW they are changing, there is no way you’ll be able to understand WHY things have changed, and therefore you’ve got no shot to address the issue…before it’s too late.
Oh yeah, did I mention I’m a big fan of security monitoring?
Let’s have a candid discussion about rogue devices, shall we? You know, the unauthorized access point plugged into a port in a conference room or under someone’s desk. Or maybe the network behind the off-shore contractors you have maintaining legacy applications. Perhaps someone is running a side business during work hours on a device they bring from home ON YOUR NETWORK.
Each of these scenarios (regardless of how contrived) happens every day. And every new device presents a significant risk to your environment. Which means you need to be constantly watching for these devices and making sure they are not wreaking havoc. In fact, this is one of the key use cases for network access control (NAC). Of course, that technology is struggling, but it’s not because of the lack of a problem to solve.
So if you are looking at a log management or security information and event management (SIEM) product, won’t that tell you about new devices? Won’t it see something funky and flag it? Well, actually no it doesn’t. Log management requires logs, and your typical rogue device isn’t too interested in forwarding its logs to much of anything. That’s right, each managed device needs to be configured to push log files to the log management product. If that doesn’t happen, the SIEM is blissfully unaware anything is going on – until a number of managed devices are compromised – which is too late.
Yes, network devices (at least the right ones) can detect rogue devices and potentially quarantine those until the proper authorization is presented. But what if you don’t have NAC or can’t afford to upgrade your entire switching infrastructure? That’s right, you need to go beyond log data.
As mentioned in reason #4 about network flows, the network never lies. So we’ve got to look for new network devices and then kick off a scan to figure out what each one is and whether it’s authorized. eIQ SecureVue makes that pretty simple. You can set a policy to check for any new IP addresses within a specific time period. Then, from right within SecureVue, you can kick off a vulnerability scan to figure out what the story is with that device. Once you figure out what it is, you can understand whether it should be there.
Additionally, you can set network flow policies to check for traffic leaving the network from unmanaged devices. This kind of extrusion monitoring will tell you if a device is moving data off the network. Maybe they should be, maybe not. But the point is to gain situational awareness of what’s happening in your environment. And just looking at the log data is not going to get you there.
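The two flow policies described above (new internal addresses within a time window, and outbound traffic from unmanaged devices) as an added example, not SecureVue’s code or eIQ’s; the asset inventory, address range and NetFlow-style records are constructed for illustration. The point it makes concrete is that the rogue host at 10.0.1.77 never sends a log line, yet its flows are enough to surface it.

```python
"""Added example, not eIQ's or SecureVue's code: the two flow policies the
post describes, run over a few constructed NetFlow-style records."""
from ipaddress import ip_address, ip_network

# Constructed asset inventory and address space (hypothetical values).
MANAGED = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}
INTERNAL = [ip_network("10.0.0.0/8")]

# Constructed flow records: (iso timestamp, src, dst, dst_port, bytes).
FLOWS = [
    ("2009-10-22T09:00:00", "10.0.1.10", "10.0.2.20", 445, 12_000),
    ("2009-10-22T09:05:00", "10.0.1.77", "10.0.1.10", 80, 800),            # never inventoried
    ("2009-10-22T09:07:00", "10.0.1.77", "203.0.113.5", 443, 58_000_000),  # and pushing data out
    ("2009-10-22T09:09:00", "10.0.1.11", "198.51.100.9", 443, 4_000),      # managed, ordinary
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def new_internal_hosts(flows, managed, since_iso):
    """Policy 1: internal addresses seen at or after `since_iso` that are
    absent from the inventory. Each is a candidate for a scan and an
    authorization decision; the value is the timestamp it first appeared."""
    first_seen = {}
    for ts, src, dst, _port, _nbytes in flows:
        if ts < since_iso:          # ISO-8601 strings sort chronologically
            continue
        for ip in (src, dst):
            if is_internal(ip) and ip not in managed:
                first_seen.setdefault(ip, ts)
    return first_seen

def unmanaged_egress(flows, managed, byte_threshold):
    """Policy 2: bytes sent by unmanaged internal hosts to external addresses.
    Only hosts at or above byte_threshold are reported."""
    totals = {}
    for _ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and src not in managed and not is_internal(dst):
            totals[src] = totals.get(src, 0) + nbytes
    return {ip: b for ip, b in totals.items() if b >= byte_threshold}

if __name__ == "__main__":
    for ip, ts in new_internal_hosts(FLOWS, MANAGED, "2009-10-22T00:00:00").items():
        print(f"new unmanaged host {ip} first seen {ts}: scan and verify authorization")
    for ip, b in unmanaged_egress(FLOWS, MANAGED, 1_000_000).items():
        print(f"unmanaged host {ip} sent {b} bytes off-network")
```

The byte threshold is a tuning knob: set it from what is “normal” for your environment, otherwise every unmanaged printer doing a firmware check becomes an alert.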
eIQcast Episode 20: Seeing Through the Clouds
September 30, 2009
In this the 20th episode of the eIQcast, eIQnetworks SVP of Strategy Mike Rothman discusses some of the challenges of cloud computing with Ross Levanto. Mike goes into the issues of maintaining visibility when networks and systems reside in someone else’s data center, and some of the mechanisms eIQ is adding to SecureVue to help customers address this issue.
Yesterday eIQ announced a new capability within SecureVue to provide enhanced visibility for virtualized data centers and cloud computing models. SecureVue now includes a mapping feature which allows security professionals to keep track of which virtual machines are running on specific hardware devices, which facilitates the investigation and remediation for issues within a virtual data center. Check out the release for more detail on http://www.eiqnetworks.com.
Running time: 11:40
Direct Link: http://eiqcast.podOmatic.com/entry/2009-09-30T05_17_07-07_00
Don’t be like Dick and check out eIQ’s video at logdataisnotenough.com
Security Best Practices, Linkous-style
September 25, 2009
eIQ’s own security and compliance evangelist John Linkous took some time to step away from his bully pulpit to contribute a list of practices for Linda Musthaler’s Network World column. Although he’s no Jim Bakker, John can sling security fire and brimstone with the best of them. He provides some good food for thought for any security professional. Check it out and be converted.