Operational Efficiency Key to Return on Security Investment
by Steven Drew, EVP of Client Services, SecureWorks
There are three primary objectives that security organizations aim for: achieving regulatory compliance, enhancing operational efficiency, and improving security posture. Each carries obvious and important incentives. However, only one of them has tangible benefits that easily demonstrate a return on security investment, and that one is operational efficiency. The other two are extremely important for information security, but if you are looking for a return that can be illustrated in dollars saved, you will have to look at whether or not your efforts are improving the efficiency of your security operations.
Ask any engineer, whether fresh out of college or a year from retirement, what drives efficiency in a system. Their answer will consist of one word: processes. This answer may seem simplistic, but when you think about it, all things done can be broken down into steps to form a process. Even the individual steps that form a process can be broken down into smaller steps, making that individual step a process in itself. Thus, using simple logic, it would follow that the best way to achieve a goal would be to make the individual processes affecting that goal as efficient as possible. But, in this case, our good friend simple logic has led us down a perilous path. Following that path carries a significant, though not obvious, risk. Simple logic has us headed on a course for "local optimization", or as I like to call it, "ignoring the big picture."
Local optimization calls for a very strong focus on the efficiency of the individual processes involved in reaching a goal. What is frequently lost in all this focus is the actual progress being made towards the goal, and bad things tend to happen when that occurs. A classic example at the organizational level can be seen in many purchasing departments across America. How are purchasers evaluated? In most cases, by how cheaply they buy for the organization, i.e. by their efficiency. So in many cases, purchasers will buy parts in bulk to save money. Sounds good if you're the purchaser, right? You purchase a year's supply of parts at a very low rate, increasing your efficiency and making yourself look good at the same time. The purchasing process is very efficient and the organization is getting parts at rock-bottom prices. Meanwhile, the organization as a whole has lost flexibility and sustained higher costs. How is that possible? The organization lost flexibility when it tied up extra money buying more parts than it currently needed. It also lost flexibility in its manufacturing process: if a better product design is engineered that uses a different part, the factory must either scrap the old parts or keep using the old design. Either way it loses money that could have been spent elsewhere. But at least purchasing looks good, right?
So how does this all tie in to operational efficiency in your security efforts? Like the organization itself, information security is a system made up of processes. If you want your security operations to be as efficient as possible, you must approach them as a system, not as a set of individual processes. For operational security activities, this system is called Threat and Vulnerability Management. Five main processes go into it: Baseline/Discover, Prioritize, Mitigate, Maintain and Monitor. For the Threat and Vulnerability Management system to reach its full efficiency, all five processes must work together seamlessly. This requires a full integration that maximizes the positive impact that each process has on the others, as shown by the following Vulnerability Management illustration by Gartner Group:
[Illustration: Gartner Group Vulnerability Management cycle (Baseline/Discover, Prioritize, Mitigate, Maintain, Monitor); image not reproduced in this text version]
Information gained from one process must be used to enhance the efficiency of the other four. A good example involves the information gained from the Baseline/Discover process. Let's say that your organization conducts frequent vulnerability scans of its infrastructure using a stand-alone scanning solution. In that infrastructure lies an IDS sitting in front of a web server. In true IDS fashion, every time that server is targeted by an IIS attack, it sounds the alarm and someone is pulled from the security team to handle the situation. A few hours later, that person comes back and tells you that yes, there was an attack, but the server was already patched, so they were investigating an attack that had no chance of compromising the critical asset. To confirm, you check the latest vulnerability scan report. Sure enough, you just spent the entire morning on a threat that did not exist for that host. If your scanning solution were seamlessly integrated with the other processes in the Threat and Vulnerability Management system, the alert would have been matched against the scan data at the moment it fired, the target would have been recognized as not vulnerable, and the alert would have been de-prioritized automatically rather than paged out to an analyst. Note that the alert itself is not wrong: the attack traffic is real, and a source that keeps probing patched hosts is still worth recording for trend analysis. What it is not is an incident that justifies pulling someone off other work. Your security personnel's morning would have been productive, increasing your organization's operational efficiency by reducing time spent on non-actionable alerts.
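The correlation described above, written out as a small triage routine. This is an added example, not SecureWorks code: the alert line format, the signature-to-vulnerability mapping, the hostnames and the vulnerability identifiers are all constructed for illustration. It also covers two cases the paragraph does not spell out but that a practitioner has to decide on: a target host that is missing from the scan baseline, and a scan result that is too old to be trusted. Both are treated as "unknown", which means the alert is escalated, not suppressed.

```python
"""Triage IDS alerts against vulnerability-scan results.

Added example, not SecureWorks code. All hosts, signature names, vulnerability
IDs and alert lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed scan baseline: host -> (time of last scan, set of open vulnerability IDs).
SCAN_RESULTS = {
    "10.0.1.20": (datetime(2005, 3, 1), {"VULN-IIS-ISAPI-OVERFLOW"}),  # unpatched web server
    "10.0.1.21": (datetime(2005, 3, 1), set()),                          # patched web server
    "10.0.1.22": (datetime(2004, 11, 1), set()),                         # last scanned months ago
}

# Constructed map from IDS signature name to the vulnerability it exploits.
# Signatures that are not tied to one specific flaw (recon, policy) map to None.
SIGNATURE_TARGETS = {
    "IIS ISAPI overflow attempt": "VULN-IIS-ISAPI-OVERFLOW",
    "Port scan": None,
}

# A scan older than this cannot vouch for the host's patch state.
MAX_SCAN_AGE = timedelta(days=30)

# Constructed alert format: <ISO timestamp> <src> -> <dst> "<signature>"
ALERT_RE = re.compile(r'^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "(?P<sig>[^"]+)"$')


@dataclass
class Alert:
    ts: datetime
    src: str
    dst: str
    signature: str


def parse_alert(line: str) -> Alert:
    """Parse one constructed alert line; raise on anything that does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["sig"])


def triage(alert: Alert, scans=SCAN_RESULTS, targets=SIGNATURE_TARGETS,
           max_age: timedelta = MAX_SCAN_AGE) -> tuple:
    """Return (priority, reason). Only a fresh scan showing the flaw closed lowers priority."""
    if alert.signature not in targets:
        return "medium", "signature not mapped to a vulnerability; manual review"
    vuln: Optional[str] = targets[alert.signature]
    if vuln is None:
        return "medium", "reconnaissance/behavioural signature; not vulnerability-specific"
    if alert.dst not in scans:
        return "high", f"{alert.dst} is missing from the scan baseline; state unknown"
    scanned_at, open_vulns = scans[alert.dst]
    age = alert.ts - scanned_at
    if age > max_age:
        return "high", f"scan of {alert.dst} is {age.days} days old; treat as unknown"
    if vuln in open_vulns:
        return "critical", f"{alert.dst} is still vulnerable to {vuln}"
    return "low", f"{alert.dst} is not vulnerable to {vuln}; record {alert.src} for trend analysis"


def triage_log(lines):
    """Parse and triage a batch of alert lines, returning (alert, priority, reason) tuples."""
    return [(a, *triage(a)) for a in map(parse_alert, lines)]


# Constructed sample alerts: the same IIS signature against three hosts, plus a port scan.
SAMPLE_ALERTS = [
    '2005-03-05T08:12:00 192.0.2.9 -> 10.0.1.21 "IIS ISAPI overflow attempt"',
    '2005-03-05T08:12:03 192.0.2.9 -> 10.0.1.20 "IIS ISAPI overflow attempt"',
    '2005-03-05T08:12:07 192.0.2.9 -> 10.0.1.22 "IIS ISAPI overflow attempt"',
    '2005-03-05T08:12:09 192.0.2.9 -> 10.0.1.99 "IIS ISAPI overflow attempt"',
    '2005-03-05T08:13:00 192.0.2.9 -> 10.0.1.21 "Port scan"',
]

if __name__ == "__main__":
    for alert, prio, reason in triage_log(SAMPLE_ALERTS):
        print(f"{prio:8} {alert.src} -> {alert.dst}  {alert.signature}: {reason}")
```

The design choice worth noting is the asymmetry: an alert is only lowered to "low" when a recent scan positively shows the flaw closed on that host. Any gap in the data (host never scanned, scan stale, signature unmapped) leaves the alert at or above its normal priority, so integration reduces analyst time without turning a missing scan into a missed intrusion.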
But using the information gained by each process to strengthen the other processes in the system isn't all that happens when the system is seamlessly integrated. The improvements made to the other four processes feed back into the system in turn, creating a powerful cycle of continuous improvement. This cycle allows each individual process, as well as the system as a whole, to reach a level of operational efficiency that is unattainable without integration, maximizing the return the organization receives from its security investments.
Bottom Line: Maximum ROI for information security efforts can only be achieved through full, seamless integration of operational processes into a Threat and Vulnerability Management system, providing the highest level of operational efficiency possible, while also improving the other objectives of Compliance and Security Posture.
Internet Threat Update
Provided by SecureWorks' Security Research Team
This Month's Threat Overview: Botnets Look for New Vectors
Botnets, long the scourge of the network administrator, have run into a problem: the pool of vulnerable Windows machines is slowly shrinking. Two factors account for this. First, there have been no new critical network-based vulnerabilities in Windows workstations since the LSASS exploit. Second, there has been a general move toward Windows XP SP2, which makes exploitation of such vulnerabilities far more difficult.
But the owners of botnets are not content to merely fade into oblivion; instead they are looking to branch out into other means of spreading. The three new vectors we are increasingly seeing used are:
- Instant messaging
- SMTP
- IE exploits
The IM and SMTP vectors are little different from viruses that spread using the same methods: the attacker relies on social engineering rather than an exploit. There is little originality in the code used for these vectors; in fact, most SMTP-spreading bots simply use a repackaged copy of the MyDoom source code. The IE exploits being used are also nothing new; spyware/adware vendors have been using them for some time.
The prepared network administrator will already have deployed defenses against these vectors, because they are well known. However, even well-known exploits tend to have a potential victim pool in the millions. In case you haven't already considered the attack vectors above, here are some measures to look at, although they may not be applicable to every environment:
- Prevent IM clients from talking to public IM networks. If workgroups internal to your company require IM for intergroup communication, consider setting up a private internal IM server to serve these clients.
- Ensure internal mailservers have adequate virus scanning. Consider disallowing executable attachment types outright, as well as archive files containing executables.
- Ensure all browser software is up-to-date and consider banning outdated browsers by user-agent at the HTTP proxy.
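The second measure above, rejecting executable attachments and archives that contain them, is the one with enough detail to show in code. The following is an added example, not SecureWorks code, of an attachment policy check a mail gateway could apply. It matches executables by extension and by the DOS/PE "MZ" header (so renaming setup.exe to invoice.txt does not get it through), opens zip attachments to inspect their members, and refuses what it cannot inspect: password-protected members and nested archives. The extension list, the member limit and the test message are constructed assumptions; adjust them to your environment.

```python
"""Mail-gateway attachment policy: reject executables and archives containing them.

Added example, not SecureWorks code. The extension list, limits and the sample
message built below are constructed for illustration.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Constructed, deliberately short list of extensions treated as executable.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
MZ_MAGIC = b"MZ"      # DOS/PE header; catches executables with a harmless-looking name
MAX_MEMBERS = 1000    # bound the work done per archive (assumed limit)


def is_executable(name: str, data: bytes) -> bool:
    """True if the filename has an executable extension or the content starts with MZ."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return ext in EXEC_EXTENSIONS or data[:2] == MZ_MAGIC


def inspect_archive(data: bytes) -> Optional[str]:
    """Return a rejection reason for a zip attachment, or None if it passes (or is not a zip)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None                                  # not a zip; nothing to inspect here
    with zf:
        members = zf.infolist()
        if len(members) > MAX_MEMBERS:
            return f"archive has {len(members)} members; exceeds inspection limit"
        for info in members:
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:                 # encrypted member: content cannot be checked
                return f"archive member {info.filename} is password-protected; cannot inspect"
            if info.filename.lower().endswith(".zip"):
                return f"archive contains nested archive {info.filename}; not inspected"
            with zf.open(info) as member:
                head = member.read(2)                # header bytes are enough for the MZ check
            if is_executable(info.filename, head):
                return f"archive contains executable {info.filename}"
    return None


def check_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (attachment name, reason) for every attachment that violates the policy."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            findings.append((name, "executable attachment"))
            continue
        reason = inspect_archive(data)
        if reason:
            findings.append((name, reason))
    return findings


def make_zip(members) -> bytes:
    """Build a constructed zip from [(member name, bytes)] pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


def build_message(attachments) -> bytes:
    """Build a constructed test message with [(filename, bytes)] attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached file.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed sample: a text file, a screensaver executable, and a zip hiding an .exe.
    raw = build_message([
        ("report.txt", b"quarterly figures"),
        ("setup.scr", b"MZ\x90\x00"),
        ("photos.zip", make_zip([("pic.jpg", b"\xff\xd8"), ("pic.jpg.exe", b"MZ\x90\x00")])),
    ])
    for name, reason in check_message(raw):
        print(f"REJECT {name}: {reason}")
```

Two policy decisions are built in rather than left to chance: an archive member the gateway cannot read (encrypted, or a zip inside a zip) is rejected instead of waved through, and only the first two bytes of each member are read, so a large or highly compressed archive cannot make the check expensive. Other archive formats (RAR, CAB) need their own handlers or an outright block.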
Fortunately, at this time the number of groups with access to the bot source code for the newer vectors is small. This is expected to change as the sources are distributed more widely, and these threats will become more commonplace. Now is the time to take a look at your network and determine where you are most susceptible to a botnet attack.
SOC War Story: Stemming the Tide of Information
Business Problem
Flexibility is a critical need for businesses today, and network security is no exception. Security professionals are forced to use hardware and software from multiple vendors to achieve the level of security their needs demand. Because of this, many IT professionals have found it difficult, if not impossible, to manage the operational needs of a complex, best-of-breed network security system. This is exactly the situation faced by the security team of a Fortune 500 financial corporation. To meet the demands of a rapidly evolving security landscape, their environment had grown in complexity to the point where it comprised many best-of-breed "point" solutions with little integration between them.
As a result, the security team was struggling to keep its head above the rising demands of the environment, while the company's security posture continued to deteriorate. Faced with this dilemma, the company considered its options. It could scrap its entire network security system and install a single-vendor system throughout the organization, eating the cost of previous investments and settling for potentially weaker solutions. It could continue doing what it had been doing, essentially "fire fighting" whichever issue was hottest. Or it could implement a solution that would integrate its security infrastructure and operational security processes.
Solution
The Fortune 500 financial corporation decided the last option was most appealing and contacted SecureWorks. Within days, SecureWorks integrated its Sherlock Enterprise Security Management Platform into the corporation's network without replacing any components of the existing security system. SecureWorks' team of 100% SANS GIAC-certified analysts then began working with the client's security team to analyze security events, conduct vulnerability scans, stay on top of emerging threats and manage the security infrastructure. Within a few days, the client's network was secured and running smoothly and efficiently. SecureWorks absorbed the swelling operational demands, allowing the client's security team to handle its other pressing strategic security needs.
Using the Sherlock Enterprise Security Management Platform, SecureWorks was able to fully integrate the client's best-of-breed security infrastructure and operational processes into a single system. Through the SecureWorks Portal, the client's security team gained a real-time, holistic view of its enterprise-wide security status such as it had never seen before.