Cheesy headlines aside, Netwrix, a firm that focuses on change and configuration auditing, has published a curious list of steps that are said to be the key in preventing a data breach.
Yet, if these three steps are all that's needed, why hasn't everyone in InfoSec done this already and called it a day?
Netwrix makes some valid points, but security isn't a simple checklist, and if there were a magical list of three things, I'm sure it would have been sold many times over long before now.
If I'm honest, what irks me about their claims is that there is no way the Netwrix list will prevent security incidents or breaches. It might make them more difficult to pull off, but they'll still happen. And yet, somewhere someone might see their claims and think the answer to everything is change and configuration auditing.
Ensure that changes are documented.
No shock here, that's the business they're in. They have to promote themselves and the product.
However, larger firms like CA and BMC have been doing change auditing for years, and breaches still happen. Netwrix says that the "main key to visibility across the entire IT infrastructure is to keep a complete audit trail of system activities and changes made."
Fair point, but visibility isn't all it's cracked up to be.
For example, the OPM knew where the contractors were and what assets said contractors had access to. Did that matter? Not one bit.
Granted, the OPM might be a bad example here, given that change management is something they're not really up to speed on, but it's the most recent example of a breach where assets and changes to them were monitored on some level.
Control access to sensitive data.
Now this is an item OPM should've had.
Access control is an issue the inspector general has been pestering the OPM about for years.
While they've started the process of controlling access levels, it was too little, too late. The compromised contractor credentials allowed the OPM attackers full access.
"Since privilege abuse remains the hardest to detect violation, restrict access to your most valuable assets only to those who need it and keep an eye on users with extended privileges," Netwrix says.
True, this is a valid point.
However, it will not prevent a breach alone, nor will it prevent a breach if it's tied to change management. In fact, privilege is the type of control administrators love to hate.
They love the value it offers to security policies, but hate the fact that they have to give it up any time an executive or business unit demands it. Think about the number of gold images that are delivered to remote workers, or the laptops issued to senior staff, with full administrator access included. Stressful isn't it?
Privilege is something controlled at the server level for the most part, and even then it isn't all that helpful, because everyone in IT has access to the Excel file with passwords on it.
Audit and evaluate your environment continuously.
Why mention change monitoring a second time, even if it is passive?
Auditing should be counted as a repeat, in my opinion, because you can't monitor and track changes to something you didn't know existed. But Netwrix proves my point for me: they are repeating themselves.
"Continuous auditing of user activities and changes made to data and system configurations helps to avoid critical mistakes that might potentially damage security and service uptime. Analytics built upon this knowledge helps to detect security incidents and find the root cause of each violation. In addition, continuous monitoring provides irrefutable proof that your security policies are in place and always have been, which is very handy when needing to pass compliance audits."
So it isn't three steps, it's two really. Change monitoring and access controls.
So if you don't have these two items, does that mean you'll be breached?
No, it doesn't. However, it does make things easier for your attacker. After all, a network is best protected when the organization knows where all the assets are, and who has access to them.
Going back to the OPM, they knew where some of their assets were, especially the systems that were compromised, and they knew what credentials were compromised too.
The vendor demo that detected the breach was focused on known systems and accounts, so one could argue that on a basic level the OPM had the two controls mentioned by Netwrix in place, and yet here we are.
Clearly the list put out by Netwrix is flawed.
While each of the three (two really) items has valid uses for IT and InfoSec operations, they're not silver bullets, together or separately.
Truthfully, there is no magical list.
Security isn't easy, and the more a business grows, the harder security gets. Checklists are not going to solve anything. Even if they could, you'd still need more than two items.