Industry View

Centralizing Enterprise Security Operations and Management

Jeff Ahlerich of Looking Glass Systems looks at transcending the politics

By Jeff Ahlerich, Looking Glass Systems

Centralizing Information Security operations in the large, complex and diverse Enterprise can be a contentious process. Just when you think you've got all your stakeholders on board - a mutiny breaks out in the field or a peer IT management division finds that key elements of the initiative conflict with their own agenda. The process of security centralization is itself predisposed to conflict, and the first step towards a successful transition is to understand that the reasons for this are largely human nature.

If an entity is going to go through the effort and cost of transitioning to a centralized posture to better mitigate the overall risk exposure of its enterprise, then the staff hired to perform these operational duties must be afforded a certain level of trust and authority to be truly effective. This is not to say that the specialized security personnel need to employ heavy-handed tactics to get the job done effectively, nor do they need unrestricted keys to the kingdom. What they do need, however, are adequate levels of authority with the appropriate oversight measures in place. An effective centralized Security Program is able and empowered to respond to actionable intelligence nimbly and without undue restrictions, or "red tape," when a legitimate threat to information presents itself, and is kept from overstepping its bounds via programmatically implemented limitations and transparency - checks and balances, if you will.

What we oftentimes find in practice, however, is that while a great deal of time, money, and effort is invested to establish trust relationships for Security personnel (clearances, background checks, etc.), individuals assigned the duty of safeguarding the enterprise from cyber threats are typically not leveraged to their full extent due to entrenched opposition and the turf battles that ensue once a centralized program enters its serious planning and implementation stages. In other words, the ideal centralization models drawn up on paper are oftentimes degraded and adopted in a manner that will appease the entrenched interests of peer IT groups who notionally believe that the program represents a threat to their ability to manage and/or control their own environments.

Whether it's a NOC manager who won't allow a security entity to effect changes on network infrastructure without imposing significant red tape processes, a conflict with the Desktop Support group over an endpoint remediation prescription that requires "unauthorized" system configuration modifications or patches, or the influence of a remote Field Site Systems Administrator who is loath to provide any outside access to "his systems," in each case the resistance of the peer IT group to fully embrace the centralized security concept can lead to the program implementation being undermined before it gets off the ground. Security Operations organizations face these kinds of entrenched interests every which way they turn when it comes to matters of implementing proactive protection mechanisms or responsive remediation operations. Oftentimes the result can be the centralized SOC entity being reduced to an incident detection and reporting center only. And because of the prevalent political opposition involved with providing SOC entities access to the distributed networks/systems, a myriad of more passive (read: politically viable) enterprise security monitoring solutions have cropped up operating at the network layer - Network Intrusion Detection Systems (NIDS) being the best example.
