Industry View

Centralizing Enterprise Security Operations and Management

Jeff Ahlerich of Looking Glass Systems looks at transcending the politics

By Jeff Ahlerich, Looking Glass Systems

Page 3

A real-world example in which this type of political compromise exacerbated an otherwise manageable security incident illustrates why this issue so urgently needs to be addressed. A SOC analyst, through his Security Event Management dashboard, detected the potential outbreak of a virus within a sizable enterprise branch office department. The events he was observing were primarily generated by a signature-based Network Intrusion Detection sensor deployed within this remote segment of the network. For politically driven reasons, the SOC personnel in this instance had no direct access (not even read-only) to the potentially affected endpoint systems in this environment, or to the network switch infrastructure that could have been used to isolate affected endpoint systems on a quarantined VLAN.

In other words, this SOC entity had no way to independently:
1) validate that the events detected were in fact authentic (i.e., NOT false positives, which NIDS are notorious for producing);
2) determine which additional endpoints in this segment were also potentially susceptible to the outbreak; or
3) do anything to efficiently mitigate or remediate the problem.

The SOC's hands were tied, and their official protocol, filled with air-gap processes, delayed action.

The end result of this incident was that the virus was not contained, and it spread rapidly beyond the branch office throughout the entire enterprise within a couple of days. This SOC organization had neither the authority nor the technical capability to act independently on the actionable intelligence at hand, and could do nothing but watch the virus spread like wildfire on their consoles while sending emails and making phone calls to the distributed IT resources in the field. When all was said and done, it took about a month to clean up the damage and restore the enterprise to normal operations. Thousands of man-hours were spent remediating affected systems, and the productivity of the core business mission was severely impacted.

Imagine a Fire Chief watching over a dry forest as a lightning storm breaks out overhead. He's got his fire truck but no hose or water. His team of Firefighters is in position to take aggressive and necessary measures, but their hands are completely tied by political protocols. Instead, the only recourse is to start radioing Policemen and Paramedics dispersed throughout the forest, ask them to suspend their present duties, and come rapidly to the scene of the lightning strikes to become temporary Firefighters themselves; asking them to execute tasks that they were not trained to perform, do not have any desire to perform, do not have the right tools to perform, and cannot perform without their regular, mission-critical duties taking a back seat.
