Industry View

Centralizing Enterprise Security Operations and Management

Jeff Ahlerich of Looking Glass Systems looks at transcending the politics

By Jeff Ahlerich, Looking Glass Systems

Page 5

Flexible and granular RBAC with audit trail facilities: An accessible platform that lets the central entity and the diverse groups of IT administrators throughout the enterprise collaborate is the most effective solution. Such a platform must include granular role-based access levels while also providing accountability and central oversight mechanisms. Solutions of this kind make the politically motivated compromises to an ideal enterprise security model more acceptable, and they help build the case for expanding SOC staff responsibilities. When set up properly, even in a model where the SOC entity has no endpoint remediation authority, an analyst can still communicate remediation prescriptions for detected vulnerabilities or incidents to the staff responsible for carrying them out. Furthermore, when an audit trail is part of the equation, demonstrative data becomes available for trending how effective and efficient (or not) the various IT entities are in their remediation activities.
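The separation of duties and audit-trail trending described above, as an added example that is not part of the article: a SOC analyst role may only prescribe remediation, endpoint admin roles may only carry it out, every attempt (allowed or denied) is recorded, and the trail is then used to compute each IT group's average time from prescription to remediation. Role names, user names, finding ids and timestamps are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Role -> permitted actions (constructed role names, not from any real product)
ROLE_PERMISSIONS = {
    "soc_analyst": {"view_findings", "prescribe_remediation"},
    "endpoint_admin": {"view_findings", "remediate_endpoint"},
    "central_oversight": {"view_findings", "view_audit"},
}

@dataclass
class AuditEvent:
    ts: int           # constructed timestamp, in seconds
    actor: str
    group: str        # IT group the actor belongs to
    action: str
    finding_id: str
    allowed: bool     # denied attempts are kept too, for accountability

@dataclass
class Platform:
    users: Dict[str, Tuple[str, str]]         # user -> (role, IT group)
    audit: List[AuditEvent] = field(default_factory=list)

    def act(self, ts: int, user: str, action: str, finding_id: str) -> bool:
        role, group = self.users[user]
        allowed = action in ROLE_PERMISSIONS[role]
        self.audit.append(AuditEvent(ts, user, group, action, finding_id, allowed))
        return allowed

    def remediation_latency(self) -> Dict[str, float]:
        """Average seconds from prescription to remediation, per IT group."""
        prescribed: Dict[str, int] = {}
        per_group: Dict[str, List[int]] = {}
        for e in self.audit:
            if not e.allowed:
                continue
            if e.action == "prescribe_remediation":
                prescribed[e.finding_id] = e.ts
            elif e.action == "remediate_endpoint" and e.finding_id in prescribed:
                per_group.setdefault(e.group, []).append(e.ts - prescribed.pop(e.finding_id))
        return {g: sum(v) / len(v) for g, v in per_group.items()}

def demo() -> Platform:
    p = Platform({"alice": ("soc_analyst", "soc"),
                  "bob": ("endpoint_admin", "finance_it"),
                  "carol": ("endpoint_admin", "hr_it")})
    p.act(0, "alice", "prescribe_remediation", "FINDING-1")
    p.act(0, "alice", "prescribe_remediation", "FINDING-2")
    p.act(0, "alice", "remediate_endpoint", "FINDING-1")   # denied: analyst has no endpoint authority
    p.act(3600, "bob", "remediate_endpoint", "FINDING-1")  # finance IT fixes it within an hour
    p.act(86400, "carol", "remediate_endpoint", "FINDING-2")  # HR IT takes a day
    return p
```

The denied attempt by the analyst stays in the trail, and the latency figures are what central oversight would trend across groups.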

The platform must also address the entire security management lifecycle rather than solving a single, focused security issue. How effective is a SIEM implementation or vulnerability management platform if operators cannot use it to 1) proactively push security configuration parameters down to endpoints, or 2) respond in real time to the legitimate threats it detects? These systems are terrific at telling you how many hundreds of severe security vulnerabilities may exist in your enterprise, but they offer little to no operational capability when it comes to actually changing the endpoint security posture. What you're left with is a mountain of report data enumerating a litany of potential vulnerabilities in your enterprise with suggested courses of action to mitigate them — but that's where they stop. It is then left entirely to the security operations team to figure out how to get everything fixed with yet another toolset or with air-gap processes. Furthermore, deploying such tools removes all plausible deniability regarding enterprise security awareness — there is now likely to be a legal or compliance obligation to fix every issue these applications have uncovered.

Automating repeatable human workflow processes is what information systems do best. Automation should be leveraged wherever possible to provide better orchestrated, more efficient, and more accurately performed dissemination of configuration management policy, as well as reactive remediation responses. The air-gap processes so prevalent in security management programs today are the unnecessary choke points that counteract so much of the good intent that went into developing a well-planned security program in the first place. Any time the flowchart must rely on people to communicate and physically act, it simply takes more time and is performed less consistently. The next generation of security management platforms must introduce more automation for these functions.
