Centralizing Enterprise Security Operations and Management

Jeff Ahlerich of Looking Glass Systems looks at transcending the politics


Flexible and Granular RBAC with audit trail facilities: An accessible platform that enables the Central entity and diverse groups of IT administrators throughout the enterprise to collaborate is a most effective solution. It is important that such platforms include granular role-based access levels while also providing accountability and central oversight mechanisms. Such solutions make politically motivated compromises to an ideal Enterprise Security model more acceptable, and essentially can assist in building the case for increasing SOC staff responsibilities. When set up properly, even in a model where the SOC entity has no endpoint remediation authority, an Analyst can effectively communicate remediation prescriptions for detected vulnerabilities or incidents out to the staff that are responsible for such functions. Furthermore, when an audit trail is included in the equation, demonstrative data becomes available for trending how effective and efficient (or not) various IT entities are in their remediation activities.

The platform must also address the entire security management lifecycle vs. solving a single, focused security issue. How effective is a SIEM implementation or Vulnerability Management Platform if operators cannot use them to 1) proactively affect security configuration parameters down to endpoints, or 2) respond in real-time to legitimate threats detected? These systems are terrific at telling you how many hundreds of severe security vulnerabilities may exist in your enterprise, but they offer little to no operational capability when it comes to actually affecting the endpoint security posture. What you're left with is a mountain of report data enumerating a litany of potential vulnerabilities in your enterprise with suggested courses of action to mitigate them — but that's where they stop. It's then left entirely up to the security operations team to figure out how to get everything fixed with yet another toolset or air gap processes. Furthermore, the implementation of such tools removes all plausible deniability regarding enterprise security awareness — there is now likely to be a legal or compliance obligation to fix all the issues these applications have uncovered.

Automating repeatable human workflow processes is what information systems do best. Automation should be leveraged wherever possible to provide better orchestrated, more efficient, and more accurately performed dissemination of configuration management policy, as well as reactive remediation responses. The air gap processes so prevalent in security management programs today are unnecessary choke points that counteract much of the good intent that went into developing a well-planned security program in the first place. Any time the flowchart must rely on people to communicate and physically act, it simply takes more time and will be performed less consistently. Security management platforms must introduce more automation for these functions in the next generation.

In the "real world" example provided earlier, our Security Analyst's hands were politically tied, and he could not perform remediation activities (even if he had the technology to do it). Recall that in this common example, the SOC Analysts were just that—Analysts only. They had no operational authority of any consequence as it related to actual preventative endpoint security posture maintenance or remediation. Their job was to drink from the fire hose of aggregate security event data and to separate authentic incidents from false positive events. Their job was to formulate remediation prescriptions for affected devices, to hunt down the appropriate system administrators for such devices, and to disseminate the developed remediation prescriptions. Finally, their job was to follow up with these individuals until it could be verified that the remediation activity had been successfully applied.

Imagine if an enterprise security management platform were in place that could facilitate and control the delegation of specific roles and the collaboration across these groups, as well as authorize and track activities among individuals and groups of systems with intuitive ease and simplicity.
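As an added illustration of the granular RBAC and audit-trail idea above and of the analyst workflow just described (example code written for this page, not a Looking Glass Systems product), the following Python sketch enforces that the analyst role can prescribe and verify a fix but not apply one, logs every attempt including refused ones, and derives per-team time-to-remediate figures from the trail. The role names, actions and sample timeline are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Hypothetical role model (an assumption, not the article's): the SOC
# analyst may prescribe and verify a fix; only admins may apply one.
PERMISSIONS = {
    "soc_analyst": {"prescribe", "verify"},
    "endpoint_admin": {"apply"},
}

@dataclass
class AuditEntry:
    when: datetime
    role: str
    action: str
    endpoint: str
    owner_group: str  # IT group accountable for the endpoint

class RemediationLedger:
    def __init__(self):
        self.entries = []  # shared audit trail of every attempted action

    def record(self, when, role, action, endpoint, owner_group):
        # Least privilege: a refused action is still logged (as denied) for central oversight.
        allowed = action in PERMISSIONS.get(role, set())
        logged = action if allowed else "denied:" + action
        self.entries.append(AuditEntry(when, role, logged, endpoint, owner_group))
        return allowed

    def mean_hours_to_remediate(self):
        """Hours from prescription to verified fix, averaged per owner group."""
        opened, per_group = {}, {}
        for e in self.entries:
            if e.action == "prescribe":
                opened[e.endpoint] = e.when
            elif e.action == "verify" and e.endpoint in opened:
                hours = (e.when - opened.pop(e.endpoint)).total_seconds() / 3600
                per_group.setdefault(e.owner_group, []).append(hours)
        return {g: sum(h) / len(h) for g, h in per_group.items()}

def sample_ledger():
    # Constructed sample data: two prescriptions, one group slower than the other.
    t0, led = datetime(2008, 6, 2, 9, 0), RemediationLedger()
    led.record(t0, "soc_analyst", "prescribe", "srv-01", "unix-team")
    led.record(t0, "soc_analyst", "prescribe", "ws-07", "desktop-team")
    led.record(t0 + timedelta(hours=1), "soc_analyst", "apply", "srv-01", "unix-team")  # denied
    led.record(t0 + timedelta(hours=4), "endpoint_admin", "apply", "srv-01", "unix-team")
    led.record(t0 + timedelta(hours=6), "soc_analyst", "verify", "srv-01", "unix-team")
    led.record(t0 + timedelta(hours=30), "endpoint_admin", "apply", "ws-07", "desktop-team")
    led.record(t0 + timedelta(hours=36), "soc_analyst", "verify", "ws-07", "desktop-team")
    return led
```

The per-group averages are the "demonstrative data" the article refers to: they come straight from the trail without any separate reporting step.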

Conclusion

In a perfect world (and typically as drawn up on paper) centralization of the enterprise security operations function is straightforward to implement — and it generally is, until you factor in the human elements. In reality, transitioning to the centralization model will always face certain operational challenges from potentially impacted interests for a variety of reasons. These interests respond to centralized security management models with a predictable reluctance to support the implementation due to a perceived threat of reduced control over their environments, or simply a natural resistance to change.

The Centralized Enterprise Security model should not be characterized as a false panacea by any means because of these challenges. Instead, it should be understood that the model is a politically ambitious one to achieve, and why. For these initiatives to have the best chance at realizing the efficiency and/or effectiveness gains they promised to deliver in concept, the solutions adopted at their core must be in a position to accommodate those challenges. The security management platform at the root of their design must promote organizational cooperation, for only by leveraging platforms with such capabilities can politically motivated barriers be easily overcome. Empowering and accommodating not only the central security entity, but also any other IT organization with significant interests at stake, promotes inclusion and cooperation, and enables the centralized security model to be a success.

When IT organizations are empowered, encouraged, and held accountable to positively affect the enterprise security posture with an intuitive and powerful management platform that coordinates and distributes individual responsibilities effectively and under control, half the battle is won. Such a platform offers a pragmatic method to: assess distributed endpoint systems without disruption, providing accurate security posture awareness; proactively protect endpoint systems in a coordinated, organized fashion through scalable group policy deployments; detect authentic incidents in real time without flooding operations with oceans of false positives; and respond immediately, effectively, and in a scalable (automated when appropriate) fashion down to the affected endpoints. A Unified Endpoint Security Management platform, as described, is a catalyst for overcoming the political obstacles that inherently exist, and provides a clear path to a vastly improved enterprise security posture and the always sought-after improvements in return on investment.

Jeff Ahlerich is Vice President and Co-Founder of Looking Glass Systems.

Copyright © 2008 IDG Communications, Inc.
