I’m visiting organizations and companies for miscellaneous projects and I’m often scared by the lack of “visibility” they have on their infrastructure. For years now, new components have been deployed by pure requirements or (honestly) by the business “pressure”: Firewalls, IDS/IPS, (reverse)proxies, WiFi, SSL VPNs, etc. All those solutions, hardware as software, are deployed with their own management tools and sometimes protocols! Once, all these security toolboxes are in place, the next question arise soon: “That’s cool but… How can I be sure that all security components work together?“
A good example is the buzz around the AET or “Advanced Evasion Techniques” released by Stonesoft a few weeks ago. If you are interested in evasion techniques, Stonesoft presented a first research during the 2009 edition of hack.lu. At the moment, their announce looked indeed a major flaw regarding IDS systems, but I decided to not blog about it and left some time run. Why? First, do you have an IDS? Not sure! Small organizations do not have resources (money, time, people) to maintain an IDS. You’re lucky and you have one? Do you rely on your IDS? I hope not! Let’s imagine that your IDS does not detect a malware injected in your network via an advanced evasion technique, your anti-virus solution should do the job… in a perfect world…
This example of flaw could also affect other devices. To prevent this, your security must be based on multiple layers of defense. Adding multiple layers increases also the complexity of their maintenance. To increase your security even more, you have to be the conductor of all those solutions and make them work in a convenient way! How to achieve this?
- Keep them up-to-date (apply the released patches)
- Keep the configurations clean and simple (perform regular “spring cleanups”)
- Centralize all the logs in a unique secured place
- Use tools to analyze the logs and create security incidents
- Keep a documentation of your infrastructure
- Keep your data flows under control
- Keep strong access policies to your data (“least privileges”)
And remember, you don’t need the latest killer-SIEM-solution to achieve this. They are plenty of free tools to build a simple and effective log management solution. Remember, visibility is the keyword!
Hello Scot,
Thanks for your feedback. Always appreciated!
Xavier, I have to completely agree with you. I think we spend too much time showing off our “Ubber” skills and not enough time asking what the business needs. This is true in IT and double true in Info Sec. I also like to remind us security folks that we are not responsible for making risk based decisions. It is ultimately up to the business to make these choices and our only job is to make sure they are making well informed decisions. Knowing that, this whole security this is a lot easier!
Love the blog, heard you on PaulDotCom and turned me on your blog.
John,
Talking to your senior management in terms of “logs”, “patches”, “architecture” is not the right approach (IMHO). For a successful communication, translate your technical threats (“My server is pwnOd”) into business threats (“We lost 10K customers CC”).
“Our e-commerce website is down” => “We lost xxx hours of online revenue
My 0.02€,
Xavier
Hi Xavier,
I’ve been now 3+ years in my organization, and ever since I’ve trying to tell my senior management similar affirmations: asset management and control, simplification of the infrastructure and configurations and update as much as possible. It’s been hell difficult trying to make them understand just these 3 things, so I never really tried going to log management (even free open source solutions). You say you are scared by the lack of visibility that some organizations have of their assets… if only you’d come see ours you’d be triple scared (or maybe not and we’re average).
My point is: what suggestion do you have for us, lowly security analysts to try to convince senior management once and for all about really doing these 3 basic things (and avoid their typical answer of: “Yes, I know we should be doing, but we can’t right now”)?
I don’t like using FUD with IT related senior management, but my opinions always seem to go to the not-possible-right-now zone.
Thanks,
John.