It's not uncommon. You're called in to perform a penetration test within an enterprise, and before long you're describing a significant compromise to the client. After the disbelief and shock, you begin to dig into how this could be possible. The client assures you that their team is working hard. In fact, they're practically killing themselves securing the network.
What's the problem?
The time and effort of the organization is completely consumed by tactical activities focused on point problems and solutions. Is a system vulnerable? How can I tell? What should I do? What other systems are like this one? How can I tell these systems are also vulnerable?
Attacking the problem of enterprise security in this manner is time consuming and costly. Furthermore, it typically doesn't lead to improvements in the company's policies and procedures. Rather, the experience gained by individuals can create a feeling that things are improving. Lessons learned are discussed with management. Tasks take less time to achieve. Unfortunately, the improvement is only incremental, and only relative to the ad-hoc systems that came before. The environment is still focused on tactical problems, and the knowledge is tribal, held by the people rather than the organization. When they leave, the system will have to teach another expert.
When this is overlaid on top of traditional trends in funding and attention paid to security departments, the situation becomes more untenable. When is the most attention paid to security? Immediately after an incident. The fire drill begins, fingers are pointed, and stress levels are high. Suddenly full buy-in from management comes with a substantial budget to fix the issues that are seen as most critical. As time passes from the original event, the point solutions that have sprung up are not maintained, or the rough edges from rapid integration are never smoothed out and fully adopted into the larger system.
The pressing nature of this immediate threat can lead to mistakes in how to address the larger issues. Widely scoped preventative measures are bypassed in favor of short term quick wins.
Everyone picks the low hanging fruit and nobody takes time to build a ladder.
The result is highly tasked people, large expenditures with minimal ROI related to overall security posture, ad-hoc operations, and tribal knowledge of the systems. Everyone agrees there are better ways to do things, and they'll get right on it if they have the time.
So what's to be done?
Organizations need to have the operational discipline to stay focused on security after the initial shock of the incident has worn off. Strategic initiatives should be investigated and run in parallel with tactical issues. Given a conflict, the strategic initiatives should take precedence. In turn, strategic projects must be run with clear goals, deadlines, and expectations communicated widely to the tactical teams. Of the two, strategic groups should be held more tightly to their advertised goals and timelines.
What are the steps to develop initiatives?
Many organizations may feel that they are already working on strategic initiatives. After all, we're installing a vulnerability scanner so we don't have to scan each system by hand anymore; isn't that strategic? Possibly, depending on the homework you've done.
- Have you given your tactical teams the time, resources, and cover to perform root cause analysis?
- Have you assigned a person or group to aggregate root cause findings and analyze them?
- Has management performed a risk assessment for the business to understand which information and processes are critical to operations, and which are not?
- Have you compared the risk analysis with the root cause findings to determine which items, if fixed or changed, would prevent the largest number of point issues while still supporting business processes?