For the past two decades I and a handful of others have been preaching that organizations must look at security through a different set of glasses. For too many years we have been enamored with the bright shiny objects created by Symantec, IBM, Checkpoint and other technology companies, companies that want to keep alive the illusion that Info Security is a complicated and ambiguous thing that will always exist as long as there are bad guys with bad intentions. That complexity and ambiguity is what drives ungodly revenues on the back of fear, uncertainty and doubt.
So what does a castle have to do with information security? For years I have made the analogy that castles and their walls (also called “curtains”) are similar to today’s network security, and that our approach to info security shows we still live in medieval times. Around the 11th century castles were built with high, thick stone walls to thwart the bad guys. When the bad guys learned to scale the walls, the castles added moats around themselves to add yet another level of complexity to deter the bad guys. But then the bad guys learned to swim the moat and scaled the walls anyway. So the castles put alligators in the water to add yet another level of complexity to entering their domain. But the bad guys learned to kill the alligators, swim the moat, and scale the wall to get into the castle. The simple fact of the matter is that the bad guys will get in.
When the Drawbridge Is Down
In today’s world of Info Security, the analogy above represents less than 20% of security breaches, AND it is where most of today’s security spending is focused. What about the other 80%? Those incidents happen when the castle’s drawbridge is down and the bad guys do not look dangerous. They paint their coat of arms in the colors of the castle’s residents and simply walk across the bridge without any conflict. Once inside the castle they do as they wish. Today we call this social engineering: opening a malicious email attachment, or plugging in the USB thumb drive that was handed to us at a recent conference.
Knowing that the bad guys will always get in, the real question is this: how do we tell one coat of arms from another, find the needle(s) in the haystack (the DNA, if you will), and remove them from the castle before they lower the drawbridge in the middle of the night and let all the bad guys simply walk on in?
Well, the solution is not sexy, nor is it a bright shiny object. To borrow an analogy from football, it requires basic blocking and tackling, not running trick plays or throwing a Hail Mary on every down to score. It requires the adoption of best practices and an IT management methodology that instills process and detective controls to ensure service quality and mitigate operational and security risk. A decade and a half of research and benchmarking with over 800 IT executives across 300 organizations and industries has produced our Visible Ops methodology (www.itpi.org). That methodology of IT management stands on three pillars of ITIL: configuration management, change management, and release management.
AN INSIDE-OUT APPROACH!
So what does Visible Ops have to do with security? “All security events or breaches start with a change or a need for change.” A change is anything added, modified, or deleted. A need for change can be as simple as the need to apply a vulnerability patch, and to apply it correctly. To maintain a high degree of security in your IT infrastructure you must ensure that there is no “Integrity Drift”. Essentially this means that what is running in your IT environment is known and trusted, and that when new changes or configurations are applied they are authorized and expected: every difference between the trusted state and the observed state should reconcile to an approved change that produced the result it was supposed to. Don’t get me wrong, perimeter security has its place and value, BUT it should not be allocated the majority of the IT security budget to address only 20% of the problem.
We need to get out of the medieval habit of constructing new perimeter defenses against the fraction of security events and breaches that actually occur at the perimeter. We don’t need bigger walls or more water in the moat. We need to enter the 21st century, where process and methodology use tools that can discriminate at the DNA level what is known and authorized to run and operate in an IT environment.
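The two paragraphs above describe the mechanism without showing it: a trusted baseline, an observed state, and an authorized-change record that every difference must reconcile against. The following is an added example, not the author’s or ITPI’s code. It assumes that the “DNA” of a system is the SHA-256 hash of each file’s content and that authorized changes are recorded with the hash the change is supposed to produce. All file paths, contents and ticket IDs are constructed for the example; the classification names (UNAUTHORIZED, AUTHORIZED_BUT_WRONG_RESULT, AUTHORIZED_NOT_APPLIED) are the example’s own.

```python
"""Integrity drift detection, an added example (not the page's or ITPI's code).

A trusted baseline (what is known to be running) is compared with an observed
snapshot; every difference is reconciled against the authorized-change record,
so a change only counts as "expected" when a ticket covers it AND it produced
the result the ticket specified. All file contents, paths and ticket IDs below
are constructed for the example."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Fingerprint every file by content hash (the "DNA" of the environment)."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


@dataclass(frozen=True)
class AuthorizedChange:
    path: str
    expected_sha256: Optional[str]  # None means the approved change removes the file
    ticket: str


def detect_drift(baseline: Dict[str, str], observed: Dict[str, str],
                 authorized: List[AuthorizedChange]) -> List[dict]:
    """Classify every difference between baseline and observed state.

    UNAUTHORIZED: changed with no approving ticket (integrity drift).
    AUTHORIZED: changed, ticket exists, and the result matches what was approved.
    AUTHORIZED_BUT_WRONG_RESULT: ticket exists but the change did not land as approved.
    AUTHORIZED_NOT_APPLIED: ticket exists but nothing changed (e.g. patch never applied).
    """
    pending = {change.path: change for change in authorized}
    findings: List[dict] = []
    for path in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(path), observed.get(path)
        if before == after:
            continue
        kind = "added" if before is None else "deleted" if after is None else "modified"
        change = pending.pop(path, None)
        if change is None:
            status = "UNAUTHORIZED"
        elif change.expected_sha256 == after:
            status = "AUTHORIZED"
        else:
            status = "AUTHORIZED_BUT_WRONG_RESULT"
        findings.append({"path": path, "kind": kind, "status": status,
                         "ticket": change.ticket if change else None})
    # Whatever is still pending touched nothing; if the system does not already
    # match the approved state, the approved work was never carried out.
    for change in pending.values():
        if observed.get(change.path) != change.expected_sha256:
            findings.append({"path": change.path, "kind": "not_applied",
                             "status": "AUTHORIZED_NOT_APPLIED", "ticket": change.ticket})
    return findings


# --- Constructed sample data (not taken from any real system) -----------------
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/usr/lib/libssl.so": b"libssl build 1.0.1e\n",
    "/etc/ntp.conf": b"server ntp.corp.example\n",
    "/opt/app/config.yml": b"debug: false\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
OBSERVED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",              # unchanged
    "/usr/lib/libssl.so": b"libssl build 1.0.1g\n",               # approved patch, applied correctly
    "/etc/ntp.conf": b"server 0.pool.ntp.org\n",                  # approved change, wrong content landed
    "/opt/app/config.yml": b"debug: true\n",                      # nobody approved this
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n"
                          b"* * * * * root /tmp/.x\n",            # extra job appended to a cron file
    "/var/www/html/upload.php": b"<?php // not in any release\n",  # new file, no ticket
}
AUTHORIZED = [
    AuthorizedChange("/usr/lib/libssl.so", hashlib.sha256(b"libssl build 1.0.1g\n").hexdigest(), "CHG-1001"),
    AuthorizedChange("/etc/ntp.conf", hashlib.sha256(b"server ntp2.corp.example\n").hexdigest(), "CHG-1002"),
    AuthorizedChange("/opt/app/VERSION", hashlib.sha256(b"2.4.1\n").hexdigest(), "CHG-1003"),  # never deployed
]


def run_example() -> Dict[str, str]:
    """Return {path: status} for every finding in the constructed scenario."""
    findings = detect_drift(snapshot(BASELINE_FILES), snapshot(OBSERVED_FILES), AUTHORIZED)
    for f in findings:
        print(f"{f['status']:28} {f['kind']:11} {f['path']}  ticket={f['ticket']}")
    return {f["path"]: f["status"] for f in findings}


if __name__ == "__main__":
    run_example()
```

The point of the reconciliation step is that “the file changed” is not the alarm by itself; the alarm is a change with no approving record, an approved change that produced something other than what was approved, or an approved change (such as a patch) that never happened. In a real deployment the baseline would be taken from a known-good build and stored where the monitored hosts cannot alter it, and the observed snapshot would come from an agent or scheduled scan rather than an in-memory dictionary.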
Time to draw back the “Curtains” and understand the next evolution of IT management and security.