Security is a key operational consideration for organizations today because a breach can lead to significant losses of revenue, reputation, and legal standing. An entity’s environment is an ecosystem made up of users, roles, networking equipment, systems, and applications coming together to facilitate productivity and profitability as securely as possible. No environment will ever be 100% secure against all threats. The next best option is to be proactive: defend against known attacks, and provide real-time, adaptable monitoring that detects and alerts on behavior outside what is considered normal in the environment.
This blog series will present suggestions and guidelines for building and maintaining an environment for administrators to defend against and mitigate threats.
Security is no longer just an overlay to a network topology. Security methods provide protection for data, access, and infrastructure, and should be defined and deployed based on a carefully defined security policy. An effective security policy integrates well-known protection methods into a network in a way that meets both security standards and the business goals of the entity being secured.
This is facilitated by defining use cases representing key business drivers, such as:
- Improved efficiency through streamlined security processes reducing operational expenses in terms of time, money, and personnel
- Increased productivity through well-defined and applied policies correctly balancing the level of access with perceived risk
- Better agility allowing for efficiency with respect to the implementation of compliance and regulatory objectives, migration strategies, and risk mitigation techniques
Identifying use cases is often the catalyst for a security policy review. Remember, each entity within an organization will have its own objectives. Even if things look typical on the surface, to sell the security policy its benefits must be apparent to each stakeholder.
Here are some common use cases and relevant details a security policy should outline.
- Performance and Availability
  - SLA requirements
  - Capacity and potential growth
  - Efficient use of bandwidth and device resources
  - Planning for redundant designs
- Compliance or legal requirements
  - Compliance demonstration during audits
- Granularity of monitoring and control
  - Detect suspicious behavior of log sources
  - React to expected host/log sources not reporting
  - Installation of agents on endpoints or collectors
  - Consolidation of log sources for a single view
  - What is the cost of downtime?
  - Acquisition and placement of management tools
  - What key events need to be highlighted?
  - Application of analytics, rulesets, and alerts
  - Escalation chain to handle alerts and incident response
  - Automated controls versus user intervention
  - Issue reporting mechanisms and management protocols
  - Support costs: in-house, outsourced
  - Centralized repository versus per-device
  - Need for multiple levels of control
  - Automation of distribution
  - Change management processes
  - Vulnerability assessment strategy
- Acceptable Use Monitoring
  - Employee monitoring
  - Analyzing user behavior to detect potentially suspicious patterns
  - Analyzing network traffic to pinpoint trends indicating potential attacks
  - Identifying improper user account usage, such as shared accounts
  - Publishing policies for the use of the organization’s resources
  - Develop a baseline document to outline threshold limits, critical resource information, user roles, and policies, and apply it to a monitoring system, service, or playbook
  - Legally acceptable method of handling breaches
- Threat Playbook
  - Identify the threats and attacks of concern (could be industry-specific):
    - Detecting data exfiltration by attackers
    - Detecting insider threats
    - Identifying compromised accounts
    - Detection of brute force attacks
    - Application defense checks
    - Malware checks and update process
    - Detection of anomalous ports, services, and unpatched hosts/network devices
  - Incident investigation process
  - Proactive threat hunting
  - Engaging legal entities and incident response personnel
In summary, a security policy builds the foundation for a secure network, but it must be valuable to, and enforceable by, the organization and all of its stakeholders.
In the next blog in this series, we’ll look at how use cases can be mapped to the components in the environment.