Security Concerns In The Corporate Environment
Last Updated: 25 Apr 2001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*** PLEASE NOTE: Link(s), If Provided, May Be Wrapped ***
These are some of the issues I have contended with in an
effort to bring enhanced security to various organizations.
This document is also available as a PDF file:
• http://KB.UltraTech-llc.com/Docs/?File=SecConcerns.PDF
Briefly, the major concerns are:
AWARENESS & COMPREHENSION
SCOPE
TOO MUCH EMPHASIS ON THE BOTTOM LINE
POOR METRICS
INADEQUATE TOOLS
AWARENESS & COMPREHENSION
From the perspective of awareness and resources, security
is like the IT of IT. That is to say, it is a massive
cost center within a cost center. Although we seem to
have finally gotten to the point where we can begin to
show productivity and performance gains (ROI) for other
facets of IT, there is no real ROI for security. All
executives see is a pit into which they're dumping money,
and for no apparent reason.
Every day that you go unhacked (or, more precisely, every
day that you fail to observe or detect a hack) is a day
that they feel they've spent money for nothing. Imagine
if I came to your home and told you that I could provide
you all the benefits of a secure, fully staffed bomb
shelter, for only $100.00 a month. You'd laugh me out of
the neighborhood. (I can already hear Mr. Burns saying
"Release the Hounds!")
This is how Senior Execs appear to feel about Security.
(The only area of IT that may have a worse PR situation
is Disaster Recovery). One reason for this is the lack
of any highly sophisticated Correlation Engines for
dealing with Real-Time data. (I'll get back to that in
a bit).
SCOPE
What are we trying to secure? And from whom?
Most folks don't know the answer to either question,
and so much pain and anguish ensues. This is a common
problem with many projects, but with security it is
deadly, because the usual workarounds are impossible.
BOTTOM LINE EMPHASIS
Many executives already have enough difficulty attempting
to understand where, and how best, to use technology, and
so security concerns completely overwhelm them.
I've seen plans for IDS implementations squashed because
it was felt that "we haven't had any breaches in the past
year" although the fact was that we couldn't *detect*
anything short of someone physically stealing all of our
equipment due to the lack of the very IDS under discussion.
When performing a risk assessment, the bean counters
always make lowball assumptions concerning potential
loss, making the proposed system seem hideously expensive
by comparison. You hear silly things like "at most, we
would be down for a single day" with no calculations
going toward Overtime, Comp Time, transportation costs
for early/late workers, or (most importantly) loss of
consumer confidence because of a strategic break-in.
Thus, a guaranteed saving of $1 million per year with
Plan B over Plan A immediately outweighs the wealth of
information and flexibility provided with Plan A, since
"at most, we are likely to see only one serious breach
over the 4 year period".
Additionally, security slows down everything. No project
is unscathed. This means that the company cannot push
its products/services out to market as fast as they want.
So, to go back to my Bomb Shelter analogy, not only will
I ask for a monthly fee, but I'm going to restrict your
movement within your own home every now and then. Want
to move your furniture? Hmmm... That might affect the
bomb shelter. Want to buy a new stereo system? Hmmm....
Only if it follows these guidelines...
POOR METRICS
You cannot adequately protect against what you do not
know, any more than you can tell how long it will take
you to travel to a destination that you are unsure of.
Any good security system *requires* that a baseline be
performed so that you have an understanding of what
"Last Known Good" is supposed to look like.
And metrics cost money (see "BOTTOM LINE EMPHASIS").
INADEQUATE TOOLS
This is pretty much a function of the industry being
young, and somewhat misguided. Companies are looking
for the savings and potential gain of seamless
integration of One-Stop Shops, but I believe that this
is a mistake. The security industry is not mature
enough for anyone to be stuck with the philosophy of
any one firm. Plus, at this stage in the game, there
are going to be mergers and acquisitions, so you could
easily find yourself with a new Security shop, trying
to migrate you to the rest of its suite. This is bad
enough when you're using them for ONE of their products
(Best of Breed strategy), but it is hideous if your
eggs are entirely in one basket.
The tools have to improve, and we need one or more
companies to start creating the "HP OpenView" of
Security Management: a framework that lets you put
all the other pieces together, no matter who they're
from. So far, it seems that eSecurity is going that way.
We need tools that are *like* SiteScope and NetIQ and
BMC Patrol for security. I know that some of these
tools have security modules, but they were designed to
be standard monitoring tools, and lack the ability to
deal with some of the nuances of security.
OVERALL MANAGEMENT ISSUES
The major problem with security is that there are lots
of gray areas. If you're monitoring a server in the
conventional way, then either the server is up, or it's
down. You can easily define thresholds for uptime,
performance, etc., and push that info to a screen that
gives folks a quick view of the health of the system.
Assessing the Security of that same server, however,
is not nearly as easy. Yes, there are clear breaches
of Security that can be recognized and graphed (DoS
attack, for instance) but there are many more subtle
things that cannot be determined as easily. Management
wants immediate notification, but some things take
time and correlation. Does a 5% increase in traffic on
a particular server represent anything? What about a
change on a different box? Or a few bad packets?
What might seem innocuous individually, might be a
distributed attack when taken together.
This also exposes the other ways in which a company is
not using its IT resources to the fullest. Is Capacity
Planning the norm? Are Disaster Recovery procedures
available, with periodic testing? Management support
for these *intangibles* will go a long way to providing
the essential infrastructure necessary for a comprehensive
security effort.
Today, because of all the other difficulties mentioned
above, there is a tendency for organizations to treat
security like any other project and wait until there is
a problem, then try to fix it. I call this the dreaded
"0-60 in 1 second" mentality.
This is VERY bad for oh, so many reasons. The normal
IT tricks-of-the-trade that we have all learned for
getting around clueless management will not work here...
#1 - When it comes to, say, server capacity, a good
Systems Manager can get around these management
issues by quietly ordering extras, and prioritizing
equipment to be scavenged in an emergency.
This won't work with an inadequate security implementation,
because you need to establish a baseline before the system
can be useful to you. After all, how do you know what
constitutes "normal network traffic" if you haven't had a
chance to observe it for a few months?
#2 - Getting buy-in from all the affected groups is
a nightmare. Management won't give Security
groups the necessary power (lack of understanding)
and without it, you're forced to plead with each
and every business unit, including IT, to be able
to do your job. You can get a stroke just thinking
about it...
WHAT WE NEED FROM SECURITY TOOLS
Instead of grand 5-year plans, I would like the security
industry to find key problems (short-term problems) and
solve them today. Management needs quick hits, and while
we're trying to educate them that there's much more than
that, we need to get some easy wins.
Someone needs to tie Antivirus into the Security mix.
Not just by offering a product, but by allowing admins
to gauge how many virus attacks they prevented and
how successful they were in combating the ones that got
through. Viruses are the easiest thing for management
to grasp in the security realm, so we should take
advantage of that to spread the rest of our gospel.
Some really good correlation tools are needed. This
cannot be emphasized enough. I can make good
determinations about Problem-A or Problem-B or Problem-C
by myself, but Innocuous-Events A-D might add up to a
problem that I need to contend with, and I need that
info as soon as possible. Don't try to make it
intelligent (because we are 2-4 years away from that).
Just give me the data in a framework and flexible
tools to let me set up any alerts I want. Forensics
is great, but I need an overview in real-time where
I can get a comprehensive picture about the well-being
of my environment.
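The baselining and correlation called for above (a "Last Known Good" per host, observed for a while before the system is trusted, and then several individually innocuous events added up into one incident) can be sketched in code. This is an added example, not code from the original document or from any of the vendors it names. The host names, the seven days of request counts, the bad-packet counts, and the 5% weak / 25% strong / three-host thresholds are all constructed assumptions.

```python
# Added example: baseline-then-correlate over constructed per-host counts.
# Not from the original document; hosts, counts and thresholds are assumptions.
from dataclasses import dataclass
from statistics import mean, pstdev

WEAK_TRAFFIC_PCT = 0.05      # the "5% increase" the text asks about
STRONG_TRAFFIC_PCT = 0.25    # assumed: a single host this far off baseline alerts alone
MIN_CORRELATED_HOSTS = 3     # assumed: this many weakly affected hosts = one incident

# Constructed "Last Known Good" window: seven days of requests per host
BASELINE_WINDOW = {
    "web-01":  [1000, 1020, 990, 1010, 1005, 995, 1000],
    "web-02":  [800, 810, 790, 805, 800, 795, 805],
    "db-01":   [300, 305, 295, 300, 310, 290, 300],
    "mail-01": [500, 510, 490, 505, 495, 500, 505],
}

# Constructed observations for the current day: requests plus malformed packets seen
TODAY = {
    "web-01":  {"requests": 1060, "bad_packets": 3},
    "web-02":  {"requests": 845,  "bad_packets": 2},
    "db-01":   {"requests": 318,  "bad_packets": 4},
    "mail-01": {"requests": 502,  "bad_packets": 0},
}


@dataclass(frozen=True)
class Baseline:
    host: str
    mean: float
    stdev: float


@dataclass(frozen=True)
class Signal:
    host: str
    kind: str      # "traffic" or "bad_packets"
    value: float   # deviation ratio for traffic, raw count for bad packets


def build_baseline(window):
    """Summarise the observation window into a per-host mean and spread."""
    return {h: Baseline(h, mean(c), pstdev(c)) for h, c in window.items()}


def traffic_deviation(base, observed):
    """Fractional change of today's count against the host's baseline mean."""
    return (observed - base.mean) / base.mean


def strong_alerts(baseline, today, pct=STRONG_TRAFFIC_PCT):
    """Hosts whose traffic alone crosses the per-host alert threshold."""
    return [h for h, obs in today.items()
            if traffic_deviation(baseline[h], obs["requests"]) >= pct]


def weak_signals(baseline, today, pct=WEAK_TRAFFIC_PCT):
    """Individually innocuous events: a small traffic rise, a few bad packets."""
    signals = []
    for host, obs in today.items():
        dev = traffic_deviation(baseline[host], obs["requests"])
        if dev >= pct:
            signals.append(Signal(host, "traffic", round(dev, 4)))
        if obs["bad_packets"] > 0:
            signals.append(Signal(host, "bad_packets", obs["bad_packets"]))
    return signals


def correlate(signals, min_hosts=MIN_CORRELATED_HOSTS):
    """Raise one incident when enough distinct hosts show weak signals together."""
    hosts = sorted({s.host for s in signals})
    if len(hosts) < min_hosts:
        return None
    return {"hosts": hosts,
            "kinds": sorted({s.kind for s in signals}),
            "signal_count": len(signals)}


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    print("per-host alerts:", strong_alerts(base, TODAY))   # [] : nothing fires on its own
    sigs = weak_signals(base, TODAY)
    for s in sigs:
        print("weak signal:", s)
    print("correlated incident:", correlate(sigs))
```

Run as written, no host is far enough off its own baseline to alert by itself, but three hosts each show a 5-6% rise plus a handful of bad packets in the same window, and correlate() reports them as one incident. The thresholds are deliberately plain variables rather than anything "intelligent": the point is a framework that exposes the baseline data and lets the operator set the rules.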
There are some security practices that are applicable
to almost every environment. These are generally in
the realm of Firewalls, DMZ, and some host based
security. OTOH, there are issues which are environment
specific. I think that some of the big boys in the industry
(ISS, Symantec/Axent, etc) have the right idea about
large environments, but their pricing and strategies
fail to scale down to the smaller environments that are
every bit as needy of good security as your standard
worldwide corporation.
One of the companies that I feel is scaling up rather
nicely is NetworkICE. I've been looking at their IDS
product suite, and I like it so far. Better than
nothing, which is actually saying a lot in this
industry.
What we need is quick solutions to the first round of
problems. Once this happens, and credibility is gained
with Senior Management, we will have more latitude to
protect more things in the environment, as well as a
better understanding of the type of tools we need.
For Host-based vulnerability assessment, my biggest
concerns involve customization and policy management.
I need to have a means of setting a policy on various
groups and users and being able to ascertain whether
or not the policy has been altered. And I want to do
this with as few agents as possible (everyone wants
an agent or three).
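One way to get the "has the policy been altered?" answer with a minimal agent is to have the host report only a fingerprint of its effective policy, and to pull the full settings for a detailed comparison only when that fingerprint no longer matches the approved one. The following is an added example, not code from the original document or from any product it mentions; the group names and the settings (password length, lockout threshold, remote login) are constructed for illustration.

```python
# Added example: detecting drift in a per-group host policy.
# Not from the original document; the policy settings and groups are constructed.
import hashlib
import json

# Constructed approved policy: settings that should be in force for each group
APPROVED_POLICY = {
    "admins":      {"min_password_length": 14, "lockout_threshold": 5, "remote_login": False},
    "staff":       {"min_password_length": 10, "lockout_threshold": 5, "remote_login": False},
    "contractors": {"min_password_length": 12, "lockout_threshold": 3, "remote_login": True},
}

# Constructed state read back from a host: one setting weakened, one group added
OBSERVED_POLICY = {
    "admins":      {"min_password_length": 14, "lockout_threshold": 5, "remote_login": False},
    "staff":       {"min_password_length": 6,  "lockout_threshold": 5, "remote_login": False},
    "contractors": {"min_password_length": 12, "lockout_threshold": 3, "remote_login": True},
    "guests":      {"min_password_length": 4,  "lockout_threshold": 0, "remote_login": True},
}


def fingerprint(policy):
    """SHA-256 over a canonical (key-sorted, whitespace-free) JSON form."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def policy_drift(approved, observed):
    """Map each altered group to {setting: (approved_value, observed_value)}.
    A group present on only one side is reported under the "<group>" key."""
    drift = {}
    for group in sorted(set(approved) | set(observed)):
        a, o = approved.get(group), observed.get(group)
        if a is None or o is None:
            drift[group] = {"<group>": (a, o)}
            continue
        changed = {k: (a.get(k), o.get(k))
                   for k in sorted(set(a) | set(o)) if a.get(k) != o.get(k)}
        if changed:
            drift[group] = changed
    return drift


def verify(approved, observed, expected_fingerprint):
    """Cheap check first: only diff in detail when the fingerprint no longer matches."""
    if fingerprint(observed) == expected_fingerprint:
        return {}
    return policy_drift(approved, observed)


if __name__ == "__main__":
    known_good = fingerprint(APPROVED_POLICY)
    print("unchanged host:", verify(APPROVED_POLICY, APPROVED_POLICY, known_good))
    for group, changes in verify(APPROVED_POLICY, OBSERVED_POLICY, known_good).items():
        print(f"{group}: {changes}")
```

Canonical serialisation matters: if the agent and the central side serialise the same settings with different key order, every host would look altered. With the constructed data, verify() reports the weakened staff password length and the unexpected guests group, and nothing for the groups that still match.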
What might be nice, for organizations just starting
out, or for places where security is purely an admin
function, would be to facilitate the creation of good
Corporate Policies by providing templates (similar to
the Resume Writing programs) for proper security
procedures and guidelines.
CONCLUSION
Management education and quick wins. That's all I
seek....
Security involves the whole company, not just IT. It
is a set of methodologies, not just a product suite.
Management must be made to understand that it is the
cost of doing business, like Liability Insurance --
not something that can be successfully thrown into the
mix afterwards.
VENDORS
• http://www.networkice.com/
• http://www.esecurityinc.com/
PERSONAL NOTES
• The NetScreen product suite is rather appealing. They
cover everything from simple Broadband connections to
Gigabit Ethernet Enterprise, all with VPN support. At
the low-end, their firewall appliances are fairly
inexpensive, and outperform many products up to 10
times more expensive.