Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Get Back To Essentials With Health And Avoid Serious Problems

When you were a child you will have been taught that brushing your teeth appropriately and flossing will avoid the requirement for expensive crowns and root canal treatments. Fundamental health is way simpler and far more affordable than overlook and illness. This same lesson applies in the realm of enterprise IT – we can run a sound operation with appropriate endpoint and network health, or we can face increasing security problems and disastrous data breaches as lax hygiene extracts its burdensome toll.

Functional and Security Issues Overlap

Endpoint Detection and Response (EDR) tools like those we develop here at Ziften offer analytic insight into system operation across the business endpoint population. They also offer endpoint-derived network operation insights that substantially broaden on wire visibility alone and extend into cloud and virtual environments. These insights benefit both security and operations teams in considerable ways, given the considerable overlap between operational and security issues:

On the security side, EDR tools provide vital situational awareness for incident response. On the operational side, EDR tools provide important endpoint visibility for operational control. Critical situational awareness demands a baseline comprehension of endpoint population operating norms, which understanding facilitates correct functional control.

Another method to explain these interdependencies is:

You cannot protect what you don’t manage.
You cannot control what you do not measure.
You cannot measure what you don’t track.

Managing, measuring, and tracking has as much to do with the security function as with the functional role, don’t aim to split the baby. Management suggests adherence to policy, that adherence should be measured, and operational measurements make up a time series that should be tracked. A few sporadic measurements of important dynamic time series lacks interpretive context.

Tight security does not make up for lazy management, nor does tight management make up for lazy security. [Read that once more for emphasis.] Objective execution imbalances here result in unsustainable inefficiencies and scale difficulties that undoubtedly lead to major security breaches and operational shortages.

Where The Areas Overlap

Significant overlaps between functional and security concerns consist of:

Configuration hardening and standard images
Group policy
Application control and cloud management
Management of the network including segmentation
Data security and encryption
Management of assets and device restoration
Mobile device management
Log management
Backups and data restoration
Patch and vulnerability management
Identity management
Access management
Staff member continual cyber awareness training

For instance, asset management and device restore as well as backup and data restore are most likely operational team obligations, however they become significant security problems when ransomware sweeps the enterprise, bricking all devices (not simply the normal endpoints, but any network connected devices such as printers, badge readers, security cams, network routers, medical imaging devices, commercial control systems, and so on). What would your business response time be to reflash and refresh all device images from scratch and restore their data? Or is your contingency strategy to quickly pack the opponents’ Bitcoin wallets and hope they have not exfiltrated your data for additional extortion and money making. And why would you offload your data restoration obligation to a criminal syndicate, blindly relying on their perfect data restoration stability – makes definitely no sense. Operational control duty rests with the enterprise, not with the enemies, and may not be shirked – shoulder your responsibility!

For another example, basic image building using finest practices setup hardening is plainly a joint responsibility of operations and security personnel. In contrast to inefficient signature based endpoint protection platforms (EPP), which all big enterprise breach victims have long had in place, configuration hardening works, so bake it in and continually refresh it. Likewise think about the requirements of business personnel whose job function demands opening of unsolicited email attachments, such as resumes, billings, legal notices, or other required files. This must be performed in a cloistered virtual sandbox environment, not on your production endpoints. Security staff will make these decisions, but operations staff will be imaging the endpoints and supporting the workers. These are shared duties.

Example Of Overlap:

Detonate in a safe environment. Don’t utilize production endpoints for opening unsolicited however needed email files, like resumes, billings, legal notifications, etc

Focus Limited Security Resources on the Jobs Just They Can Carry out

Most big enterprises are challenged to efficiently staff all their security roles. Left unaddressed, deficiencies in functional efficiency will stress out security staff so rapidly that security functions will constantly be understaffed. There won’t be enough fingers on your security group to jam in the multiplying holes in the security dike that lax or inattentive endpoint or network or database management develops. And it will be less hard to staff operational roles than to staff security roles with gifted analysts.

Offload routine formulaic activities to operations personnel. Concentrate minimal security resources on the jobs only they can carry out:

Security Operations Center (SOC) staffing
Preventative penetration testing and red teaming
Reactive incident response and forensics
Proactive attack hunting (both insider and external).
Security oversight of overlapping functional roles (guarantees current security frame of mind).
Security policy development and stake holder buy-in.
Security architecture/tools/methodology design, choice, and advancement.

Impose disciplined operations management and focus restricted security resources on important security functions. Then your enterprise might prevent letting operations concerns fester into security problems.