November 2005 Issue

Inside Current Issue: Cyber Talk

An Interview with Dr. Dennis Moreau, the Chief Technology Officer for Configuresoft

SCJ: What are the main security and auditing challenges an organization faces?

Moreau: The primary challenges facing security and auditing in organizations are the large number and diversity of threats. Not only is the volume increasing, but so is the diversity of that volume, which is core to the problem of being more complex and intense over time. This poses a challenge for both technology and growth within organizations. With such new technologies as process and storage virtualization, come new vulnerabilities, threats and immediate provisions for controlling and protecting those kinds of assets. Exploits are becoming more aggressive, and the ability to respond to them on a technology base is essentially new and evolving.

SCJ: What are the root causes of system non-compliance in the enterprise?

Moreau: The root cause of system non-compliance in the enterprise is configuration shift. That is, you can employ the right discipline and excellent technologies to configure a system the way you want it right now. However, the second it gets into the real world, the potential exists for change coming from such activity as system uploads or crashes. This creates a gap so that when you restore it to the way it was a week or a month ago, all of the intervening patches, configuration settings and protection mechanisms are not in place, leaving a window of vulnerability. A configuration shift in a system is the difference between what you expect to be out there and what’s actually out there. That inhibits the organization’s ability to understand its real vulnerability footprint or to effectively focus on IT response. This can cause an organization to become non-compliant.

SCJ: How is intrusion prevention linked to configuration management?

Moreau: The key issue is that intrusion detection and prevention techniques depend on the ability to understand and recognize threats. The first intrusion prevention systems were signature based, so if you knew the signature of an exploit, you could recognize and block it. The problem is that with the increasing diversity of these exploits, the list of signatures grows very rapidly. In a large scale environment, they must be consistently and effectively deployed in many places before they’re completely in effect. There are many points at which you will need to detect and prevent particular exploits from happening. When that list is constantly changing, it becomes a configuration management problem.

A newer intrusion prevention technique is the heuristic-based system, where a system looks at the behavior of these exploits and specific patterns rather than just signatures. The problem here is that there are rules to determine what is significant, what is threatening or suspicious behavior and what is not. In a fully functional, completely secure enterprise, any new technologies and change loads on applications could be labeled as suspicious kinds of behaviors. This can generate false alarms, which is problematic since those false alarms can interfere with mission-critical activity. When looking at intrusion prevention, you wind up dealing with the configuration management problem of deploying, tracking and updating that technology. Integrating intrusion prevention into the discipline of configuration management is the key to making it effective.

SCJ: What are the most important aspects of security planning?

Moreau: The biggest problem in security is that you can’t patch as fast as the aggressive exploits infect. When looking at security planning, the right answer is not to re-provision, but to provision to the next desired state. Deciding on what that state is, how to deploy it, and how to keep it in place are configuration management problems. That next desired state could mean tightening down the firewall, tightening down the quality of service channel, turning off the vulnerable service, changing the configuration setting and/or finally deploying a patch. The right approach depends on what the system is doing and in what context it lives. To make a decision between those alternatives is critical to security planning. In order to do so, you must gather the comprehensive configuration information of a system.

SCJ: How can an organization protect itself from unknown risks?

Moreau: The key issue is to be comprehensive and constantly assessing the enterprise so that you always have that decision support database that lets you understand what the vulnerability footprint is, and how it supports your ability to make effective remediation planning actions. That requires collecting not just security information but also operational information. If you can see the security information, you can determine if the system is vulnerable or not.

Once you know where the system is vulnerable, you need to understand what the remediation options are. Do I tighten down the firewall? Do I create a quality of service channel that protects that system and insulates it? Do I turn off the vulnerable service or do I actually roll the dice and go ahead and patch it without testing? In all of those circumstances what you should look for is a very tight synergy - a need to understand operationally how these things are coupled, where they fit, and what the right remediation alternatives are, and separately, the planning that it takes to get that done. It is becoming essential that organizations not separate the operational configuration detail from the security relevant and security specific technical controls.

SCJ: What risks can organizations face as they move toward a compliance environment?

Moreau: Although non-compliance includes risks that you’re moving away from, the process of becoming compliant can also carry its own risks. One of the risks is that IT gets viewed as non-responsive, which can cause an inability to support changing business needs. This creates an impetus for alternative mechanisms, non-centralized IT or non-standardized IT deployments of IT technologies, which then become their own threat as non-compliance. Also, the need for control to achieve compliance actually creates an incentive for shadow IT organizations to grow, which represents non-compliance. The need to have a balanced and integrated approach between compliance and operational necessity is critical. We see the convergence of vulnerability management and security incident management, and now to some extent operational organizational planning with respect to IT. This enables security responses to be informed by and protective of business necessity.

© 2005 | Designed & managed by Oculus Networks