FEATURE

October 2014 Network Security 5

Security metrics to manage change

Jody Brazil, FireMon

Enterprise security is constantly evolving. The larger the enterprise, the more changes there are to its network. New hires come in; employees are promoted, leave or are reassigned to new roles. It is the natural order of business and happens in any progressive organisation. What all this change does, however, is create self-inflicted security risks that can be prevented. IT industry analyst Gartner has projected that, “through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws”.

Significant challenge

As employees move about an organisation and change roles, the firewall rules that grant them access should change as well. As any IT manager will testify, they are regularly called on to fix a problem where employees lack access to systems they should have. But what happens when an employee leaves? It is not a stretch of the imagination to realise that the firewall access rules put in place for that employee and their workgroup are likely never closed off, because nobody raises a change request to remove access that is no longer needed. For small organisations this is not much of a problem, but in an organisation with thousands of people, staying on top of it becomes a significant challenge.

Overly permissive firewall rules are easy entry points for cyber-attackers and easily lead to data breaches, as do rules that are still in place but no longer necessary. At the heart of this problem, however, is that it can be almost impossible to keep track of all these changes and understand the impact they have on the security of a network.

In April 2014, FireMon conducted research through the Ponemon Institute of 597 individuals who work in IT, IT security, compliance, risk management and related fields, to understand how organisations respond to changes in the security risk landscape and how metrics can help drive more effective and informed decisions.1

The conclusion was that more effective change management metrics can lead to greater reliability, resiliency and efficiency in security defences. According to the findings, there is overwhelming agreement that metrics are critical to achieving an effective security change management process. Further, real-time analysis is important to understanding new and emerging security risks. However, such metrics and analysis are lacking in most organisations.

Figure 1: Responses to the question, ‘how strong is your organisation’s security posture?’, where 1=weak and 10=strong. Source: FireMon/Ponemon Institute.

Lack of communication

What may affect the availability of the resources necessary to build a strong security posture is the lack of communication between the C-suite and those in IT security. According to the findings, the IT security practitioner rarely meets regularly with leadership about security issues. As a result, many senior executives do not have an accurate or complete picture of how successful (or unsuccessful) the IT security function is in protecting the organisation and its data. In fact, security practitioners say the CEO and board have far more confidence in the security posture of the



organisation than they – the security professionals – have.

Perception gap

This posture perception gap puts organisations at risk. Only 13% of IT managers would rate the security posture of their organisation as very strong, whereas 33% say their CEO and board believe the organisation has a very strong security posture. Such a gap reveals the problem the security function faces in accurately communicating the true state of security. On further investigation, the apparent cause of this perception gap is that over half (51%) of IT managers admitted to filtering out negative facts about security before talking with senior executives.


On top of this, some 71% of respondents say that communication with the board occurs at too low a level, or only after a security incident has already occurred. This perception gap signals that security practitioners either are not given the opportunity to communicate the true state of security in the organisation or cannot do so effectively. As a result it is much harder to convince senior management of the need to invest in the right people, processes and technologies to detect and manage security threats.

When asked why communication can’t be better, respondents identify as a root cause the existence of silos that keep information from being communicated throughout the organisation. Having said that, many IT managers recognise that the technical nature of the information being conveyed could be frustrating to senior executives, which can mean that the whole story is not revealed because negative facts are filtered out.

Implications of the disconnect

According to Ponemon, an important capability such as the agility to manage the impact of change on IT security operations suffers when the security function cannot convince management of the need for sufficient resources, budget and technology. When asked to rate their organisation’s overall agility in managing the impact of change on IT security operations, respondents rate it fairly low: only 16% say their organisation has a very high level of agility, and a quarter admit that its ability to manage change is very low.

This lack of agility to manage change stems from the lack of technologies and processes available to the IT security team: 43% of IT managers say that the metrics currently in use within their organisations do not communicate the true state of security efforts. The biggest reasons given for failing to measure the state of security accurately are that more pressing issues take precedence, that communication with management occurs only when there is an actual incident, that the information is too technical to be understood by non-technical management teams, and that there is a lack of resources to develop or refine the metrics.
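The change-management metrics this section says most organisations lack can be produced directly from the rule base, and the same audit answers the question raised under “Significant challenge” of what happens to a leaver’s rules. The following is an added example, not FireMon’s code and not any firewall vendor’s rule format: it checks a constructed rule set against a constructed staff roster for rules whose requester has left, rules that no longer match any traffic, and overly permissive rules, and reports them as counts that can be tracked from one change window to the next. The field names, the 90-day idle window, the sample rules and the roster are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2014, 10, 1)  # constructed audit date


@dataclass
class Rule:
    """One firewall rule plus the change-management data recorded with it.
    Assumed fields: real products keep owner and hit data in their own formats."""
    rule_id: str
    src: str                  # "any" or an address/zone label
    dst: str
    service: str              # "any" or proto/port, e.g. "tcp/443"
    action: str               # "allow" or "deny"
    owner: str                # user ID of whoever requested the rule
    last_hit: Optional[date]  # last time the rule matched traffic; None = never
    created: date


# Constructed sample rule base (not a real organisation's policy).
RULES = [
    Rule("R1", "10.1.0.0/16", "10.9.0.10", "tcp/1433", "allow", "alice", date(2014, 9, 30), date(2013, 2, 1)),
    Rule("R2", "10.1.5.7", "10.9.0.20", "tcp/22", "allow", "bob", date(2014, 3, 1), date(2012, 6, 15)),
    Rule("R3", "any", "10.9.0.0/24", "any", "allow", "carol", date(2014, 9, 29), date(2011, 1, 10)),
    Rule("R4", "10.2.0.0/16", "10.9.0.30", "tcp/443", "allow", "dave", None, date(2013, 11, 5)),
    Rule("R5", "any", "any", "any", "deny", "system", date(2014, 9, 30), date(2010, 1, 1)),
]

# Constructed roster of staff still employed. In practice this comes from the
# directory (for example the enabled accounts returned by an LDAP query).
ACTIVE_STAFF = {"alice", "carol", "system"}


def rules_to_review_on_exit(rules, user):
    """Allow rules requested by a named leaver: the review list for their exit."""
    return [r.rule_id for r in rules if r.action == "allow" and r.owner == user]


def orphaned_rules(rules, active_staff):
    """Allow rules whose requester has already left and whose access was never removed."""
    return [r.rule_id for r in rules
            if r.action == "allow" and r.owner not in active_staff]


def unused_rules(rules, today=TODAY, max_idle_days=90):
    """Allow rules never matched, or not matched within the idle window."""
    stale = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.last_hit is None or (today - r.last_hit).days > max_idle_days:
            stale.append(r.rule_id)
    return stale


def overly_permissive_rules(rules):
    """Allow rules that use 'any' for source, destination or service."""
    return [r.rule_id for r in rules
            if r.action == "allow" and "any" in (r.src, r.dst, r.service)]


def change_metrics(rules, active_staff, today=TODAY):
    """Counts to track over time, plus the rules to remove first: unused rules
    that are also orphaned or overly permissive."""
    allow_total = sum(1 for r in rules if r.action == "allow")
    orphaned = set(orphaned_rules(rules, active_staff))
    unused = set(unused_rules(rules, today))
    permissive = set(overly_permissive_rules(rules))
    return {
        "allow_rules": allow_total,
        "orphaned": len(orphaned),
        "unused_90d": len(unused),
        "overly_permissive": len(permissive),
        "pct_orphaned": round(100 * len(orphaned) / allow_total, 1) if allow_total else 0.0,
        "remove_first": sorted(unused & (orphaned | permissive)),
    }


if __name__ == "__main__":
    for key, value in change_metrics(RULES, ACTIVE_STAFF).items():
        print(f"{key}: {value}")
```

On the constructed data, half of the allow rules belong to people who have left, and both of those rules have also gone unused for more than 90 days, so they go to the top of the removal list; the rule with “any” source and service is still in daily use and needs a narrowing change rather than deletion. The percentage figures, not the raw counts, are what survive a conversation with a board that does not want to hear about ports.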


The research also looked at how IT managers rated their organisation’s ability to address seven specific factors that may impact their security posture. Figure 3 lists those capabilities and whether respondents rated the ability to accomplish them as high, moderate or low. The findings reveal that most IT managers say their organisations are best at managing security threats, hiring and retaining competent security staff and employees, and discovering and containing compromises and breaches quickly. They are not as effective at achieving compliance with leading security standards and frameworks and minimising third-party security risks.

The third-party risk

Managing the risk of allowing third parties access to a network was highlighted very recently. In the Target data breach, the retailer chose to allow a third party access to its network but failed to properly secure that access, an attack vector that was wholly preventable.

Even if the retailer had a valid reason for giving the access, it should have segmented its network to ensure that the third party had no access to any other systems, including payment servers. This is a clear example of an IT security team not understanding the combined effect of the rule sets put in place to allow the access, because it lacked insight into how traffic could flow through its network: a rule can look harmless on its own while the chain of rules it joins gives an outsider a path to the most sensitive systems.

Figure 2: When do IT security practitioners meet with senior executives? Source: FireMon/Ponemon Institute.

Several mature processes and practices exist for securing third-party access to enterprise networks, and companies like Target are required to follow some of them: PCI DSS requires firewall configurations that restrict traffic between untrusted networks and the cardholder data environment, and strongly recommends (without strictly mandating) segmenting that environment from the rest of the network to protect sensitive cardholder data. It was Target’s responsibility to ensure that those practices were followed, but the fact that the attackers were able to leverage third-party access to reach Target’s payment systems suggests that they were improperly implemented.
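Checking segmentation means reasoning over the rule base, not over individual rules. The following added example is not Target’s network, not FireMon’s product and not any firewall vendor’s format: it models rules between constructed zones with first-match semantics and asks whether any chain of permitted flows leads from a third-party zone to the payment zone. A direct check finds no vendor-to-payment rule in the weak policy, but a path search finds a two-hop route through the corporate zone; the hardened policy terminates vendor traffic in a dedicated zone with no onward allow. The zone names, the service list and both rule sets are constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str
    service: str  # "any" or proto/port
    action: str   # "allow" or "deny"


def first_match(rules, src, dst, service):
    """First-match semantics: the first rule that covers the flow decides.
    Assumes a default-deny firewall when no rule matches."""
    for r in rules:
        if r.src in ("any", src) and r.dst in ("any", dst) and r.service in ("any", service):
            return r.action
    return "deny"


def direct_exposure(rules, src, dst, services):
    """The naive check: which services does the policy allow straight from src to dst?"""
    return [svc for svc in services if first_match(rules, src, dst, svc) == "allow"]


def zone_graph(rules, zones, services):
    """Directed graph of zones; each edge carries the services permitted between them."""
    edges = {z: {} for z in zones}
    for s in zones:
        for d in zones:
            if s != d:
                allowed = direct_exposure(rules, s, d, services)
                if allowed:
                    edges[s][d] = allowed
    return edges


def find_path(rules, zones, services, start, target):
    """Breadth-first search for a chain of permitted flows from start to target.
    Returns [(src, dst, services), ...] for the shortest chain, or None.  A chain
    longer than one hop means a foothold in an intermediate zone is enough."""
    graph = zone_graph(rules, zones, services)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        zone, path = queue.popleft()
        if zone == target:
            return path
        for nxt, svcs in graph[zone].items():
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(zone, nxt, svcs)]))
    return None


SERVICES = ["tcp/443", "tcp/445", "tcp/3389"]

# Constructed "before": the vendor reaches a corporate portal, and corporate
# admins reach payment hosts over SMB and RDP.  No rule mentions vendor and
# payment together, yet vendor -> corporate -> payment is open.
ZONES_WEAK = ["vendor", "corporate", "payment"]
POLICY_WEAK = [
    Rule("vendor", "corporate", "tcp/443", "allow"),
    Rule("corporate", "payment", "tcp/445", "allow"),
    Rule("corporate", "payment", "tcp/3389", "allow"),
    Rule("any", "any", "any", "deny"),
]

# Constructed "after": vendor traffic terminates in its own zone, which is
# explicitly forbidden to initiate anything; only a jump zone reaches payment,
# and nothing reachable from the vendor reaches the jump zone.
ZONES_HARDENED = ["vendor", "vendor_dmz", "corporate", "jump", "payment"]
POLICY_HARDENED = [
    Rule("vendor", "vendor_dmz", "tcp/443", "allow"),
    Rule("vendor_dmz", "any", "any", "deny"),
    Rule("corporate", "jump", "tcp/3389", "allow"),
    Rule("jump", "payment", "tcp/3389", "allow"),
    Rule("any", "any", "any", "deny"),
]


if __name__ == "__main__":
    print("direct vendor->payment (weak):", direct_exposure(POLICY_WEAK, "vendor", "payment", SERVICES))
    print("path vendor->payment (weak):", find_path(POLICY_WEAK, ZONES_WEAK, SERVICES, "vendor", "payment"))
    print("path vendor->payment (hardened):", find_path(POLICY_HARDENED, ZONES_HARDENED, SERVICES, "vendor", "payment"))
```

The result is only as good as the zone model: a host that is dual-homed across two zones, a NAT rule, or a rule written against address ranges that straddle zones all create edges this graph does not see, which is why production tools work from the actual address objects and routing rather than from labels. The hardened policy still leaves a corporate-to-jump-to-payment path for administrators; the search reports it, so that residual exposure is a known, documented decision rather than a surprise.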


No matter how the cyber-criminals launched the Target data breach campaign, what is clear from the attack is that Target’s security controls, which should have prevented the installed malware from propagating across the point-of-sale (POS) network, were not functioning effectively. Without question, an organisation of this size would have many different types of network defence, such as firewalls, intrusion detection systems (IDSs) and data loss prevention (DLP) systems, yet none of them prevented the data breach from happening.

Bad communication

As is often the case, research into the attitudes of IT teams and how they see their organisation is fine in principle, but it is rare to see those opinions tested against a real-world incident. The Target data breach is such a test: it shows a failure on many levels to secure the network adequately against a wide-ranging attack, as well as a failure to communicate the real state of security within the organisation.


The Ponemon research is evidence that the IT security function needs to improve its communication with senior executives. It highlights that IT managers believe senior executives have a far more optimistic view of the state of security in their organisations than the specialists have. To improve on this, metrics need to clearly convey the organisation’s security posture, provide guidance on how to manage the change to the security function brought by the introduction of disruptive technologies, and be supportive of the organisation’s goals and mission.

Ultimately, IT security teams can only be effective at their job when senior executives understand the importance of security and know the full picture. By not communicating effectively with board members, and by omitting negative facts, security teams are putting themselves on the back foot when it comes to protecting their organisation.

About the author

As founder and CEO of FireMon, Jody Brazil is a seasoned entrepreneur with more than two decades of executive management experience and deep domain expertise in all aspects of networking, including network security design, network security assessment and security product implementation. Before joining FireMon in 2004, Brazil spent eight years at FishNet Security, serving as CTO, where he was responsible for providing direction for solutions to its customers.

Reference

1. ‘More than half of organisations filter out negative facts before communicating security risk to C-level executives’. FireMon press release, 15 Apr 2014. Accessed Oct 2014. www.firemon.com/about-us/news/press-release_organisations_filter_negative_facts_before_communicating_security_risk.

Figure 3: The strengths and weaknesses of IT security. Source: FireMon/Ponemon Institute.