BreachExchange mailing list archives

High-profile breaches throw a wrench into security policy management


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Apr 2014 19:41:08 -0600

http://searchnetworking.techtarget.com/news/2240219453/High-profile-breaches-throw-a-wrench-into-security-policy-management

Highly publicized security threats and breaches have been grabbing the
spotlight recently, forcing many enterprises to make hasty changes to their
infrastructure or revisit their security policy management processes. But
hurried changes -- and not enough emphasis on the daily, fundamental
elements of network security -- can spark a chain reaction of larger
security problems down the road and unexpected network outages.

Enterprise network security teams are so focused on quickly responding to
high-profile security threats -- such as the Heartbleed vulnerability and
the Edward Snowden-NSA revelations -- that they often fail to enforce change
management policies for infrastructure and security appliances. These
change management failures account for a rising share of application and
network outages -- 55% of noted outages in 2012, 73% in 2013, and 82% so
far in 2014, according to a recent survey of enterprise security and
network operations professionals from security policy management vendor
AlgoSec.

Many enterprises try to prevent or recover from a security breach by making
unplanned, undocumented and potentially hard-to-support changes to a border
device in order to block a new threat. But if there aren't good change
management features built into routers or firewalls, that change can have
unexpected ramifications, said network engineer and blogger Nick Buraglio.

"These changes are often made without thinking them all the way through and
that can bite you later," he said. "The smallest configuration flaw is
still a flaw."

Overlooking security policy management process fundamentals? Watch out for outages

Knee-jerk reactions to high-profile security breaches are all too common
within enterprises, Buraglio said. While enterprises focus on breaches like
Heartbleed, ignoring the rest of the everyday defense strategy is a recipe
for even bigger issues down the road.

"You have to pay attention to the tank pointed at your front door, but you
also have to be aware that there are probably termites in your house, too.
Taking care of the little security items always seems to get pushed to the
back burner," Buraglio said.

"There's always going to be something larger that security professionals
could be working on. But in reality, if they just focused on the
fundamentals -- like keeping patches up to date -- they'd be so much
further along," said John Pironti, president of Rowley, Mass.-based
consultancy IP Architects LLC.

Change management, a fundamental part of the security process, should be
given more attention and time. "The problem is that the board or the CIO
will read about a breach in the Wall Street Journal and then go ask IT what
they are doing to prevent something like this," said Nimmy Reichenberg,
vice president of marketing and strategy for AlgoSec. "A focus more on the
fundamentals might not sound like as good a response as 'look at the new
anti-threat gadget we just bought,'" he said.

But as networks evolve and cloud services become a part of the enterprise
environment, fundamental tasks like configuration and management are
becoming difficult, resulting in a more complex security threat landscape.
In 2013, 57% of organizations suffered a data center application outage due
to a security misconfiguration, according to the survey. "It's becoming
even more difficult for IT to just keep the lights on," Reichenberg said.

Rethinking security policy management: Tools and best practices

Change management tools and automation software can help eliminate manual
error, but businesses often skimp on these tools, Buraglio said. "It's
frightening how [often] change management is not in place -- so many
enterprises are not keeping track of their flow or log data," he said.

These tools can help enterprises understand the surface area that needs to
be protected and highlight where changes may not have been properly put
into place, IP Architects' Pironti said.
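The two situations the article describes -- an emergency, undocumented rule pushed onto a border firewall, and a tool that shows where the running configuration no longer matches what was approved -- can be checked with a small audit script. The example below is added here and is not code from the article, from AlgoSec or from any product it mentions. It assumes a simplified iptables-style rule syntax; the baseline, running ruleset, IP ranges and ticket ID (CHG-1042) are constructed sample data.

```python
"""Audit a running firewall ruleset against an approved baseline and change tickets.

Added example (not from the article). Rules use a simplified iptables-style
syntax; all rulesets, addresses and ticket IDs below are constructed.
"""
import ipaddress
import shlex

# Constructed sample data: the approved baseline, what is actually running on
# the border device, and the change tickets that were filed for it.
BASELINE = [
    "-A INPUT -s 198.51.100.0/24 -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp --dport 443 -j ACCEPT",
    "-A INPUT -p tcp --dport 80 -j ACCEPT",
    "-A INPUT -j DROP",
]
RUNNING = [
    "-A INPUT -s 203.0.113.7/32 -j DROP",   # emergency block, filed as CHG-1042
    "-A INPUT -s 192.0.0.0/8 -j DROP",      # hasty, undocumented, and very broad
    "-A INPUT -s 198.51.100.0/24 -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp --dport 443 -j ACCEPT",
    "-A INPUT -j DROP",                     # the port-80 rule quietly disappeared
]
TICKETS = [
    {"id": "CHG-1042", "action": "add", "rule": "-A INPUT -s 203.0.113.7/32 -j DROP"},
]

# A DROP whose source covers more than this many hosts is flagged as a
# likely source of collateral outages (assumed threshold: one /24).
BROAD_DROP_MAX_HOSTS = 256


def parse_rule(rule: str) -> dict:
    """Turn '-A INPUT -s 10.0.0.0/8 -j DROP' into {'-A': 'INPUT', '-s': ..., '-j': 'DROP'}."""
    tokens = shlex.split(rule)
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r} in {rule!r}")
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True      # flag with no argument
            i += 1
    return opts


def canonical(rule: str) -> tuple:
    """Order-independent key so '-p tcp -j ACCEPT' and '-j ACCEPT -p tcp' compare equal."""
    return tuple(sorted(parse_rule(rule).items()))


def is_broad_drop(rule: str, max_hosts: int = BROAD_DROP_MAX_HOSTS) -> bool:
    """True for a DROP whose -s prefix covers more than max_hosts addresses."""
    opts = parse_rule(rule)
    if opts.get("-j") != "DROP" or "-s" not in opts:
        return False              # default-deny without -s is intentional, not flagged
    net = ipaddress.ip_network(opts["-s"], strict=False)
    return net.num_addresses > max_hosts


def audit_ruleset(baseline, running, tickets):
    """Return findings: rules added or removed without a ticket, and broad new DROPs."""
    base = {canonical(r): r for r in baseline}
    run = {canonical(r): r for r in running}
    approved = {(t["action"], canonical(t["rule"])): t["id"] for t in tickets}
    findings = []
    for key, rule in run.items():             # additions relative to the baseline
        if key in base:
            continue
        ticket = approved.get(("add", key))
        kind = "APPROVED_ADD" if ticket else "UNDOCUMENTED_ADD"
        findings.append({"finding": kind, "rule": rule, "ticket": ticket})
        if is_broad_drop(rule):               # approved or not, a broad block is outage risk
            findings.append({"finding": "BROAD_DROP", "rule": rule, "ticket": ticket})
    for key, rule in base.items():            # silent removals relative to the baseline
        if key not in run and ("remove", key) not in approved:
            findings.append({"finding": "UNDOCUMENTED_REMOVE", "rule": rule, "ticket": None})
    return findings


if __name__ == "__main__":
    for f in audit_ruleset(BASELINE, RUNNING, TICKETS):
        print(f"{f['finding']:20} {f['rule']}  ticket={f['ticket']}")
```

On the sample data the script reports the ticketed /32 block as approved, the /8 block as both undocumented and broad, and the missing port-80 ACCEPT as an undocumented removal, which is the kind of outage-causing drift the article is about. The comparison is set-based, so it deliberately ignores rule order; a production tool would also diff position, since a broad DROP inserted above existing ACCEPTs shadows them even when every individual rule is approved.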

While change management and configuration tools can help, it will be more
important to update best practices to match the needs of the evolving
network and then follow these practices closely. "Change management has to
be more of a routine than a product. Even the best tool is not going to fix
a broken process," Pironti said.

At the same time, many change management routines are antiquated, and
change can actually take too long for some enterprises, said John
Kindervag, principal analyst with Cambridge, Mass.-based Forrester
Research. "The concepts around change management were originally designed
to ensure maximum uptime of systems, but these enterprises have to stop
deprioritizing security changes in the name of efficiency and
availability," he said. "We need automation, but in a way that allows
[businesses] to be responsive and deal with threats and problems."

"Enterprises have to spend some time rethinking how they handle security at
that fundamental level, and that's going to be hard for many to do because
the landscape is changing so quickly," Kindervag said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
