BreachExchange mailing list archives

Better Together: Network Operations & Infosec


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Apr 2015 18:27:19 -0600

http://www.darkreading.com/attacks-breaches/better-together-network-operations-and-infosec-/a/d-id/1319898

The recent computer attacks against Anthem and Premera Blue Cross are the
latest case studies that demonstrate the necessary convergence of IT and
security operations. This is something information security professionals
should welcome, even demand. In fact, the network operations team can be an
information security department’s best resource for gaining understanding
and insight into an organization’s security operations, which traditional
security solutions and best practices alone cannot provide.

Understanding what “normal” network activity looks like is critical to
quickly spotting suspicious activities that point to a malicious outsider
or insider, or a mistake by an innocent employee that results in data theft
or loss. However, bridging the gap between the Network Operations Center
(NOC) and Security Operations Center (SOC) is not only a technology
challenge, but also an organizational one. There are three keys to
fostering this collaboration:

- Eliminating the silos that separate both systems and personnel,
- Creating joint emergency response teams comprised of network operations
and information security personnel, and
- Implementing a long-term plan for how to constantly improve processes and
training.

In the typical IT organizational chart, network operations is responsible
for ensuring system performance and information availability, while
information security focuses on protecting those systems and information
stores from threats. Typically, as Rudyard Kipling wrote, “and never the
twain shall meet.” However, the spate of high-profile breaches against
large companies across retail, financial services, and healthcare over the
last year shows that this must change.

In most of these cases, the companies were not aware they had been breached
until a third party notified them. Although Anthem discovered its breach on
its own after a database administrator noticed a query running with his
account that he didn't initiate, that discovery wasn’t made until after the
attacker had spent six weeks silently stealing information.

For an enterprise, the key takeaway is its critical need to be able to
detect activities on the network that can lead to a data breach. That
capability is diminished by the fact that security operations and network
operations typically work in silos. That means security vulnerabilities
have to be handled twice: first by the SOC, which has evidence of malicious
activity but often no mechanism for actively stopping it, and then again by
the NOC, which needs to wait for specific instructions from the SOC. Any
time delay here creates advantages for an attacker.

Additionally, most technology systems and business applications work in
their own silos and do not communicate with one another. Consequently, IT
cannot streamline and automate information sharing or event correlation
between security vulnerabilities and performance issues. Here are four
steps to overcome this organizational hurdle:

Step 1: To maximize insight, foster teamwork
The first step is to acknowledge the value of the network team in security
operations. Network engineers have visibility and access to forensic data
that simply doesn’t exist in other parts of an organization. Once IT
leadership acknowledges this, the next step is all about putting the tools
and processes in place to integrate network resources into security
processes. It sounds simple, but having a thorough understanding of normal
is a critical factor in preventing potentially harmful activity on your
organization’s network.

Step 2: Packet capture, meet SIEM
Security teams should work to leverage the network team’s investments in
packet capture agents, packet analyzers, NetFlow sources and deep packet
inspection performance monitoring. Often these can be tightly integrated
into a Security Information and Event Management (SIEM) system for high-fidelity
visibility, and quick pivots into useful forensic data. It’s also worth
noting how the Premera breach serves as a reminder to information security
professionals that joining forces with the network team does not obviate
the need to continue traditional due diligence. Premera had failed to
install the most recent security patches, opening the door to the attackers.
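As an added illustration of the baselining idea behind Step 2 (this is example code, not from the article or any product it mentions), the block below reads constructed NetFlow-style records, builds a per-host "normal" daily egress baseline from prior days, and flags hosts whose current-day egress to external addresses far exceeds that baseline. The record format, the 10.0.0.0/8 internal range and the z-score threshold are assumptions.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; anything else is treated as "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed NetFlow-style records: (day, src_ip, dst_ip, bytes_out).
FLOWS = [
    ("d1", "10.0.0.5", "203.0.113.10", 1_000_000),
    ("d2", "10.0.0.5", "203.0.113.10", 1_100_000),
    ("d3", "10.0.0.5", "203.0.113.10", 900_000),
    ("d4", "10.0.0.5", "203.0.113.10", 1_050_000),
    ("d5", "10.0.0.5", "203.0.113.10", 950_000),
    ("d6", "10.0.0.5", "198.51.100.7", 48_000_000),   # sudden large egress
    ("d6", "10.0.0.5", "10.0.1.2", 500_000_000),       # internal copy: not egress
    *[(f"d{i}", "10.0.0.7", "203.0.113.20", 2_000_000) for i in range(1, 7)],
    ("d6", "10.0.0.9", "198.51.100.9", 10_000_000),    # host with no history
]

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def daily_egress(flows):
    """host -> day -> total bytes sent from an internal host to external addresses."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
    return totals

def flag_egress_anomalies(flows, today, zscore=3.0, min_history=3):
    """Return (alerts, unbaselined): alerts maps host -> (today_bytes, threshold);
    unbaselined lists hosts seen today that lack enough prior days to judge."""
    alerts, unbaselined = {}, []
    for host, per_day in daily_egress(flows).items():
        history = [b for d, b in per_day.items() if d != today]
        current = per_day.get(today, 0)
        if len(history) < min_history:
            if current:
                unbaselined.append(host)
            continue
        mean, stdev = statistics.mean(history), statistics.pstdev(history)
        # max(stdev, 1) keeps a perfectly flat history from producing a zero-width band.
        threshold = mean + zscore * max(stdev, 1)
        if current > threshold:
            alerts[host] = (current, round(threshold))
    return alerts, sorted(unbaselined)

if __name__ == "__main__":
    print(flag_egress_anomalies(FLOWS, "d6"))
```

Hosts with no baseline are reported separately rather than silently scored, which is the case the SOC most needs the NOC's context for.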

Step 3: Change the culture, but hand-offs still apply
In terms of fostering collaboration, there should be clear roles and
responsibilities across NOC and SOC teams, supported by well-defined
“hand-offs.” Documenting them isn’t enough. You have to use them, analyze
key weaknesses, and continuously improve them. Joint emergency response
teams enable broader insight, increased tribal knowledge, faster artifact
gathering, well-rounded analysis, and ultimately a stronger information
security posture. Identify and appoint a strong leader who can rally the
troops, and mold them into a cohesive team passionate about continuous
improvement – not just compliance.

Step 4: Don’t accept the status quo
With a strong base to build upon, an organization should turn its focus to
accelerating and improving its capabilities. Never be satisfied with the
status quo. To optimize operations, leverage techniques from traditional
continuous improvement strategies such as Theory of Constraints, Lean, or
lessons learned from the DevOps movement. Invest in training and skill
development so your people are effective and empowered, break work down
into smaller chunks so it flows smoother, automate to gain operational
efficiencies, and measure risk, performance and quality of operations.

Threats are getting increasingly harder to discover, and attackers are more
brazen than ever. Getting network operations and information security teams
together in the same room for the first time will be a critical step for
organizations that want to build a continuous information security
improvement culture capable of defending against those threats.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 