Disclaimer: These ramblings are the author's and his alone, and are in no way attributable to the author's employer, management or friends.
Often we believe directives handed down from management should be modified to meet the goals we believe are the desired end. Whether it is through the use of different tools than those suggested or an alternative procedure which would reduce time and improve efficiency, it is often difficult to convey this information successfully back up the management chain. When this happens, resistance and animosity can run rampant.
Management invariably gives us just the information they believe we need to know, and this may leave us in the dark as to the true goals of a task.
Example 1:
Management directive for analyst eyes on glass for event monitoring with a requirement to process a certain number of events per day.
Upside: Management needs metrics to show upper management that security is working.
Downside: in an effort to produce metrics, and indeed increase events processed, we may focus on volume over quality. An event showing ssh access from another country may be logged, and initial log review may show nothing suspicious, so it is filed and the analyst moves to the next event, when further investigation over a day or two might show a pattern and indicate possible progress by an attacker which could warrant defensive action.
Example 2: External influences reducing the effectiveness of the Security Team.
Other teams who are directed to resolve the findings from security team tests may seek to limit the effectiveness of the tests by influencing the decision on the tools to be used. This can be done at upper management levels which are not visible to the security team, and may result in a task to scan certain systems with a less effective tool than others which are available, or with timing parameters which limit the granularity of the testing.
Other vectors for issues are purchasing decisions where the security capabilities of tools are not given sufficient weight.
So, what options are open to security teams to guide and assist their management in producing what we believe are optimal data most efficiently and effectively?
1. Communication is the primary tool for ensuring smooth running and optimal success.
- regular meetings, say weekly, can foster success providing they are run effectively.
Meetings must be open, with all team members and the team management in attendance. Team members must be able to speak freely and openly about their thoughts on topics. Each team member should be allowed equal time and weight for their input, which can be difficult as there are often big talkers who can monopolize the discussion. It is management's task to ensure equal access during discussions.
The meeting agenda should also be available at least 2 days in advance so team members can be suitably prepared.
2. Information dissemination from management needs to include all relevant data. This is difficult for management as they often seek to limit information so the discussions reach their preconceived desired result. Sometimes confidentiality issues prevent information dissemination as well. Management may also be swayed by input from other departments.
3. The information Security Team needs to present a united front externally.
Decide on the optimal combination of tools, procedures and policies, and don't try to change tools every year or two. Because you want to have the optimal toolset, the decision on the tools needs to be a team one, and not a management directive. Take feedback from the analysts and engineers who have used all the tools and give them the necessary weight and credence. An engineer's opinion of a tool he does not use day in and day out should have very little weight when compared to the advice of an analyst who uses the tool every hour of every day.
Information security is not easy, and at times it may seem the biggest obstacles to success are forces inside the enterprise. Yet we must use all the tools in our arsenal to improve security and prove that security is a valuable department for the Enterprise.
That's all for now.
S. Russell Dyer BS CNE ISSP CRISC Security+ CICP
Remember the Disclaimer!