A lack of network visibility and information sharing continues to hinder organisational efforts to unify security specialists and IT operations teams in a 'SecOps' mode of organisational functioning, a cloud-computing specialist has warned.
Even where security vulnerabilities are detected and teams develop plans to remediate them, delays in actualising those plans through the operational teams can create a window of opportunity for outside attacks that lasts, by one assessment, an average of 256 days before an attack is detected.
Reducing this timeframe is essential for good security governance but most companies still suffer from an operational disconnect, BMC cloud computing specialist David Carless told CSO Australia as the service-monitoring giant launched its BladeLogic Threat Director in an effort to bridge the gap.
“It can take an awful lot of time to get an authorisation to apply a patch, or to change configuration,” Carless explained, noting that these processes were often drawn out by a lack of visibility into the operational network and that this, in turn, often made it hard to meet internal SLAs around fault remediation.
One customer had, for example, set an internal SLA that demanded patches be ready for deployment within 8 hours of a vulnerability being discovered. But “that's just impossible to do if you're trying to do it manually,” Carless said.
“Imagine an operations team being handed a spreadsheet with 1000 IP addresses and a list of a couple of thousand vulnerabilities that have been identified. Trying to prioritise – let alone perform – that is a massive task. So we've connected the two teams, providing the security team with the actual data and providing a methodology and a toolset to help them respond.”
Designed to function in real time, that connection sets up a new vocabulary for information exchange and operational dynamics that is intended to help empower the creation of a SecOps culture – which is particularly crucial for organisations seeking to introduce a common monitoring environment across both on-premises and cloud-based infrastructure.
Maintenance of an ongoing patch registry ensures that the patch status of every device on the network can be continuously monitored, with out-of-date equipment targeted for upgrades and compliance audits much easier to execute when necessary.
“We really provide an environment that is audit ready all the time,” Carless said. “Within seconds, we can provide the current patch level for any device. This gives the security teams a real-time view of the vulnerabilities at any given time.”
This type of visibility is important in any organisation but particularly relevant for managed service providers (MSPs) that are becoming increasingly important as organisations look to outsourcing and cloud strategies to offload many of their operational processes. And, despite the change in business strategy, many organisations fail to keep up with these changes from a SecOps point of view.
“Companies often don’t monitor their partners’ or contractors’ access privileges and security processes as well as they do within their own boundaries,” said Ewen Ferguson, managing director of consulting form Protiviti. “Add to that, the fact that outsiders often bring their own hardware and software which may be ‘contaminated’ through use on other non-secure networks - and you have a clear security exposure.”
Managing this exposure, Ferguson recommends, requires a “robust third party risk management” with contracts that elucidate risk-management expectations around visibility of service providers' operations and reporting obligations in the event of a breach.
This includes managing a central inventory of third-party providers; renegotiating contract terms to boost security safeguards; conducting proactive risk assessments; and putting in place the processes and tools to know what data third parties are accessing and how they are storing it.
Read more: CAPTCHA, policies secure Catholic Education SA's VDI-driven cloud transition
The construction of a robust monitoring infrastructure will go a long towards enabling these and other protections by filling out gaps in security and operational governance procedures.
“We have a great window of opportunity to bridge this gap,” Carless said. “Whether in privately owned data centres, virtual cloud services or wherever – it doesn't matter where the devices are. We can still manage them and provide this functionality. This is providing a great opportunity for clients to close this gap.”
Take this 5 minute survey on The State of Cloud Storage & Collaboration 2016 and go in the draw to win a $500 Visa credit card.