When it comes to investing in and implementing security solutions, where do you draw the line? When do you decide that enough is enough? Imagine if TSA treated everyone with a boarding pass as if they were a terrorist. Actually, if you’ve ever seen them patting down grandma in a wheelchair then you know that that’s not too far from reality. But there are limits. If every traveler was subjected to a luggage search and a pat down or full-body scan, the system would seize up. Travelers would rebel and commercial aviation would come to a screeching halt. Billions of dollars would be lost.
The same goes for IT security. If you took every threat as seriously as the next and applied the same amount of energy to investigate each blip on your proverbial radar screen, nothing would get done. At the other end of the spectrum, what happens if you lay down so much security that your users can’t do their jobs? They become frustrated and your top line is dramatically affected. It’s the great security quandary of our times: What is just the right amount of security? How do you know when, where and how much security to deploy—security that gets the job done without impeding everyone’s productivity, including your own?
It’s a Balance Thing
According to Chinese philosophy, there is a phenomenon called yin yang in which, according to Wikipedia, “polar or seemingly contrary forces are interconnected and interdependent in the natural world, and give rise to each other in turn.” In other words, perfect harmony and balance are achieved.
For IT security managers, think of security as yin and productivity as yang. However, unlike other dual natural phenomena such as darkness and light, male and female, cold and hot, or beer and pretzels for that matter, security and productivity must both be constantly monitored, cultivated and maintained. Every hour of the day, a fine balance must be struck between getting work done and maintaining adequate protection. You don’t want your staff chasing threats of no real consequence or those for which you’re already protected when they could be defending against something potentially devastating.
You also don’t want so many layers of security that your users can’t access the systems and networks essential to getting their jobs done. And you can do without an army of end users coming unglued because security is slowing down their ability to work.
Balance requires a risk management strategy and deployed solutions that provide the visibility that allows you to keep the enterprise as safe as possible while keeping everybody happy. Basically, it comes down to this: How do you provide “just enough” protection when and where needed?
Visibility Is Key
If you’re in IT security then no doubt you’re familiar with “Patch Tuesday.” It’s the bane of the security practitioner’s existence when Microsoft rolls patches out that need to be cross-checked and correlated. As quickly and accurately as possible, security pros are then supposed to develop a quantitative measurement of risk to the enterprise based on current threats and exposure to them. And act accordingly. Wash, rinse, repeat—not the best way to go.
On Patch Tuesday or any time a vendor decides to roll out a patch, especially critical out-of-band patches, you can’t afford to wing it. You need to have the right tools at your fingertips. Those tools must provide panoramic, 360-degree visibility into your complete risk posture that presents correlated data in such a way that users can quickly pinpoint where to focus their security efforts. The visibility they provide should contain the following elements:
Up-to-the-minute threat data – Knowing what’s going on in the wild is key. If a new piece of malware is starting to make the rounds, you need to know this before it can wreak havoc on your systems and network. Look for a vendor that has a global threat research capability and uses contemporary methods to collect, analyze and document threats. This intelligence should cover all key threat vectors (i.e., file, web, email, and network).
Vulnerability Data – Know where you’re vulnerable. Without knowing which critical systems are susceptible to attacks, you have no choice but to deploy a “spray-and-pray” approach to security. There are several vendors that provide robust products for conducting vulnerability assessments. Regular vulnerability assessments are also requirements of regulatory mandates such as PCI, so it’s a good practice to have them in place. With a clear view of where you’re vulnerable—especially when it includes asset criticality—you are in a good position to start honing your security resources. Knowing this will provide the basis for a risk-based approach to making critical IT decisions and help eliminate panic associated with Patch Tuesday and out-of-band patches.
Countermeasure Data – To ensure you’re focusing on the systems that need security most, you need to know which countermeasures are already in place to protect against threats. If a critical system has the appropriate countermeasure in place, you can defer patching it until your next regularly scheduled patch cycle. This is also useful for helping to best direct your security spend and resources along with demonstrating an ROI to management on the security products you’ve already deployed.
All told, this level of visibility enables you to ignore distractions and take the appropriate action. Visibility into the intersection of these data can give you the “just enough” solution you’re seeking. Your systems will have the best possible protection and your users will be productive.
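To make the intersection of the three data sets concrete, here is a small triage sketch. It is an added example, not code from any vendor product or from the author, and the hosts, the VULN-000x identifiers, the criticality scale and the two-bucket outcome are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# All data below is constructed for illustration; the IDs are placeholders.
# Threat data: vulnerabilities with exploitation currently seen in the wild.
ACTIVE_THREATS = {"VULN-0001", "VULN-0003"}

@dataclass(frozen=True)
class Finding:
    """One vulnerability-scan result, tagged with asset criticality."""
    host: str
    vuln_id: str
    criticality: int  # assumed scale: 1 (low) to 5 (business critical)

# Vulnerability data: where the enterprise is exposed.
FINDINGS = [
    Finding("pay-db01", "VULN-0001", 5),
    Finding("pay-db01", "VULN-0002", 5),
    Finding("web-03", "VULN-0001", 4),
    Finding("kiosk-17", "VULN-0003", 1),
    Finding("hr-app02", "VULN-0003", 3),
]

# Countermeasure data: host -> vulnerabilities already shielded by a
# deployed control (for example an IPS signature covering that exploit).
COUNTERMEASURES = {"pay-db01": {"VULN-0001"}, "kiosk-17": set()}

def triage(findings, active_threats, countermeasures):
    """Split findings into (patch_now, next_cycle).

    A finding is urgent only when it is actively exploited AND the host has
    no countermeasure for it; everything else waits for the regular cycle.
    """
    patch_now, next_cycle = [], []
    for f in findings:
        exploited = f.vuln_id in active_threats
        shielded = f.vuln_id in countermeasures.get(f.host, set())
        if exploited and not shielded:
            patch_now.append(f)
        else:
            reason = "countermeasure in place" if exploited else "no active threat"
            next_cycle.append((f, reason))
    # Most critical unprotected assets first; host name breaks ties.
    patch_now.sort(key=lambda f: (-f.criticality, f.host))
    return patch_now, next_cycle

if __name__ == "__main__":
    urgent, deferred = triage(FINDINGS, ACTIVE_THREATS, COUNTERMEASURES)
    for f in urgent:
        print(f"PATCH NOW   {f.host:10} {f.vuln_id} (criticality {f.criticality})")
    for f, reason in deferred:
        print(f"NEXT CYCLE  {f.host:10} {f.vuln_id} ({reason})")
```

Note that the most critical asset, pay-db01, does not head the urgent list: its exploited vulnerability is already shielded, so the effort goes to web-03 first.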
Restoring the Natural Order of Things
There’s no such thing as a 100 percent failsafe security environment, nor is there a one-size-fits-all methodology to ensure maximum productivity of your users. There will always be the rare exploit of a vulnerability or the threat that turns into a successful attack on somebody’s watch. However, you can dramatically reduce the odds that that somebody will be you. How? Again, it all comes down to gaining the visibility you need to deploy and maintain just the right amount of security within the context of an agile, productive enterprise. Permit me to borrow from Chinese philosophy one more time—in this case from the works of Chuang Tzu, who stated that yin in its highest form is freezing while yang in its highest form is boiling. The interaction of these two establishes harmony.
In business, you don’t want the highest form of either security or productivity. You want appropriate levels of both that promote harmony. In other words, a combination that delivers balance—one that provides protection and peace of mind.