Excerpted from a three-part series of articles.
Security is expensive.
Let's correct that. Information Technology is expensive. Security is not a separate part of our IT infrastructure that is thrown on after the fact. Rather, it should be an integral part of any functioning system, and its cost will depend greatly on how it is implemented.
The process of creating and implementing a security policy can seem difficult, especially for a mid-size business. However, with some basic planning and a few preliminary steps, you can simplify the process and significantly lower the cost.
Step 1: Don’t Start With a Blank Canvas
To develop an effective security policy, we first need to define a clear goal and break it down into measurable tasks that we can prioritize. This will enable us to distribute the cost over time while putting measures in place to mitigate the most serious threats.
Next, asking a series of questions will help establish your baseline:
- What compliance requirements do I need to consider? There are optional steps in security, and there are required processes. Compliance requirements will help you decide which is which.
- What is our current IT inventory? If we do not have a clear picture of what we are securing, we could miss some important steps. The more detailed the inventory, the better we will be able to use it in our planning. This part is important to every step that follows.
- What goals does management have for this project? Does management want a specific downtime maximum? Does this process affect company plans to apply for certifications? Is the company looking to enter a new market, or merge with another company/division? These will affect your plans, so it is best to know about them from the start.
- What is the projected budget, and what is the cost and availability of labor? It is important to remember that time really is money. Some solutions may cost considerably less than others, but require much more interaction.
- Are there any priorities specific to your company or industry? This step may be policy or preference only, but there is likely one area that you want to focus on first.
I should stress here that you might want to hire a qualified consultant to review your plan and suggest changes to ensure you do not miss anything, especially if you are legally bound to meet a certain standard.
Step 2: Divide and Conquer
Managing local area networks is much easier if they are broken into smaller subnets that are logically defined. Defensive network segregation serves two valuable security purposes: it creates natural boundaries to simplify access control and monitoring; and, it limits the scope of an incident, which can help minimize the effects of a breach. It can also help mitigate management and congestion issues, without any significant effects on usability.
There are a few side notes here that are worth mentioning that can go a long way toward helping secure the network while saving costs:
- Maintain good network switching security best practices: Disabling unused ports, adding MAC security features, and implementing some sort of routing loop mitigation will help simplify management and security.
- Move any guest access, including employee devices such as phones and tablets, to a separate guest LAN: These devices are often exposed to public wi-fi, random package installs, and prying hands. Do you really want these on your secure network?
- Minimize the use of DHCP for static resources, or implement static leases whenever possible: Many security processes rely on tracking a baseline for devices. This gets much easier for device logs and network traffic when your addresses do not change over time.
- Move printers, appliances, and consumer devices to severely restricted LANs, preferably with all outbound access blocked: The best way to mitigate risk from unmanaged appliance-type devices is to remove their network access, blocking all outbound traffic to other subnets by ACL.
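The segmentation goals above can be checked before the ACLs are pushed to the firewall. The following is an added example, not code from the article or from AlienVault: it models a constructed four-VLAN plan (server, workstation, guest and appliance subnets are assumptions), evaluates a first-match ACL with implicit deny, and audits a flat "allow any" policy and a segmented one against the invariants the list describes (guest and appliance LANs cannot initiate traffic to the internal subnets, appliances have no outbound access at all).

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnet plan (assumption, not from the article): one VLAN per role.
SUBNETS = {
    "servers":      ipaddress.ip_network("10.0.10.0/24"),
    "workstations": ipaddress.ip_network("10.0.20.0/24"),
    "guest":        ipaddress.ip_network("10.0.30.0/24"),   # phones, tablets, visitors
    "appliances":   ipaddress.ip_network("10.0.40.0/24"),   # printers, IoT, consumer devices
}


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    action: str   # "allow" or "deny"


def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "internet"


def evaluate(rules, src_ip, dst_ip):
    """First-match ACL evaluation of a connection *initiated* by src_ip.
    Nothing matching means implicit deny (return traffic is the firewall's
    state table's job and is not modelled here)."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src in (s, "any") and r.dst in (d, "any"):
            return r.action == "allow"
    return False


# Weak setting: a flat network where every device reaches every other device.
WEAK_RULES = [Rule("any", "any", "allow")]

# Corrected setting: only the flows the business needs, appliances never initiate.
SEGMENTED_RULES = [
    Rule("workstations", "servers", "allow"),
    Rule("workstations", "appliances", "allow"),   # print jobs come from workstations
    Rule("workstations", "internet", "allow"),
    Rule("servers", "internet", "allow"),          # updates, DNS, mail relay
    Rule("guest", "internet", "allow"),
    Rule("appliances", "any", "deny"),             # all outbound from appliances blocked
    Rule("guest", "any", "deny"),
]

# Invariants the segmentation is supposed to guarantee (constructed test addresses).
INVARIANTS = [
    ("guest cannot reach servers",       "10.0.30.15", "10.0.10.5",    False),
    ("guest cannot reach workstations",  "10.0.30.15", "10.0.20.7",    False),
    ("appliance cannot reach servers",   "10.0.40.9",  "10.0.10.5",    False),
    ("appliance cannot reach internet",  "10.0.40.9",  "203.0.113.10", False),
    ("workstation can print",            "10.0.20.7",  "10.0.40.9",    True),
    ("workstation can reach servers",    "10.0.20.7",  "10.0.10.5",    True),
]


def audit(rules):
    """Return the names of the invariants that the rule set violates."""
    return [name for name, src, dst, expected in INVARIANTS
            if evaluate(rules, src, dst) != expected]


if __name__ == "__main__":
    print("flat network violates:", audit(WEAK_RULES))
    print("segmented network violates:", audit(SEGMENTED_RULES))
```

The audit lists four violations for the flat policy and none for the segmented one. Keeping the invariants as data makes them easy to re-run whenever a rule is added, which is where segmentation usually erodes in practice.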
Remove the Patchwork from Patch Management
A striking number of network intrusions and exploits leverage a vulnerability for which there is an existing patch, even though patch management is a core part of the product lifecycle. It is important to use a proactive management strategy as opposed to a reactive method, as this is one of the most important steps to maintaining a stable and secure environment. It is also among the most cost-effective steps that can be taken to secure the network.
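A proactive patch strategy starts from the inventory gathered in Step 1. The following is an added example, not code from the article or from any vendor: it compares a constructed host inventory (hostnames, packages and version strings are all assumptions) against a minimum-version baseline, using a version comparison that orders numeric components numerically and letter suffixes lexically, so that "5.4.0-80" sorts before "5.4.0-150" and "1.1.1k" before "1.1.1w", and ranks hosts by how many overdue packages they carry.

```python
import re

# Constructed inventory: host -> {package: installed version}. Not real data.
INVENTORY = {
    "web01":  {"openssl": "1.1.1k", "nginx": "1.18.0",    "kernel": "5.4.0-80"},
    "db01":   {"openssl": "1.1.1w", "postgresql": "12.9", "kernel": "5.4.0-150"},
    "file01": {"openssl": "1.1.1w", "samba": "4.13.2",    "kernel": "5.4.0-150"},
}

# Minimum versions the patch policy requires (constructed placeholder values).
BASELINE = {
    "openssl":    "1.1.1w",
    "nginx":      "1.20.1",
    "postgresql": "12.9",
    "samba":      "4.13.17",
    "kernel":     "5.4.0-150",
}


def version_key(version):
    """Split a version string into comparable chunks. Digit runs compare as
    integers and letter runs as strings; the (0, ...) / (1, ...) tags keep the
    two kinds from ever being compared with each other."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def missing_patches(inventory, baseline):
    """Return {host: [(package, installed, required), ...]} for every package
    that is present on the host but older than the baseline."""
    findings = {}
    for host, packages in inventory.items():
        for package, required in baseline.items():
            installed = packages.get(package)
            if installed is None:
                continue   # package not installed here, nothing to patch
            if version_key(installed) < version_key(required):
                findings.setdefault(host, []).append((package, installed, required))
    return findings


def prioritize(findings):
    """Order hosts by number of overdue packages, most first, so the patch
    window is spent where the exposure is largest."""
    return sorted(findings, key=lambda host: len(findings[host]), reverse=True)


if __name__ == "__main__":
    overdue = missing_patches(INVENTORY, BASELINE)
    for host in prioritize(overdue):
        for package, installed, required in overdue[host]:
            print(f"{host}: {package} {installed} < required {required}")
```

Run against the constructed data it reports three overdue packages on web01 and one on file01, and nothing for db01. The same comparison function applies to any inventory source that yields version strings, which is the piece most ad hoc patch scripts get wrong.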
Step 3: Paint with Better Brushes (Educate Yourself to Make Educated Decisions)
Now that we have covered some of the core issues, it is time to flesh out the details by reading, reading and more reading. Information is your friend here. No technology, product, solution, or approach can replace an informed professional with security knowledge. The more you understand about the threats to your network, the better you can not only manage the threats but also select the tools with which to do so. It is CRITICAL that you do not underestimate the importance of this step.
Introductions - Getting started is always the hardest part. I strongly recommend going to an unbiased source for your start. Here are three interesting starting resources:
- SANS Institute, and the Internet Storm Center
- The US Computer Emergency Readiness Team
- University Press Centers - Various university sites offer a TON of theory and information about leading issues.
Blogs - Most security vendors on the market maintain blogs, white papers, and technical overviews and alerts, which are great places to look for fact-checked data on trends and threats. AlienVault's own blog is an example of this kind of service.
Social Media - Like blogs, most of the security companies are pushing information on social media to keep you informed. Subscribe to blogs, Twitter, LinkedIn or other social feeds to get a constant stream of information about security.
Books - If you want theory, there are entire libraries written on subjects related to security. I recommend, however, waiting until you have some basic knowledge before you spend too much on books. If you wait until you have a better base of knowledge, you'll be able to select titles that better cover the specific material you want.
One of the most costly problems in security is log management. IT staff including admins, analysts, engineers, and technicians are always short on time. Since a considerable portion of managing risk involves collecting and reviewing log data, we can save a considerable amount of time if we move these logs to a central location and normalize them for easier analysis. We also need to gather network data to monitor bandwidth and traffic for suspicious changes. A Security Information and Event Management (SIEM) tool will handle much of this, normalizing and processing a wide selection of your security logs and data, and correlating this data with events to identify advanced threats.
However, a full-featured security solution (like AlienVault’s Unified Security Management (USM)) will do more than this, also handling Asset Discovery, Availability Monitoring, Log Normalization, HIDS, Network IDS/Traffic analysis, and Vulnerability Scans. It should also simultaneously run real-time event correlation against data from multiple sources to identify threats. When you consider the time and resources required to manually correlate all of this data, and the difficulty of juggling information from multiple tools, you may be surprised by how easily and cost-effectively an integrated system like USM can be deployed.
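To make the normalize-then-correlate idea concrete, here is an added example that is not code from the article, from AlienVault or from USM. It parses a handful of constructed log lines from two different sources (an sshd syslog format and a simplified Windows-style logon event; the line formats, hostnames and addresses are all assumptions) into one common event schema, then runs a single correlation rule across the combined stream: a source address that produces three or more failed logons on any hosts within five minutes and then succeeds. Neither source on its own crosses the threshold; only the normalized, combined view does, which is the point of centralizing the logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines from two sources (not real log data).
RAW_LOGS = [
    "Mar 14 10:01:02 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "Mar 14 10:01:05 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51236 ssh2",
    "2024-03-14T10:01:09Z winfs01 Security EventID=4625 User=admin SourceIP=203.0.113.7",
    "Mar 14 10:01:12 web01 sshd[2212]: Accepted password for admin from 203.0.113.7 port 51240 ssh2",
    "Mar 14 10:05:00 web01 sshd[2300]: Failed password for bob from 198.51.100.20 port 40000 ssh2",
    "Mar 14 10:20:00 web01 sshd[2301]: Accepted password for bob from 198.51.100.20 port 40001 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
# Assumed simplified Windows event format; 4624 = logon success, 4625 = logon failure.
WINEVT_RE = re.compile(r"^(\S+) (\S+) Security EventID=(\d+) User=(\S+) SourceIP=(\S+)")

YEAR = 2024   # syslog timestamps carry no year; assumed for the example


def normalize(line):
    """Map a raw line from either source onto one schema:
    {ts, host, user, src_ip, outcome}. Returns None for unrecognised lines."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m.group(2), "user": m.group(4), "src_ip": m.group(5),
                "outcome": "success" if m.group(3) == "Accepted" else "failure"}
    m = WINEVT_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "host": m.group(2), "user": m.group(4), "src_ip": m.group(5),
                "outcome": "success" if m.group(3) == "4624" else "failure"}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a source IP with >= threshold failures (on any hosts) followed by a
    success inside `window`: failures older than the window are forgotten."""
    alerts = []
    recent_failures = {}   # src_ip -> failures still inside the window
    for event in sorted(events, key=lambda e: e["ts"]):
        recent = recent_failures.setdefault(event["src_ip"], [])
        recent[:] = [f for f in recent if event["ts"] - f["ts"] <= window]
        if event["outcome"] == "failure":
            recent.append(event)
        elif len(recent) >= threshold:
            alerts.append({
                "src_ip": event["src_ip"], "user": event["user"], "host": event["host"],
                "failures": len(recent),
                "hosts": sorted({f["host"] for f in recent}),
            })
            recent.clear()
    return alerts


def run(raw_lines):
    """Normalize every line we can parse, then correlate across all sources."""
    events = [ev for ev in map(normalize, raw_lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run(RAW_LOGS):
        print(f"ALERT {alert['src_ip']}: {alert['failures']} failures on "
              f"{alert['hosts']} then success as {alert['user']} on {alert['host']}")
```

On the constructed data this raises one alert for 203.0.113.7 (two sshd failures plus one Windows failure, then an accepted password), and nothing for 198.51.100.20, whose single failure has aged out of the window by the time it logs in. Every new log source only needs a new branch in normalize(); the correlation rule is written once against the common schema.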
A Policy of Processes
We now have a complete picture of what to do, so it's time to start the implementation! This is both the easiest, and the hardest part. As you enact your plan, you need to make sure that the steps become an integral part of the IT lifecycle process. Making it part of the process now will progressively ease the workload in the future, as IT teams start to integrate the new security methods into the general workflow.
Always keep in mind that security is not a destination, but a process. It is necessary to continually review what you have done and adjust as systems develop, and as new methods of infiltration emerge and are discovered.