
Endpoint Security

15 May 2007 | SearchSecurity.com and Addison-Wesley


The following is an excerpt from the book Endpoint Security. In this section of Chapter 3: Something is Missing (.pdf), author Mark S. Kadrich explains how the network must be understood and examined in a whole new way.

MAP BUSINESS AND TECHNOLOGY PATHS
This might sound like a no-brainer, but it's a bit more complicated when you dig into it. We've learned to think of technology as complex mechanisms and sophisticated software. However, if you talk to an archeologist, the stone axe is also an example of technology. Ancient technology, yes, but technology nonetheless.

I think this opinion of what "technology" is, is the reason that we ignore a major type of technology that glues our present solutions together: people. When an organization engages in process reengineering, the first thing that they do is look at the relationship of people and how efficiently they exchange information in the quest to accomplish their mission. They ask how well they use the tools that have been afforded them and how many workarounds are in place to "fix" poorly engineered processes. All too often, we're given new technology, but instead of reexamining how we can put this new technology to good use, we just use it to take the place of an older process without understanding how it can make the overall process better.

Endpoint Security

Author: Mark S. Kadrich

348 pages; $54.99

Addison-Wesley

We do this with our security technology by trying to make it completely transparent. We overlay it on top of our existing processes in the hope that we can get some level of increased protection without disturbing the user community. The problem with that is that it obscures the human element of the security problem to both the practitioners and the users.

To counter this, we must examine our business processes with respect to security so that we can understand where the human paths are with respect to the technology paths. We must also be willing to push for change where needed. Our technology paths, both human and technological, need to be understood if we're going to create a closed-loop process.

We need to be able to identify them and measure them to understand how much of an impact any delay is going to have on our security process. For example, your organization might have an automated patch management system that pushes patches and updates out to thousands of endpoints in a few minutes. Because of this technology, you can stand up in front of the board of directors and tell them that your solution pushes updates to vulnerabilities in minutes! The problem is that in many organizations there's a manual process of evaluating the patch, called regression testing, that can take as long as three months!

I'm not saying that you should eliminate regression testing. What I am saying is that for a process control solution to work, you must embrace the idea that you do have human feedback paths that can dramatically degrade your ability to respond to an attack. Regression testing is a business process that has a huge effect on security. Another example of business and security intersecting is during the incident response cycle. Many people think of incident response as responding to an intrusion detection system (IDS) alert. What if I call the help desk and claim that I'm the CFO and I want my password changed? This is clearly an indicator that my network may be under attack and that something should be done, but how long will it take for this information to move through the business process of the help desk?

This means that we, as security people, need to understand our company's business processes and instead of saying "no," we need to find ways to say "yes" that encourage the business plan to grow and adapt to the changing business objectives. When new technologies appear, we need to understand how those technologies will impact our security and our ability to compete effectively in the marketplace. How many organizations, because the security group is afraid of it, haven't deployed wireless technology regardless of its demonstrated ability to simplify deployment and reduce associated costs?

Who do you think is going to win in the marketplace when the market gets tough and margins get small? The organization afraid to use technology because their security process can't handle it, or the agile group that understands that security and business processes can work together?

CAN WE BUILD A BETTER MODEL?
I believe the answer to this question is a resounding yes. I think that most of what we need is already here; we just need to connect it a little better than we have in the past.

The answer lies in identifying how we allow risk to be introduced into our networks and setting a low limit that prevents endpoints that don't meet our criteria from joining. That instantly begs the question of how to define risk. Well, I think that's the wrong question to ask. I think we need to ask this: What is an acceptable risk? When I go car shopping, I know what I don't want. I don't want a car that's so old that it doesn't have air bags and antilock brakes. I don't want a car that has broken windows and bald tires. I don't want a car that has a torn-up interior or rusty fenders.

I know that I can have a mechanic go over the car with a fine-tooth comb, but that won't eliminate the possibility of a flat tire or an exploding engine later on. I've reduced my risk by examining the car prior to buying it, but I still run the risk that something could happen later.

What I have done by taking the effort to examine the car is begin the process of engendering trust. By setting a minimum level of capability, I have enabled myself to trust the system—in this case, my car—to behave in a manner acceptable to me. I believe that this is also possible on our networks. By setting a minimum level of capability, we can set a minimum level of trust in the systems that join our network.

Learn more about the old way of thinking that has controlled network designs and management techniques for too long. Download the rest of Chapter 3: Something is Missing (.pdf)

Note: Printed with permission from Addison-Wesley. "Endpoint Security" by Mark S. Kadrich. Copyright 2007. For more information about this title and other similar books, please visit www.awprofessional.com.
