Endpoint Security

MAP BUSINESS AND TECHNOLOGY PATHS
This might sound like a no-brainer, but it's a bit more complicated when you dig into it. We've learned to think of technology as complex mechanisms and sophisticated software. However, if you talk to an archeologist, the stone axe is also an example of technology. Ancient technology, yes, but technology nonetheless.

I think this opinion of what "technology" is, is the reason that we ignore a major type of technology that glues our present solutions together: people. When an organization engages in process reengineering, the first thing that they do is look at the relationship of people and how efficiently they exchange information in the quest to accomplish their mission. They ask how well they use the tools that have been afforded them and how many workarounds are in place to "fix" poorly engineered processes. All too often, we're given new technology, but instead of reexamining how we can put this new technology to good use, we just use it to take the place of an older process without understanding how it can make the overall process better.

Endpoint Security Author: Mark S. Kadrich 348 pages; $54.99 Addison-Wesley

We do this with our security technology by trying to make it completely transparent. We overlay it on top of our existing processes in the hope that we can get some level of increased protection without disturbing the user community. The problem with that is that it obscures the human element of the security problem to both the practitioners and the users.

To counter this, we must examine our business processes with respect to security so that we can understand where the human paths are with respect to the technology paths. We must also be willing to push for change where needed. Our technology paths, both human and technological, need to be understood if we're going to create a closed-loop process.

We need to be able to identify them and measure them to understand how much of an impact any delay is going to have on our security process. For example, your organization might have an automated patch management system that pushes patches and updates out to thousands of endpoints in a few minutes. Because of this technology, you can stand up in front of the board of directors and tell them that your solution pushes updates to vulnerabilities in minutes! The problem is that in many organizations there's a manual process of evaluating the patch, called regression testing, that can take as long as three months!

For more information Is there a way to integrate business continuity planning and operational risk management? Security expert Mike Rothman explains. Performing a risk assessment is only half the battle. Senior News Writer Bill Brenner explains the importance of communicating security problems to management.  Download the rest of Chapter 3: Something is Missing (.pdf).

I'm not saying that you should eliminate regression testing. What I am saying is that for a process control solution to work, you must embrace the idea that you do have human feedback paths that can dramatically degrade your ability to respond to an attack. Regression testing is a business process that has a huge effect on security. Another example of business and security intersecting is during the incident response cycle. Many people think of incident response as responding to an intrusion detection system (IDS) alert. What if I call the help desk and claim that I'm the CFO and I want my password changed? This is clearly an indicator that my network may be under attack and that something should be done, but how long will it take for this information to move through the business process of the help desk?

This means that we, as security people, need to understand our company's business processes and instead of saying "no," we need to find ways to say "yes" that encourage the business plan to grow and adapt to the changing business objectives. When new technologies appear, we need to understand how those technologies will impact our security and our ability to compete effectively in the marketplace. How many organizations, because the security group is afraid of it, haven't deployed wireless technology regardless of its demonstrated ability to simplify deployment and reduce associated costs?

Who do you think is going to win in the marketplace when the market gets tough and margins get small? The organization afraid to use technology because their security process can't handle it, or the agile group that understands, security and business processes can work together?

CAN WE BUILD A BETTER MODEL?
I believe the answer to this question is a resounding yes. I think that most of what we need is already here; we just need to connect it a little better than we have in the past.

Listen to author Mark S. Kadrich Securing an endpoint is easy -- keeping it secure is the real challenge. Hear author Mark S. Kadrich, as he reads a selection from Endpoint Security.

The answer lies in identifying how we allow risk to be introduced into our networks and setting a low limit that prevents endpoints that don't meet our criteria from joining. That instantly begs the question of how to define risk. Well, I think that's the wrong question to ask. I think we need to ask this: What is an acceptable risk? When I go car shopping, I know what I don't want. I don't want a car that's so old that it doesn't have air bags and antilock brakes. I don't want a car that has broken windows and bald tires. I don't want a car that has a torn-up interior or rusty fenders.

I know that I can have a mechanic go over the car with a fine-tooth comb, but that won't eliminate the possibility of a flat tire or an exploding engine later on. I've reduced my risk by examining the car prior to buying it, but I still run the risk that something could happen later.

What I have done by taking the effort to examine the car is begin the process of engendering trust. By setting a minimum level of capability, I have enabled myself to trust the system—in this case,my car—to behave in a manner acceptable to me. I believe that this is also possible on our networks. By setting a minimum level of capability, we can set a minimum level of trust in the systems that join our network.

Learn more about the old way of thinking that has controlled network designs and management techniques for too long. Download the rest of Chapter 3: Something is Missing (.pdf)

Note: Printed with permission from Addison-Wesley. "Endpoint Security" by Mark S. Kadrich. Copyright 2007. For more information about this title and other similar books, please visit www.awprofessional.com.

BROWSE BY TAG NAC and Endpoint Security Management,   Client security,   Enterprise Network Security,   Network Intrusion Detection and Analysis,   Information Security Incident Response,   Enterprise Risk Management: Metrics and Assessments,   Information Security Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Client security DLP technology challenges security costs Endpoint protection best practices manual: Combating issues, problems Kaspersky update for SMBs in wake of free Microsoft Security Essentials Microsoft makes free antivirus software widely available Security best practices in hotels Best Antimalware Products Perimeter defense in the era of the perimeterless network Microsoft Security Essentials (MSE) shows no vision, expert says Smart tactics for antivirus and antispyware Top tactics for endpoint security Information Security Incident Response Data breach notification legislation: What info must be released? Incident response planning Mature SIMs do more than log aggregation and correlation New partnerships, creative thinking help security bust recession Senators hear call for federal cybersecurity restructuring Tying log management and identity management shortens incident response Tabletop exercises sharpen security and business continuity Security incident response 101 Firms muddle security breach response, expert says Microsoft Conficker worm offers attack prevention lesson Information Security Incident Response Research Enterprise Risk Management: Metrics and Assessments How to avoid Internet liability lawsuits Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way Bernie Rominski: Communicate Effectively with Management about Risk Best Policy and Risk Management Products Monitoring program data and internal controls for risk management Risk management strategy for an information technology solution provider Align your data protection efforts with GRC The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Enterprise Risk Management: Metrics and Assessments Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary brute force cracking  (SearchSecurity.com) buffer overflow  (SearchSecurity.com) Crash Course: Spyware  (SearchSecurity.com) email spoofing  (SearchSecurity.com) phishing  (SearchSecurity.com) rootkit  (SearchMidmarketSecurity.com) social engineering  (SearchSecurity.com) Wired Equivalent Privacy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary