Information security is a tricky topic when it comes to business. On one hand, businesses want to be secure, to avoid generating negative headlines or having to tell their customers that they failed to protect their data. On the other hand, they don’t want to spend a lot of money on something that shows no tangible results, especially when that something often gets in the way of doing business. Because of this, many companies either ignore information security or do only the bare minimum to appease clients or satisfy regulatory compliance. As a direct result, many of those companies are breached (easily) and have their data stolen (also easily).
Some companies strike a compromise, seeking to implement and maintain a secure environment without necessarily breaking the bank doing so. They implement policies and procedures that offer a fair degree of safety and security, but also give the business the flexibility to achieve its objectives. The smart companies know that no system is ever truly, fully secure, or else nothing would get done. The real key is to have a comprehensive, yet sane, global information security program. The focus should be on maintaining a constant level of security appropriate to the environment through a series of security controls. This should include an incident response plan that details who the players are in any security incident, and clearly defines their roles and responsibilities.
One aspect of information security that I’d like to focus on is event monitoring and correlation. The key here is to monitor the environment, know what’s going on, and be capable of reacting to security incidents quickly and decisively. Whether done in-house or, often more cost-effectively, contracted out as a managed service, security monitoring and event correlation is a huge help in knowing what’s going on inside your network. I’m amazed at how many companies I’ve seen that don’t have basic monitoring inside their organizations. These companies (and colleges and universities) are operating blind. They have no visibility into the goings-on inside their own networks, and as a result are often completely clueless about the threats running rampant there.
In college I noticed that there didn’t seem to be any way to know what was going on with the campus network. Viruses ran rampant (Blaster, anybody?) and nobody would know until the network slowed to a crawl. I was able to solve the problem for them with a passive detection tool, a virtual honeynet. We went from not knowing to knowing within seconds of an infected machine being brought onto the network, and were able to respond appropriately.
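To make the "from not knowing to knowing within seconds" part concrete, here is an added example of the kind of correlation rule a honeynet feeds. It is not code from the original post or from any particular honeynet product, and it assumes a log format I made up for the illustration: one line per inbound TCP connection attempt, `<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>`, where every destination is unused (honeynet) address space. Because nothing legitimate should ever talk to those addresses, a single hit is already worth a low-severity ticket, and several hits from one source inside a short window look like worm-style scanning (Blaster, for instance, spread over TCP/135). The threshold and window are arbitrary choices for the example, and the log lines are constructed, not captured.

```python
"""Tiny event-correlation rule: flag hosts that touch honeynet addresses.

Assumptions (illustration only, not from the original post):
  * log lines look like  <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>
  * every destination in the log is unused address space (the honeynet)
  * any hit is suspicious; >= scan_threshold distinct targets from one
    source inside `window` is treated as scanning (worm behaviour)
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)

# Constructed sample log (not a real capture): one host sweeping TCP/135
# across the honeynet, and one host that made a single stray connection.
SAMPLE_LOG = """\
2003-08-12T09:14:01 10.20.5.77 -> 10.20.200.3:135
2003-08-12T09:14:01 10.20.5.77 -> 10.20.200.4:135
2003-08-12T09:14:02 10.20.5.77 -> 10.20.200.5:135
2003-08-12T09:14:02 10.20.5.77 -> 10.20.200.6:135
2003-08-12T09:14:03 10.20.5.77 -> 10.20.200.7:135
2003-08-12T09:20:30 10.20.9.12 -> 10.20.200.40:445
"""


def parse_events(text):
    """Parse log lines; silently skip anything that does not match the shape."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
        })
    return events


def correlate(events, window=timedelta(seconds=10), scan_threshold=5):
    """Group honeynet hits per source and classify each source.

    Returns {src: {"severity", "targets", "ports", "first_seen"}}.
      "low"  - touched unused address space at all (worth a look)
      "high" - >= scan_threshold distinct targets inside one window (scanning)
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        severity = "low"
        start = 0  # sliding window over this source's time-ordered events
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["dst"] for e in evs[start:end + 1]}
            if len(distinct) >= scan_threshold:
                severity = "high"
                break
        findings[src] = {
            "severity": severity,
            "targets": len({e["dst"] for e in evs}),
            "ports": sorted({e["port"] for e in evs}),
            "first_seen": evs[0]["ts"].isoformat(),
        }
    return findings


if __name__ == "__main__":
    for src, f in correlate(parse_events(SAMPLE_LOG)).items():
        print(f"{f['severity']:<5} {src:<12} targets={f['targets']} "
              f"ports={f['ports']} first={f['first_seen']}")
```

Run as-is it reports the TCP/135 sweeper as "high" and the single stray connection as "low". The point of the two tiers is the one the post makes: on a honeynet you do not need a signature for the worm of the week, you need to know that something inside your own address space is talking to addresses that nobody should be talking to, and then to have a human (or a service) actually look at the ticket.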
Just having the detection systems in place is not enough, though. For every company that doesn’t have any detection at all, I’ve seen at least one more that had it but didn’t monitor it unless something happened that caused them to look. That’s worse than useless! If you’re going to invest time and energy into getting a detection system, you need to ensure it’s monitored constantly (just because it’s not business hours doesn’t mean someone isn’t trying to break in), either in-house or by a managed security services provider.
Obviously I’m glossing over a lot here. I’m not attempting to write an in-depth discussion of information security as a whole. I did, however, want to point out an area of infosec that I’ve personally seen offer a significant benefit, yet that is lacking in many organizations.