File Integrity Monitoring: Why Change Management Is the Best Security Measure You Can Implement

Introduction

With growing awareness that cyber security is an urgent priority for any business, there is a ready market for intelligent and automated security defenses. The silver bullet against malware and data theft is still being developed (I promise!), but in the meantime there are hordes of vendors who will sell you the next best thing.

The problem is, who do you turn to? According to, say, the Palo Alto Networks salesman, his firewall appliance is the number one thing you need to protect your company’s intellectual property. Talk to the FireEye salesman afterwards and he may not agree, telling you instead that one of his sandbox boxes is what will protect your company from malware. The McAfee representative, meanwhile, will tell you that endpoint protection is where it’s at, and that a Global Threat Intelligence approach should cover you for all threats.

In one respect they are all right at the same time: you need a layered approach to security defenses, and you can rarely have “too much” security. So is the answer as simple as ‘buy and deploy as many security products as you can’?

Cyber Security Defenses: Can You Have Too Much of a Good Thing?

Before you draw up your shopping list, keep in mind that all of this is really expensive, and the idea of buying a smarter firewall to replace your current one, or a sandbox to augment what your MIMEsweeper already provides, warrants a pause for thought. Considering all the security products on offer, which gives the best return on investment?

Arguably the best-value security product isn’t really a product at all. It has no flashing lights, not even a sexy-looking case that would look good in your comms cabinet, and its datasheet lists no impressive packets-per-second throughput figures. What a good change management process does give you, however, is complete visibility of any malware infection and of any potential weakening of defenses, as well as control over service delivery performance.

In fact, many of the best security measures you can take can seem a bit boring (compared to new network kit, what doesn’t?), but to provide a truly secure IT environment, security best practices are essential.

Change Management: The Good, the Bad, and the Ugly (and the Downright Dangerous)

There are four main types of changes within any IT infrastructure.

  • Good planned changes (expected and intentional; they improve service delivery performance and/or improve security)
  • Bad planned changes (intended and expected, but poorly or incorrectly implemented, so they degrade service delivery performance and/or reduce security)
  • Good unplanned changes (unexpected and undocumented, usually emergency changes that fix problems and/or improve security)
  • Bad unplanned changes (unexpected, undocumented, and unintentionally creating new problems and/or reducing security)

A malware infection, whether planted intentionally by an insider or by an external attacker, also falls into the last category of bad unplanned changes. So does a rogue developer implanting a backdoor in a corporate application. Fear of a malware infection, be it a virus, a Trojan or the new malware buzzword, the APT, is often the top concern for CISOs and helps sell security products, but should it be?

A bad unplanned change that inadvertently makes the organization more prone to attack is far more likely than a malware infection, because every change made within the infrastructure has the potential to reduce protection. Developing and implementing a hardened build standard takes time and effort, but undoing that laborious configuration work takes only a clumsy engineer taking a shortcut or introducing a typo. Every time a bad unplanned change goes undetected, the once-secure infrastructure becomes more vulnerable to attack, so when your organization is eventually hit by a cyber attack, the damage will be much, much worse.

To this end, shouldn’t we take change management much more seriously and strengthen our preventative security measures, instead of relying on yet another device that will remain fallible when it comes to zero-day threats, targeted phishing and plain incompetence?

The change management process in 2013: closed loop and full visibility of the change

The first step is to get a change management process in place. For a small organization, just a spreadsheet, or a procedure of emailing all stakeholders to let them know a change is about to be made, at least provides some visibility and some traceability if problems arise later. Cause and effect generally applies when making changes: whatever changed last is usually the cause of the latest problem.

That is why, once a change has been implemented, checks must be carried out to confirm that everything was implemented correctly and that the desired improvements have been achieved (this is what makes the difference between a good planned change and a bad planned change).

For simple changes, say a new DLL deployed to a system, this is easy to describe and easy to review and verify. For more complicated changes the verification process is correspondingly more complex. Unplanned changes, good and bad, present a much harder challenge: what you can’t see, you can’t measure, and by definition unplanned changes are made without documentation, planning or, often, anyone’s knowledge.

Contemporary change management systems use file integrity monitoring (FIM), which provides zero tolerance for change: if anything changes, whether a configuration attribute or a file on the file system, the change is logged. In practice the monitor records a baseline of each file’s cryptographic hash and attributes and re-checks against it, so a single altered byte or permission bit is reported.

In advanced FIM systems, a time window or change template can be predefined ahead of a change, providing a means of automatically aligning RFC (Request for Change) details with the changes actually detected. This makes it easy to see every change made during a planned change and greatly improves the speed and ease of verification.

This also means that any change detected outside a defined planned change can immediately be classified as unplanned, and therefore potentially harmful. Investigating it becomes a priority task, but with a good FIM system all recorded changes are clearly presented for review, ideally with “who made the change?” data alongside the what and when.
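To make the mechanism described in the last three paragraphs concrete, here is a small Python file integrity monitor with RFC change-window reconciliation. It is an added example written for this page, not code from the original article or from any FIM vendor: it baselines a directory by SHA-256 hash and permission bits, diffs a later snapshot, and attributes each detected change to an RFC whose time window is open and whose change template lists that path, marking everything else UNPLANNED. The directory contents, file names, timestamps and the RFC-1042 window are all constructed for the demonstration.

```python
"""Minimal file integrity monitor with RFC change-window reconciliation.
Added example for this page; the files, paths and RFC number are constructed."""
import hashlib
import stat
import tempfile
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries never load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, dict]:
    """Baseline every regular file under root: content hash plus permission bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": stat.S_IMODE(p.stat().st_mode),
            }
    return baseline


def diff(before: dict, after: dict) -> list[tuple[str, str]]:
    """Zero tolerance: report every added, removed, modified or re-permissioned file."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes.append((path, "added"))
        elif path not in after:
            changes.append((path, "removed"))
        elif before[path]["sha256"] != after[path]["sha256"]:
            changes.append((path, "modified"))
        elif before[path]["mode"] != after[path]["mode"]:
            changes.append((path, "permissions"))
    return changes


@dataclass(frozen=True)
class ChangeWindow:
    """An approved RFC: when it may run and which paths it is expected to touch."""
    rfc: str
    start: datetime
    end: datetime
    expected_paths: frozenset


def classify(changes, detected_at: datetime, windows) -> list[tuple[str, str, str]]:
    """Attribute each change to the RFC whose window is open and whose template
    lists the path; everything else is UNPLANNED and needs investigation."""
    result = []
    for path, kind in changes:
        match = next((w for w in windows
                      if w.start <= detected_at <= w.end and path in w.expected_paths),
                     None)
        result.append((path, kind, match.rfc if match else "UNPLANNED"))
    return result


def demo(after_window: bool = False) -> list[tuple[str, str, str]]:
    """Constructed scenario: RFC-1042 is approved to drop app/new.dll between
    02:00 and 04:00. During that window an engineer also weakens the SSH config
    and loosens a key file, which no RFC covers. With after_window=True the
    scan is attributed to 05:00, so even the DLL falls outside any RFC."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "etc").mkdir()
        (root / "app" / "core.dll").write_bytes(b"core v1")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        key = root / "etc" / "server.key"
        key.write_bytes(b"-----BEGIN PRIVATE KEY-----\n")
        key.chmod(0o400)                     # hardened build: owner read-only
        before = snapshot(root)

        (root / "app" / "new.dll").write_bytes(b"new v1")                  # planned, RFC-1042
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # unplanned
        key.chmod(0o644)                     # unplanned: key now world-readable
        after = snapshot(root)

    windows = [ChangeWindow("RFC-1042", datetime(2013, 6, 1, 2, 0),
                            datetime(2013, 6, 1, 4, 0), frozenset({"app/new.dll"}))]
    detected_at = datetime(2013, 6, 1, 5, 0) if after_window else datetime(2013, 6, 1, 2, 30)
    return classify(diff(before, after), detected_at, windows)


if __name__ == "__main__":
    for path, kind, rfc in demo():
        print(f"{rfc:10} {kind:12} {path}")
```

Run as a script, the report attributes the new DLL to RFC-1042 and flags the sshd_config edit and the key-file permission change as UNPLANNED; those two are exactly the “clumsy engineer undoes the hardening” cases the earlier section warns about, and a file-content hash alone would have missed the second one, which is why the snapshot records permission bits as well. A real deployment would persist the baseline with its own integrity protection and record who made each change from the platform’s audit log, neither of which this toy attempts.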

Summary

Change management features heavily in every security standard, such as PCI DSS, and in every best practice framework, such as the SANS Top Twenty, ITIL or COBIT.

If change management is not part of your IT processes, or your existing process is not fit for purpose, perhaps this should be addressed as a priority. Coupled with a good enterprise file integrity monitoring system, change management becomes a much easier process, and this may be a better investment right now than any flashy new device.
