In advance of the upcoming Black Hat conference, the organization released a first-ever research report based on results of a survey to prior conference attendees. The report, titled, “2015: Time to Rethink Enterprise IT Security”, “reveals a significant gap between the priorities and concerns as well as the actual expenditure of security resources in the average enterprise.”
How stark is this gap?
Top concerns listed in the report include sophisticated targeted attacks (57% of respondents) and social engineering (46% of respondents). Security professionals, however, are actually spending their time in other areas, including addressing vulnerabilities introduced by internal (35%) and off-the-shelf software (33%).
Such a gap between importance and activity is not really news. We wrote about a similar gap showing that while 56% of respondents to a survey would be looking to increase their security spend to deal with insider threats next year, the leading categories where organizations plan to actually increase their security spend during the next 12 months were: Network defenses (52%), Endpoint, Mobile device protection (50%), and so on. There’s a disconnect there, too.
What’s the source of this ongoing gap?
I would contend that it is a lack of maturity, a lack of security maturity to borrow a phrase from Brian Krebs, that leads to the disparity between security priorities and actual activities. When organizations are focused on the “blocking and tackling” – like finding and fixing vulnerabilities, standing up new firewalls, or endpoint security tools – without the right philosophy, people structure, process or technology platforms in place, they will always find themselves spinning in an infinite loop of breach response madness.
How to overcome the maturity gap
I’m going to borrow a simple security model developed by the Enterprise Strategy Group (and noted in Brian’s article mentioned above) that will help you assess where you are now on your journey to becoming a more mature security organization. For illustration purposes, I will map common attributes in the context of privileged account management and vulnerability management to the levels in the model. The activities would differ of course based on the topic you wish to assess.
Basic Security Model
- Manual processes for managing privileged passwords, including spreadsheets, wetware
- Nearly all users in the organization have administrator access on their machines
- No session monitoring or recording of privileged use
- Lack of auditing and control over root accounts and privileged accounts
- Disorganized and chaotic directory services infrastructure, with multiple logons required and inconsistent policy
- No visibility over changes made to AD objects, configurations or permissions
- Individual patching, management and policies by system in a complex, heterogeneous environment
- No singular clear picture of threats or what to do about them
- Some automation and some cycling of some privileged passwords
- 50% or fewer users with administrator credentials in the organization
- Some session monitoring for compliance purposes, snapshotting
- Common use of the root account, with some auditing of usage, perhaps using sudo
- Few, but not one login to heterogeneous systems
- Some change auditing, but lacking recovery of unwanted changes
- More automated scanning on vulnerable systems
- Threat analytics mostly from SIEMs
- Automated password and session management of all shared accounts
- Least privilege implemented organization-wide, on all systems and machines
- Automatic recording of keystrokes/video/over-the-shoulder activities
- Full control and accountability over privileged users on any system, eliminating root access or insufficient methods like sudo
- Single sign on for heterogeneous systems leveraging familiar infrastructure
- Full auditing and recovery of changes across the environment; Ability to proactively know and deliver what auditors are looking for
- Automated scanning, patching and reporting of vulnerable systems
- Integrated threat analytics to improve decision making
