VP, Product Management
J.R. Cunningham is an accomplished innovator and premier thinker in cyber security and risk management. As vice president of product management, Cunningham is responsible for maintaining Optiv’s industry leading advisory services offerings and developing innovative and practical solutions that solve real-world security challenges.
Leveraging Policy and Procedure to Get the Most Out of Cyber Defense Technology
Why Policy and Procedure is Critical to Effective Technology Countermeasure DeploymentTechnology countermeasures have come a long way since the dawn of information technology security. Just over a decade ago, IT security technology could be loosely categorized into endpoint and network security. With these broad categories one would have covered the vast majority of technology countermeasures available to mitigate risk. Fast-forward to the present: Even trying to categorize certain technologies into a broad “type” such as network security is difficult, especially when we consider cutting edge technologies centered around dealing with advanced persistent threats. Times have changed.
The complexity of cyber technology countermeasures is further complicated by how those technologies are deployed in an organization, and effective policy and procedure is an often-overlooked aspect of an effective cyber defense strategy. Mitigating risk with technology requires a balanced, risk-centric approach which is codified by an effective security policy and the appropriate procedures surrounding specific defenses.
One of my favorite examples of this concept is vulnerability management. A few years ago I was deploying a cutting-edge vulnerability management system for a client. The client asked me if we could exclude a block of IP addresses from being scanned by the vulnerability management solution. “Sure,” I replied, “What do you want to exclude?” The client’s reply startled me, “The phone system. Every time we scan it for vulnerabilities, it crashes.” I asked the client, a mid-level IT security analyst, if he thought this represented a vulnerability, as an attacker would certainly not exclude the phone system from a reconnaissance gathering mission, and therefore likely crash the phone system during a scan. “Of course, but our department gets lots of attention when we bring down the phone system, so let’s exclude it from being scanned.” As a cyber security professional, this represented a profound failure of policy and procedure in the risk management process. My client, in this instance, had all of the components necessary for effective situational awareness regarding vulnerabilities, and yet had a phone system that was vulnerable to the most basic pre-attack activity: A vulnerability scan.
I spent some time with this client and built an effective case to demonstrate to the CISO this real and acute risk that could be effectively mitigated in a number of ways. Approaching the phone system vendor for a software update was obviously the preferred approach, but several technologies existed to help mitigate this specific risk. This particular client had an IPS system in the network core, so creating a signature to block the specific attack that exploited the phone system vulnerability was also an effective method for both eliminating the vulnerability as well as allowing the vulnerability management system to effectively do its job.
Once the CISO understood the risk of an attacker taking down the phone system with a simple reconnaissance scan, she determined the appropriate approach was to go ahead and create the recommended IPS signature while attempting to provide a fix from the phone system vendor.
In this example, technology wasn't the issue: All of the tools necessary to identify and mitigate risk were present—the failure (which created vulnerability) was in procedure. A coherent explanation of the risks to the CISO was the only thing necessary to enable a risk-centric decision.
Another common example of this phenomenon is Intrusion Prevention. So often my clients shut off the medium level signatures on their IPS as well as protocol anomaly detection because their custom applications trigger “false positives”. Often times, these “false positives” are actual vulnerabilities or weaknesses in custom code which are ignored, not by policy, but rather by lack of policy and procedure surrounding such risks. Again, in this instance, all of the technology exists to mitigate risk, but often times we make “lack of policy” decisions at the technical level within an organization and aren’t able to effectively communicate such risks in a business-centric view to an appropriate risk decision maker (CISO, CIO, etc…).
The solution, albeit simple, takes dedication and commitment at all levels within an organization. Before technologies are deployed, a basic policy and procedure framework should be established as part of the requirements definition for a new cyber defense technology. In the vulnerability management example, for instance, some basic policy and procedure items would be: The scanning interval, how detailed the routine scans will be, how quickly vulnerabilities of a particular severity will be patched, how discovered vulnerabilities are communicated within the organization, and how patched vulnerabilities are verified.
Once a basic policy and procedure framework is in place and the technology deployed, further procedure work is necessary to fine-tune how the organization adopts and manages the new risk-mitigation technology. Just as we fine-tune technical countermeasures during their lifecycle, we must also fine-tune our policy and procedures to ensure we are getting the maximum possible situational awareness and risk mitigation from the technology.
Cyber defense is complex, and effective risk management is a complex relationship between technology, process, and people. Effective policy and procedure is a critical component in cyber defense and should be given its due attention in any cyber defense strategy.
As published in Cyber Defense Magazine