We’ve all seen security theater in action before: we walk into a building where our identification is interrogated and we are practically asked for a blood sample or DNA, yet the loading dock is unmonitored; we are asked for numerous forms of identification over the phone and are still let through when we can't produce them; or, the best example, we get the complete shakedown at the airport security checkpoint while so many other entry points go unchecked and unmonitored.
But we’re not here to discuss physical security, no. We’re here to discuss the security theater we see in IT organizations every day. Security theater hides behind many masks, including the ones from our previous discussions, “TROUBLESHOOTING VS COMPLIANCE SECURITY; LOGGING WITHOUT BORDERS?” and “LOGGING; WITHOUT A COMPLETE PICTURE, WHAT’S THE POINT?”. For some organizations these are merely checkboxes, but you have to ask yourself: are you safe if you don’t know who is going through which doors at which times, and if that information is not logged? That was the point of discussing what is logged, how deeply you interrogate those logs, and how long you retain that information.
A lot of us focus on network availability and network resiliency, and so on the need to restrict and restrain what information we collect. Yet just like any building, call center or airport, if all of the points of entry are not secured, or at least monitored, it’s all a ruse built on hope and trust instead of on truly securing the facility.
Protecting the security of your organization isn’t limited to knowing what is being logged, where it is being logged and how long it is retained, along with knowing what information isn’t being collected or logged at all. It covers numerous areas, a few of which are listed below (not an exhaustive list):
- Monitoring of vendor controlled and embedded devices
Did you know that embedded devices which sit on your network but which you technically have no ‘control’ over (think GE heart rate monitors and MRI machines in hospitals, for example) still need to be patched and monitored, even though you don’t really have any ‘insight’ into them? Where the vendor won't let you patch them, the minimum is to segment them and watch their traffic from the network side.
- East West and North South traffic
With threats constantly on the rise, we’ve done an okay job of watching traffic as it enters the edge and allowing or denying it as it traverses north to south. But once traffic is already inside the network, most organizations have neither visibility into it nor any real awareness of what is going on. This lateral, east-west traffic has become the hardest threat vector to get a grip on.
- Actionable Threat Intelligence
In the event of a breach, how quickly can you identify and mitigate it? Put another way, if you have an Intrusion Detection System (IDS) and a breach does occur, what can you actually do about it? Knowing a criminal is inside your house does nothing if you have no way to handle it once breached.
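To make the east-west point and the "actionable" point concrete, here is an added example (not code from the original post). It takes flow records of the kind a NetFlow or VPC flow log would produce, classifies each as north-south (crosses the edge) or east-west (stays inside), and then flags an internal host fanning out to admin protocols on several workstations, a pattern an edge firewall never sees. The address ranges, jump-host list and flow records are constructed for the demonstration and are not from any real environment.

```python
"""Classify flows as north-south vs east-west and flag lateral-movement fan-out.

Added example, not from the original post. All networks, hosts and flow
records below are constructed for the demo.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed internal address space (hypothetical).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumed: end-user workstations live here and should not accept admin
# protocols from peer workstations, only from approved jump hosts.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
JUMP_HOSTS = {ipaddress.ip_address("10.0.9.4")}

# Destination ports of protocols commonly used for lateral movement.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 22: "SSH"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.20.1.15", "203.0.113.9", 443, 12000),   # workstation -> internet
    ("198.51.100.7", "10.0.5.2", 443, 900),      # internet -> DMZ web server
    ("10.20.1.15", "10.20.1.33", 445, 40000),    # workstation -> workstation SMB
    ("10.20.1.15", "10.20.1.40", 445, 38000),
    ("10.20.1.15", "10.20.1.41", 3389, 5100),    # workstation -> workstation RDP
    ("10.20.1.15", "10.20.1.52", 445, 41000),
    ("10.0.9.4", "10.20.1.33", 3389, 8000),      # approved jump host -> workstation
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(src: str, dst: str) -> str:
    """East-west if both ends are internal; otherwise the flow crossed the edge."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"


def count_by_class(flows) -> dict:
    """How much of the traffic an edge-only sensor would never have seen."""
    return dict(Counter(classify(src, dst) for src, dst, _, _ in flows))


def find_lateral_movement(flows, min_peers: int = 3) -> dict:
    """Return {src: [(dst, proto), ...]} for internal hosts that reach admin
    ports on at least min_peers distinct workstations. Approved jump hosts are
    excluded, since their fan-out is expected; everything else is not."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        if classify(src, dst) != "east-west" or port not in ADMIN_PORTS:
            continue
        if ipaddress.ip_address(src) in JUMP_HOSTS:
            continue
        if ipaddress.ip_address(dst) not in WORKSTATION_NET:
            continue
        peers[src].add((dst, ADMIN_PORTS[port]))
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


def build_alert(src: str, peers) -> dict:
    """Package the evidence with the containment scope so the alert is actionable:
    who to isolate and which hosts to triage, not just 'something happened'."""
    return {
        "source": src,
        "protocols": sorted({proto for _, proto in peers}),
        "isolate": [src],
        "triage": [dst for dst, _ in peers],
    }


if __name__ == "__main__":
    print("flows by class:", count_by_class(FLOWS))
    for src, peers in find_lateral_movement(FLOWS).items():
        print("lateral movement alert:", build_alert(src, peers))
```

The threshold (`min_peers`) and the jump-host allow list are the tuning knobs: without the allow list the example would page on every legitimate admin session, which is exactly the kind of noise that turns a detection into theater.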
It’s a shame there is no one panacea to resolve these kinds of threats, risks and dangers which plague our environments every single day.
What are some other areas you see IT Departments practicing security theater? Do these examples resonate with you, and what do you think we can do about it?