cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

Maintaining a Secure Environment: Use Cases Build a Security Policy

Level 10

Security is a key operational consideration for organizations today because a breach can lead to significant losses of revenue, reputation, and legal standing. An entity’s environment is an ecosystem comprised of users, roles, networking equipment, systems, and applications coming together to facilitate productivity and profitability as securely as possible. An environment will never be 100% secured against all threats. The next best option is to be proactive to defend against known attacks and to provide real-time, adaptable monitoring capabilities to detect and alert on behaviors outside of what are considered normal in the environment.

This blog series will present suggestions and guidelines for building and maintaining an environment for administrators to defend against and mitigate threats.

Security is no longer just an overlay to a network topology. Security methods provide protection for data, access, and infrastructure, and should be defined and deployed based on a carefully defined security policy. An effective security policy integrates well-known protection methods into a network in a way that meets both security standards and the business goals of the entity being secured. This is facilitated by defining use cases representing key business drivers, such as:

  • Improved efficiency through streamlined security processes reducing operational expenses in terms of time, money, and personnel
  • Increased productivity through well-defined and applied policies correctly balancing the level of access with perceived risk
  • Better agility allowing for efficiency with respect to the implementation of compliance and regulatory objectives, migration strategies, and risk mitigation techniques.

Identifying use cases is often the catalyst for a security policy review. Remember, each entity within an organization will have its own objectives. Even if things look typical on the surface, to sell the security policy, its benefits must be apparent to each stakeholder.

Here are some common use cases and relevant details a security policy should outline.

  • Performance and Availability
    • SLA requirements
    • Capacity and potential growth
    • Efficient use of bandwidth and device resources
    • Planning for redundant designs
  • Audit and Logging
    • Compliance or legal requirements
    • Compliance demonstration during audits
    • Granularity of monitoring and control
      • Per user
      • Command level
    • Detect suspicious behavior of log sources
    • React to expected host/log sources not reporting
    • Installation of agents on endpoints or collectors
    • Consolidation of log sources for a single view
  • Monitor/troubleshoot
    • What is the cost of downtime?
    • Acquisition and placement of management tools
    • What key events need to be highlighted?
    • Application of analytics, rulesets, and alerts
    • Escalation chain to handle alerts and incident response
    • Automated controls versus user intervention
    • Issue reporting mechanisms and management protocols
    • Support costs: in-house, outsourced
  • Asset Provisioning
    • Centralized repository versus per-device
    • Need for multiple levels of control
    • Automation of distribution
    • Change management processes
    • Vulnerability assessment strategy
  • Acceptable Use Monitoring
    • Employee monitoring
    • Analyzing user behavior to detect potentially suspicious patterns
    • Analyzing network traffic to pinpoint trends indicating potential attacks
    • Identifying improper user account usage, such as shared accounts
    • Publishing policies for the use of the organization’s resources
    • Develop a baseline document to outline threshold limits, critical resources information, user roles, and policies, and apply this to a monitoring system, service, or playbook
    • Legally acceptable method of handling breaches
  • Threat Playbook
    • Identify the threats and attacks of concern (could be industry-specific):
      • Detecting data exfiltration by attackers
      • Detecting insider threats
      • Identifying compromised accounts
      • Detection of brute force attacks
      • Application defense checks
      • Malware checks and update process
      • Detection of anomalous ports, services, and unpatched hosts/network devices
      • Incident investigation process
    • Proactive threat hunting
    • Engaging legal entities and incident response personnel

In summary, a security policy builds the foundation for a secure network, but it must be valuable and enforceable to an organization and all stakeholders.

In the next blog in this series, we’ll look at how use cases can be mapped to the components in the environment.

11 Comments
Level 13

Thanks - looks like it will be another good series.

Level 14

Thanks for the thorough article!  Looking forward to more from this series.

Level 12

One day I would love to work at a company where the executives in charge of budgeting take security seriously BEFORE a breach.

MVP
MVP

Thanks for the thorough article!

MVP
MVP

Good information - I love the bullet points - I HAVE TAKEN THIS INFO INTO MY SECURITY PILE. 

You know.. I met with Palo Alto today .. and as we were discussing security .. I realized that I had finally impressed upon our management to spend some money on security.  Why did I have to act like a buffoon ... more than once .. I hate behaving like a 5 year old!   We had the budget presentation to the board of directors a couple weeks ago, and management finally intends to have some type of assessment done this year!!! Whew... !!!  ntimms ,  I really appreciate you taking the time to provided this information!

In "Rick-Perfect-World" all those items would be mandatory before any users were allowed to have logins or equipment or network access.  Management would be required to provide budget and ongoing training and appropriate staffing levels.  Users would be required to successfully pass quarterly or monthly training tests.  Security would train users then test them randomly and frequently with fake phishing e-mails that would catch folks who might make mistakes--and then help them understand how to recognize phishing and deal with it correctly.

Thanks for making the list!

Level 20

Using the NIST 800-53 security controls as a guide is very effective.

Level 11

Yeah, too bad it takes either a massive breach or a higher power mandating these things be assessed and then implemented (without the budget to do so). Oh, usually after there are repeated attacks, hacks and breaches.

Level 14

ISO27001 External audit in 8 days here.  Fingers crossed.

Level 11

Thanks for the article.

Level 12

thanks for the post