Security is a key operational consideration for organizations today because a breach can lead to significant losses of revenue, reputation, and legal standing. An entity's environment is an ecosystem composed of users, roles, networking equipment, systems, and applications coming together to facilitate productivity and profitability as securely as possible. An environment will never be 100% secured against all threats. The next best option is to be proactive: defend against known attacks, and provide real-time, adaptable monitoring that detects and alerts on behavior outside what is considered normal in the environment.
This blog series will present suggestions and guidelines for building and maintaining an environment for administrators to defend against and mitigate threats.
Security is no longer just an overlay to a network topology. Security methods provide protection for data, access, and infrastructure, and should be defined and deployed based on a carefully defined security policy. An effective security policy integrates well-known protection methods into a network in a way that meets both security standards and the business goals of the entity being secured. This is facilitated by defining use cases representing key business drivers, such as:
- Improved efficiency through streamlined security processes, reducing operational expenses in terms of time, money, and personnel
- Increased productivity through well-defined and applied policies that correctly balance the level of access with perceived risk
- Better agility, allowing for efficiency in implementing compliance and regulatory objectives, migration strategies, and risk mitigation techniques
Identifying use cases is often the catalyst for a security policy review. Remember, each entity within an organization will have its own objectives. Even if things look typical on the surface, to sell the security policy, its benefits must be apparent to each stakeholder.
Here are some common use cases and relevant details a security policy should outline.
Performance and Availability
- Capacity and potential growth
- Efficient use of bandwidth and device resources
- Planning for redundant designs
Audit and Logging
- Compliance or legal requirements
- Compliance demonstration during audits
- Granularity of monitoring and control
- Detect suspicious behavior of log sources
- React to expected hosts/log sources not reporting
- Installation of agents on endpoints or collectors
- Consolidation of log sources for a single view
- What is the cost of downtime?
- Acquisition and placement of management tools
- What key events need to be highlighted?
- Application of analytics, rulesets, and alerts
- Escalation chain to handle alerts and incident response
- Automated controls versus user intervention
- Issue reporting mechanisms and management protocols
- Support costs: in-house or outsourced
- Centralized repository versus per-device
- Need for multiple levels of control
- Automation of distribution
- Change management processes
- Vulnerability assessment strategy
Acceptable Use Monitoring
- Analyzing user behavior to detect potentially suspicious patterns
- Analyzing network traffic to pinpoint trends indicating potential attacks
- Identifying improper user account usage, such as shared accounts
- Publishing policies for the use of the organization's resources
- Developing a baseline document that outlines threshold limits, critical resource information, user roles, and policies, and applying it to a monitoring system, service, or playbook
- Legally acceptable methods of handling breaches
Identify the threats and attacks of concern (these may be industry-specific):
- Detecting data exfiltration by attackers
- Detecting insider threats
- Identifying compromised accounts
- Detection of brute force attacks
- Application defense checks
- Malware checks and update process
- Detection of anomalous ports, services, and unpatched hosts/network devices
- Incident investigation process
- Proactive threat hunting
- Engaging legal entities and incident response personnel
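Two of the use cases above, reacting to expected log sources that stop reporting and detecting brute force login attempts, are easy to describe and easy to get subtly wrong in a rule set. The following added example (it is not code from the original post or from any SolarWinds product) shows both checks over a handful of constructed key=value log lines. The log format, the host inventory in EXPECTED_HOSTS, the host names, and the 203.0.113.5 address are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, "TIMESTAMP key=value ...", not taken from any real system.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 host=web01 event=heartbeat",
    "2024-05-01T10:00:05 host=db01 event=heartbeat",
    "2024-05-01T10:00:10 host=web01 event=auth_fail user=admin src=203.0.113.5",
    "2024-05-01T10:00:12 host=web01 event=auth_fail user=admin src=203.0.113.5",
    "2024-05-01T10:00:14 host=web01 event=auth_fail user=admin src=203.0.113.5",
    "2024-05-01T10:00:16 host=web01 event=auth_fail user=admin src=203.0.113.5",
    "2024-05-01T10:00:18 host=web01 event=auth_fail user=admin src=203.0.113.5",
    "2024-05-01T10:00:20 host=web01 event=auth_fail user=admin src=203.0.113.5",
    "2024-05-01T10:05:00 host=web01 event=heartbeat",
    "2024-05-01T10:10:00 host=web01 event=heartbeat",
]

# Hypothetical inventory of sources that are expected to report. fw01 never
# appears in the sample, which is exactly the case an event-driven rule misses.
EXPECTED_HOSTS = {"web01", "db01", "fw01"}


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.fromisoformat(ts_text)}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_logs(lines):
    return [parse_line(line) for line in lines if line.strip()]


def silent_sources(events, expected_hosts, now, max_gap):
    """Return {host: last_seen} for inventory hosts that have not reported within
    max_gap of 'now'. Hosts that never appear at all are included with last_seen=None,
    because the absence of events is what a purely event-driven alert cannot see."""
    last_seen = {}
    for ev in events:
        host = ev.get("host")
        if host in expected_hosts:
            last_seen[host] = max(ev["ts"], last_seen.get(host, ev["ts"]))
    silent = {}
    for host in expected_hosts:
        seen = last_seen.get(host)
        if seen is None or now - seen > max_gap:
            silent[host] = seen
    return silent


def brute_force_candidates(events, threshold, window):
    """Return {(src, user): peak_failures} for source/user pairs whose failed logins
    reach 'threshold' inside any sliding time window of length 'window'.
    A sliding window avoids the classic gap where attempts straddle a fixed bucket boundary."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("event") == "auth_fail":
            failures[(ev.get("src"), ev.get("user"))].append(ev["ts"])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def run_demo():
    """Run both checks over the constructed sample and return their results."""
    events = parse_logs(SAMPLE_LOGS)
    now = datetime.fromisoformat("2024-05-01T10:12:00")
    silent = silent_sources(events, EXPECTED_HOSTS, now, timedelta(minutes=5))
    brute = brute_force_candidates(events, threshold=5, window=timedelta(seconds=60))
    return silent, brute


if __name__ == "__main__":
    silent, brute = run_demo()
    print("silent sources:", silent)
    print("brute force candidates:", brute)
```

With the sample data, db01 last reported almost twelve minutes before the evaluation time and fw01 never reported, so both are flagged as silent, while web01 is healthy. The six failed admin logins from 203.0.113.5 within ten seconds exceed the threshold of five per minute. The thresholds and the inventory belong in the baseline document described above, not in the code, so that they can be tuned per site without changing the rule logic.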
In summary, a security policy builds the foundation for a secure network, but it must be valuable and enforceable to an organization and all stakeholders.
In the next blog in this series, we’ll look at how use cases can be mapped to the components in the environment.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.