Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches
Commentary

4/13/2015 11:00 AM
Steve Riley

Better Together: Network Operations & Infosec

Getting networking and information security teams together in the same room is a critical step for companies that want to build a continuous information security culture.

The recent attacks against Anthem and Premera Blue Cross are the latest case studies demonstrating why network operations and security operations must converge. This is something information security professionals should welcome, even demand. The network operations team can be an information security department's best resource for understanding what is actually happening on an organization's network, a view that traditional security tools and best practices alone cannot provide.

Understanding what "normal" network activity looks like is critical to quickly spotting suspicious activity that points to a malicious outsider or insider, or to a mistake by an innocent employee that results in data theft or loss. However, bridging the gap between the Network Operations Center (NOC) and the Security Operations Center (SOC) is not only a technology challenge but also an organizational one. There are three keys to fostering this collaboration:

  • Eliminating the silos that separate both systems and personnel, 
  • Creating joint emergency response teams comprised of network operations and information security personnel, and
  • Implementing a long-term plan for how to constantly improve processes and training.

In the typical IT organizational chart, network operations is responsible for ensuring system performance and information availability, while information security focuses on protecting those systems and information stores from threats. Too often, as Rudyard Kipling wrote, "never the twain shall meet." However, the spate of high-profile breaches against large companies across retail, financial services, and healthcare over the last year shows that this must change.

In most of these cases, the companies were not aware they had been breached until a third party notified them. Although Anthem discovered its breach on its own after a database administrator noticed a query running with his account that he didn't initiate, that discovery wasn’t made until after the attacker had spent six weeks silently stealing information.

For an enterprise, the key takeaway is the critical need to detect activity on the network that can lead to a data breach. That capability is diminished when security operations and network operations work in silos. A security incident then has to be handled twice: first by the SOC, which has evidence of malicious activity but often no mechanism for actively stopping it, and then again by the NOC, which has to wait for specific instructions from the SOC. Every delay in that hand-off is an advantage for the attacker.

Additionally, most technology systems and business applications work in their own silos and do not communicate with one another. Consequently, IT cannot streamline or automate information sharing, or correlate security events with performance issues. Here are four steps to overcome this organizational hurdle:

Step 1: To maximize insight, foster teamwork
The first step is to acknowledge the value of the network team in security operations. Network engineers have visibility into, and access to, forensic data that simply does not exist in other parts of an organization. Once IT leadership acknowledges this, the next step is putting the tools and processes in place to integrate network resources into security processes. It sounds simple, but a thorough understanding of what normal looks like is a critical factor in detecting and stopping potentially harmful activity on your organization's network.

Step 2: Packet capture, meet SIEM
Security teams should work to leverage the network team's investments in packet capture agents, packet analyzers, NetFlow sources, and deep packet inspection performance monitoring. Often these can be tightly integrated into a Security Information and Event Management (SIEM) system for high-fidelity visibility and quick pivots into useful forensic data. It is also worth noting how the Premera breach serves as a reminder to information security professionals that joining forces with the network team does not obviate the need to continue traditional due diligence. Premera had failed to install the most recent security patches, opening the door to the attackers.
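The "know what normal looks like" idea behind Steps 1 and 2 is easy to state and worth seeing in code. The following is an added example written for this page; it is not from the article, from Riverbed, or from any SIEM vendor. It takes NetFlow-style records of the kind the network team already collects, builds a per-host egress baseline from a week of flows, and flags a host that suddenly sends an unusual volume to a destination it has never talked to, which is the shape of the Anthem exfiltration described above. The flow records, the assumption that 10.0.0.0/8 is the corporate address space, and the sigma and byte thresholds are all constructed for illustration.

```python
"""Baseline-and-deviation check over NetFlow-style egress records.

Added example for this article, not code from the article or from
Riverbed. Every flow record, address range and threshold below is
constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed corporate address space (constructed).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed baseline: five days of flows. Fields are
# (day, src_ip, dst_ip, dst_port, bytes). 10.1.1.5 is a database server that
# replicates internally and talks modestly to a SaaS provider at 198.51.100.7;
# 10.2.2.10 is a workstation using the same SaaS provider.
BASELINE_FLOWS = (
    [(d, "10.1.1.5", "10.1.1.20", 1433, 4_000_000) for d in range(1, 6)]
    + [(d, "10.1.1.5", "198.51.100.7", 443, 1_500_000 + 100_000 * (d % 3))
       for d in range(1, 6)]
    + [(d, "10.2.2.10", "198.51.100.7", 443, 800_000 + 50_000 * (d % 2))
       for d in range(1, 6)]
)

# Constructed "today": the database server pushes 2 GB to an address it has
# never spoken to; the workstation behaves as usual.
TODAY_FLOWS = [
    (6, "10.1.1.5", "10.1.1.20", 1433, 4_100_000),
    (6, "10.1.1.5", "203.0.113.9", 443, 2_000_000_000),
    (6, "10.2.2.10", "198.51.100.7", 443, 820_000),
]


def is_egress(src, dst):
    """True when a flow leaves the corporate range."""
    return (ipaddress.ip_address(src) in INTERNAL
            and ipaddress.ip_address(dst) not in INTERNAL)


def egress_profile(flows):
    """Per source host: bytes sent out per day, and the set of external
    destinations. Internal-to-internal flows are ignored."""
    bytes_by_day = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, src, dst, _port, nbytes in flows:
        if not is_egress(src, dst):
            continue
        bytes_by_day[src][day] += nbytes
        dests[src].add(dst)
    return bytes_by_day, dests


def build_baseline(flows):
    """Mean and population stdev of daily egress per host, plus known peers."""
    bytes_by_day, dests = egress_profile(flows)
    baseline = {}
    for src, per_day in bytes_by_day.items():
        daily = list(per_day.values())
        baseline[src] = {"mean": mean(daily), "stdev": pstdev(daily),
                         "dests": dests[src]}
    return baseline


def find_deviations(baseline, flows, sigma=3.0, floor_bytes=1_000_000):
    """Flag hosts whose egress exceeds mean + sigma*stdev (never below
    floor_bytes, so a host with near-zero variance does not alert on noise)
    or that reach a destination absent from the baseline."""
    bytes_by_day, dests = egress_profile(flows)
    alerts = []
    for src, per_day in bytes_by_day.items():
        total = sum(per_day.values())
        prof = baseline.get(src)
        if prof is None:
            alerts.append({"host": src, "reasons": ["no_baseline"],
                           "bytes": total, "new_dests": sorted(dests[src])})
            continue
        threshold = max(prof["mean"] + sigma * prof["stdev"], floor_bytes)
        reasons = []
        if total > threshold:
            reasons.append("volume")
        new_dests = sorted(dests[src] - prof["dests"])
        if new_dests:
            reasons.append("new_destination")
        if reasons:
            alerts.append({"host": src, "reasons": reasons, "bytes": total,
                           "threshold": threshold, "new_dests": new_dests})
    return alerts


def check_today():
    """Run the constructed scenario and return the alerts a SIEM would ingest."""
    return find_deviations(build_baseline(BASELINE_FLOWS), TODAY_FLOWS)


if __name__ == "__main__":
    for alert in check_today():
        print(alert)
```

The two signals are deliberately independent: a host exfiltrating slowly to a known-good destination trips neither, so in practice this baseline would sit beside the packet-capture pivot the article describes rather than replace it. Feeding the alert dictionary into the SIEM with the matching flow records lets the SOC hand the NOC a concrete host, destination and byte count instead of a vague request to "look into" a server.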

Step 3: Change the culture, but hand-offs still apply
In terms of fostering collaboration, there should be clear roles and responsibilities across NOC and SOC teams, supported by well-defined “hand-offs.” Documenting them isn’t enough. You have to use them, analyze key weaknesses, and continuously improve them. Joint emergency response teams enable broader insight, increased tribal knowledge, faster artifact gathering, well-rounded analysis, and ultimately a stronger information security posture. Identify and appoint a strong leader who can rally the troops, and mold them into a cohesive team passionate about continuous improvement – not just compliance.

Step 4: Don’t accept the status quo
With a strong base to build upon, an organization should turn its focus to accelerating and improving its capabilities. Never be satisfied with the status quo. To optimize operations, borrow from traditional continuous improvement strategies such as the Theory of Constraints and Lean, or from lessons learned in the DevOps movement. Invest in training and skill development so your people are effective and empowered, break work into smaller chunks so it flows more smoothly, automate to gain operational efficiencies, and measure the risk, performance, and quality of operations.

Threats are getting increasingly harder to discover, and attackers are more brazen than ever. Getting network operations and information security teams together in the same room for the first time will be a critical step for organizations that want to build a continuous information security improvement culture capable of defending against those threats.

Steve actively works to raise awareness of the technical and business benefits of Riverbed's performance optimization solutions, particularly as they relate to accelerating the enterprise adoption of cloud computing. His specialties include information security, compliance, ...