This IT Defense commentary by Matt Mosher, a senior vice president at PatchLink Corp., advocates a new approach to security. Traditionally, he says, there has been a dividing line between IT security and operations. Security forces find problems and "lob them over the fence" to operations, who are charged with solving them.
This doesn't work anymore, he says. The sophistication of crackers, the explosion of vulnerabilities and the requirement that they be mended more quickly than in the past mean that a more cooperative process between security and operations is necessary. The idea is that detection and correction -- remediation, in tech terms -- must be part of the same framework. There no longer can be an "us" and "them." Some issues are best solved by procedures other than patching, such as adjusting policies. Integration of the two sides allows smoother handling of these cases, which may require special attention.
The writer lays out three elements of the process. All levels of the organization, both technical and non-technical, must be involved, a security baseline must be established, and tools and methods enabling the IT group to work together need to be used. The feature provides detail on a variety of issues related to what this new and more comprehensive structure will look like.
There is ample evidence that the threats are growing in number and sophistication. This Wired blog posting focusing on the Chaos Communications Camp earlier this month in Germany provides good examples. The story describes a package called MPack from Rat Systems, which was written by Russian hackers. It includes malware tools that are periodically updated and even guaranteed. These initiatives seem as well executed as those of legitimate software developers. Organizations must understand this sophistication and wring as many inefficiencies as possible out of their internal processes.
In less specific terms than the IT Defense piece, this blog post does a good job of highlighting the need for a comprehensive approach to security. The blogger doesn't advocate any specific changes, but does a good job of suggesting the key questions that an organization should ask itself as it attempts either to improve its current approach or transition to another.
This Baseline Q&A with Motorola CSO Bill Boni makes much the same point as Mosher did, but a bit more subtly: data theft has become "monetized." The challenge in this environment is to find the balance between skimping on needed security and bogging down business processes. The answers are to focus on pivotal data and to include security in the operational functions. This sounds a lot like what Mosher advocates.
Organizations should realize that the security situation is going to get worse before it gets better, particularly if more modern conceptual approaches are not found. This Help Net Security piece outlines some of the security concerns of Web 2.0 within the context of Websense's HoneyJax, a product that mimics user behavior as a way to uncover and address security shortcomings.
While Mosher isn't the first to argue that a more comprehensive and flexible approach to security is a way of combating emerging threats, he makes the case quite well. The bottom line simply is that there are two elements to fighting crackers: tools and procedures. A focus on one to the detriment of the other is a strategic mistake.