Wednesday, January 13, 2016

Is this really such a surprise

A friend of mine wrote this article:

The User's Point of View

And I just fail to see why this is new or noteworthy.

Some things need to be noted first.

Mr. Goldfarb is an incredibly intelligent person.  He is also an accomplished and experienced security professional.  He has years of Security Operations experience, experience I do not have.  His job is very much one in which he spends his time evangelizing FireEye products and information security in general.

I think that some of my reaction comes from my background, and that might very well cover his viewpoint as well.

Mr. Goldfarb was never in IT Operations.  Rather, he has spent his career almost exclusively in Security Operations.  This is not a bad thing, and he will tell you at length why the two must be separate entities and why having a Sec. Ops. background is important for a CIO/CSO to function properly.

I disagree.

I came up through the IT world, so of course I have an IT Ops centric view of things.  At one job the Sec. Ops. team was built from the IT and Network group.  It gave Sec. Ops. an insight not only into how our network functioned, but into the human side of things as well: an understanding of who traveled where, which employees were killing the system updates because they worked late, and when to expect total security failure due to specific employee activity.

Admittedly this was not at a HUGE company, we had ~200 total employees, 10% of which were in some way directly working with, for or in IT.  We did however have about 70% of the company traveling internationally at least once a month, with 5 offices on 3 continents.  This was a small but by no means simple environment.  The extra insight allowed the Sec. Ops. team to head off major issues, prep for "walking disasters" and ignore normal activity coming from what might seem unusual locations.

I also worked for a contractor that provided the IT Ops, but not the Sec. Ops., for a government organization.  The organization had several thousand employees, around 1% were involved in IT, and around the same percentage traveled regularly.  The contractor that provided Sec. Ops. had no clue what was going on at the human level, and there was constant work interruption because of misinterpreted activity: either malicious activity was allowed to continue unabated, or legitimate activity was stopped because it tripped some pre-built signature.  The employees and IT Support staff hated working with the Sec. Ops. group because they never seemed to know what was going on, despite being well staffed and very bright.

What I am saying is that employee-aware correlation of events is nothing new, and no great surprise for anyone who has ever worked on or with a helpdesk.  I have endless stories across multiple employers about strange event X that happened every single time a particular employee used a computer.  It was always traceable to something they were doing, and occasionally caused widespread issues.  Ignoring those connections has never been a workable plan.

If the security world at large has become so disconnected from those who use the infrastructure it is securing that Mr. Goldfarb's article is news, then I think it's time to look again at the inclusion or exclusion of IT in the current Sec. Ops. mix.

Phishing, spear phishing, user targeting, etc.  The list of attack techniques that focus on the employee rather than the technology is extensive, and the attacks are ubiquitous.  Why is it a surprise that Sec. Ops. needs to know what the people who use the technology do in order to keep them and the work environment safe?  We are supposed to be ensuring the safety of the business so that the people who work there can do business, whatever that business is.  Does ignoring their business activities make sense?  Is this idea something that CIOs and CSOs are unaware of?

On the other hand, it's always possible that Mr. Goldfarb happened to be thinking about this, that it was no great surprise or unusual insight, and he just needed a topic for a post.

In either case, I thank him for giving me a reason to write another post of my own.

On a related note (having to do with correlating your log events) -- 

Lately I have been spending a lot of time working with an ELK stack.
(If you don't know what it is, it's a fantastic tool for correlating log events across servers, services and environments.  It's just not always the easiest thing to get running smoothly.  You can find more on it here: https://www.elastic.co/ and if you're either outsourcing your log collection or don't have any, it's a great thing to invest some time into.  It now goes into my list of things any IT department should have.)

I am not yet fluent in its use, however it strikes me as trivial to use it in a manner that will correlate user login events with activities that raise eyebrows, or even just with their timing.  This might be the first step toward seeing who is doing what, when, and possibly even where in an SMB environment.
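To make that idea concrete, here is an added illustration (not code from this post, from ELK, or from Mr. Goldfarb's article) of the employee-aware correlation described above: login events are judged against what IT Ops already knows about each person (home office, travel list, late-working habits) instead of against a one-size-fits-all signature.  The employee names, context and login events are constructed sample data; a real deployment would feed the same logic with events queried out of Elasticsearch.

```python
from datetime import datetime

# Constructed sample login events (not real data); timestamps are UTC, country is a 2-letter code.
LOGIN_EVENTS = [
    {"user": "alice", "ts": "2016-01-12T09:05:00", "country": "DE"},
    {"user": "alice", "ts": "2016-01-12T23:40:00", "country": "DE"},
    {"user": "bob",   "ts": "2016-01-12T10:10:00", "country": "SG"},
    {"user": "bob",   "ts": "2016-01-12T10:30:00", "country": "US"},
    {"user": "carol", "ts": "2016-01-12T03:00:00", "country": "BR"},
]

# Constructed "human side" context that the IT Ops side knows (hypothetical employees).
EMPLOYEE_CONTEXT = {
    "alice": {"home": "US", "travel": {"DE"}, "works_late": True},
    "bob":   {"home": "US", "travel": {"SG"}, "works_late": False},
    "carol": {"home": "US", "travel": set(), "works_late": False},
}


def correlate(events, context, business_hours=(7, 20), min_travel_hours=6.0):
    """Flag logins that are unusual *for that employee*, not unusual in general.

    Returns a list of (user, timestamp, reason) tuples, in time order.
    """
    flags = []
    last_seen = {}  # user -> (datetime, country) of that user's previous login
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, country = ev["user"], ev["country"]
        when = datetime.fromisoformat(ev["ts"])
        ctx = context.get(user, {"home": None, "travel": set(), "works_late": False})
        # 1. Location: the home office and known travel destinations are normal for this person.
        if country not in ({ctx["home"]} | set(ctx["travel"])):
            flags.append((user, ev["ts"], f"login from {country}, not home or on travel list"))
        # 2. Timing: off-hours logins are only odd for people who do not habitually work late.
        start, end = business_hours
        if not (start <= when.hour < end) and not ctx["works_late"]:
            flags.append((user, ev["ts"], f"off-hours login at {when.hour:02d}:00 UTC"))
        # 3. Movement: two countries closer together than any plausible flight.
        if user in last_seen:
            prev_when, prev_country = last_seen[user]
            gap_h = (when - prev_when).total_seconds() / 3600
            if prev_country != country and gap_h < min_travel_hours:
                flags.append((user, ev["ts"], f"{prev_country}->{country} within {gap_h:.1f}h"))
        last_seen[user] = (when, country)
    return flags


if __name__ == "__main__":
    for user, ts, reason in correlate(LOGIN_EVENTS, EMPLOYEE_CONTEXT):
        print(f"{ts} {user}: {reason}")
```

With the sample data, alice's late-night German login is left alone because both facts are known about her, while bob's Singapore-then-US pair twenty minutes apart and carol's 03:00 login from a country nobody expected are the only events raised.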
