We have seen great strides in improving security tooling and processes over the past ten years. As security models have matured, security teams have become increasingly dependent upon an ever more complex toolchain of products and services.
But what happens when these systems fail? How much effort are we putting into planning and maintaining our security solutions to ensure they’re available when issues occur?
The First Step? Knowing What’s on Your Network
One of the first steps to improving security availability is identifying the key tools and processes you depend upon, both as the team’s “daily drivers” during normal operations and during specific scenarios relating to security incidents. It’s easy to see how your infrastructure’s perimeter firewall plays a key role in controlling access in and out of your network, and thus how its downtime impacts normal operations. But does an outage of your file integrity monitoring solution have a similar impact if it allows a suspicious file or setting change to propagate across your network unnoticed?
I’d suggest creating a tiered system for your security products to identify your availability needs, factoring in considerations such as whether the service must keep operating during an organization-wide failover, how important “fresh” data is to it, and the level of effort required to fail over and fail back.
But What’s "Security Availability," Anyway?
The next item I’d suggest is determining what availability should look like for a given application or appliance. Backup and High Availability (HA) are widely understood in the world of IT, but applying a generic “one size fits all” approach to backups and HA can result in a burdensome design that increases the maintenance overhead. Instead, the most successful firms I’ve seen use a strategy of “availability classifications,” which set the recovery time objective for a given application based on the impact of that service being unavailable.
When we talk about availability, many organizations talk in terms of “nines.” For example, “five nines” represents 99.999% availability, which allows less than 5.26 minutes of downtime per year. This is a lofty goal without full automation of your security tools’ failover, and it’s probably not appropriate in all scenarios. Defining a goal for security availability does, however, provide a solid measurement against which success can be evaluated, thereby driving good practices. (No one wants bad change control to be responsible for downtime when it’s being tracked 24/7!)
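As an added illustration (this is not code from the original article; the tiers, targets, tool names and outage records are constructed for the example), the following Python turns a tiered classification into something measurable: each tier carries an availability target and a recovery time objective (RTO), the target is converted into a yearly downtime budget, and recorded outages are checked against both the budget and the RTO.

```python
"""Tiered availability classification for security tooling (added example).

Constructed data: the tool inventory, tier targets and outage records below are
made up for illustration; they are not from the original article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MINUTES_PER_YEAR = 365.25 * 24 * 60

# Hypothetical tiers: availability target and recovery time objective (RTO).
TIERS = {
    "tier0": {"availability": 0.99999, "rto": timedelta(minutes=5)},  # must run during org-wide failover
    "tier1": {"availability": 0.999, "rto": timedelta(hours=1)},
    "tier2": {"availability": 0.99, "rto": timedelta(hours=8)},
}


def allowed_downtime_minutes(availability: float) -> float:
    """Downtime budget per year implied by an availability fraction (0.99999 -> ~5.26)."""
    return (1.0 - availability) * MINUTES_PER_YEAR


@dataclass
class Outage:
    tool: str
    start: datetime
    end: datetime

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def evaluate(inventory: dict, outages: list, window_days: float = 365.25) -> dict:
    """Measure each tool's achieved availability over the window and compare with its tier.

    Returns tool -> {tier, downtime_minutes, budget_minutes, achieved_availability,
    rto_breaches, meets_target}. A tool misses its target if total downtime exceeds
    the tier's budget or any single outage ran longer than the tier's RTO.
    """
    results = {}
    window_minutes = window_days * 24 * 60
    for tool, tier_name in inventory.items():
        tier = TIERS[tier_name]
        tool_outages = [o for o in outages if o.tool == tool]
        downtime = sum((o.duration for o in tool_outages), timedelta())
        downtime_min = downtime.total_seconds() / 60
        budget_min = allowed_downtime_minutes(tier["availability"]) * (window_days / 365.25)
        achieved = 1.0 - downtime_min / window_minutes
        rto_breaches = [o for o in tool_outages if o.duration > tier["rto"]]
        results[tool] = {
            "tier": tier_name,
            "downtime_minutes": round(downtime_min, 2),
            "budget_minutes": round(budget_min, 2),
            "achieved_availability": round(achieved, 6),
            "rto_breaches": len(rto_breaches),
            "meets_target": downtime_min <= budget_min and not rto_breaches,
        }
    return results


# Constructed sample inventory and outage records (hypothetical).
INVENTORY = {
    "perimeter-firewall": "tier0",
    "siem": "tier1",
    "file-integrity-monitor": "tier2",
}

OUTAGES = [
    Outage("perimeter-firewall", datetime(2023, 3, 1, 2, 0), datetime(2023, 3, 1, 2, 12)),  # 12 min
    Outage("siem", datetime(2023, 6, 10, 9, 0), datetime(2023, 6, 10, 9, 40)),  # 40 min
    Outage("siem", datetime(2023, 9, 2, 22, 0), datetime(2023, 9, 3, 2, 0)),  # 4 h, breaches 1 h RTO
    Outage("file-integrity-monitor", datetime(2023, 11, 5, 8, 0), datetime(2023, 11, 5, 14, 0)),  # 6 h
]

if __name__ == "__main__":
    for tool, r in evaluate(INVENTORY, OUTAGES).items():
        status = "OK  " if r["meets_target"] else "MISS"
        print(f"{status} {tool:24} {r['tier']}  downtime={r['downtime_minutes']}min "
              f"budget={r['budget_minutes']}min rto_breaches={r['rto_breaches']}")
```

Note that the SIEM stays well inside its yearly downtime budget yet still misses its target, because one outage outlasted the tier’s RTO; tracking only the aggregate percentage would hide that.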
Don’t Forget about Backups and Testing!
I’d also make sure that backups are part of your security planning. Outages are an obvious weakness, but the loss of critical forensic data is potentially even more damaging when you consider how valuable your security data is to your organization. As with the design of your availability plan, your backup design should use frequencies that reflect your tolerance for data loss in the event of a restore. Retaining historical data may also be part of your compliance requirements, as evidence for auditing.
A further key aspect is the maintenance and testing of whatever security availability method you’ve adopted. All too often, I’ve seen firms fail to run through test scenarios to verify that backed-up data or high availability services work as expected. An untested HA pair or backup doesn’t raise as many alarm bells as a production system, but when you fail over or revert to a backup in a disaster, you need full confidence, not just in the process but in the state of the service.
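The two points above, a backup frequency that matches your tolerance for data loss and a backup that is actually tested, can be checked with a small script. The following Python is an added example, not from the original article; the manifest format, directory layout, sample “forensic” files and 24-hour recovery point objective (RPO) are all assumptions made for the illustration. It writes a backup with a SHA-256 manifest, verifies that every file is present and intact, and flags a backup that is older than the RPO.

```python
"""Backup integrity and freshness check for security data (added example).

The manifest format, directory layout and RPO value are assumptions for this
illustration, not something the article specifies. Sample files are constructed
in a temporary directory so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(src_dir: str, backup_dir: str, taken_at: datetime) -> str:
    """Copy files and record their SHA-256 digests in a manifest (assumed format)."""
    os.makedirs(backup_dir, exist_ok=True)
    entries = {}
    for name in sorted(os.listdir(src_dir)):
        src, dst = os.path.join(src_dir, name), os.path.join(backup_dir, name)
        with open(src, "rb") as fi, open(dst, "wb") as fo:
            fo.write(fi.read())
        entries[name] = sha256_file(dst)
    manifest_path = os.path.join(backup_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump({"taken_at": taken_at.isoformat(), "files": entries}, f)
    return manifest_path


def verify_backup(manifest_path: str, rpo: timedelta, now: datetime) -> list:
    """Return a list of findings; an empty list means the backup passed.

    Checks that every file in the manifest exists and matches its digest
    (restorable) and that the backup is no older than the RPO (fresh enough).
    """
    findings = []
    with open(manifest_path) as f:
        manifest = json.load(f)
    backup_dir = os.path.dirname(manifest_path)
    for name, expected in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            findings.append(f"missing: {name}")
        elif sha256_file(path) != expected:
            findings.append(f"corrupt: {name}")
    age = now - datetime.fromisoformat(manifest["taken_at"])
    if age > rpo:
        findings.append(f"stale: backup is {age} old, RPO is {rpo}")
    return findings


def demo() -> tuple:
    """Build a sample backup, verify it clean, then damage it and verify again."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "evidence")
        os.makedirs(src)
        # Constructed sample forensic data (not real logs).
        with open(os.path.join(src, "auth.log"), "w") as f:
            f.write("Jan 1 00:00:01 host sshd[1]: Accepted publickey for analyst\n")
        with open(os.path.join(src, "fim.json"), "w") as f:
            f.write('{"path": "/etc/passwd", "event": "modified"}\n')

        taken = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
        manifest = write_backup(src, os.path.join(root, "backup"), taken)
        rpo = timedelta(hours=24)  # assumed tolerance for data loss

        clean = verify_backup(manifest, rpo, taken + timedelta(hours=6))

        # Simulate silent corruption of one file, loss of another, and a missed window.
        with open(os.path.join(root, "backup", "auth.log"), "a") as f:
            f.write("tampered\n")
        os.remove(os.path.join(root, "backup", "fim.json"))
        broken = verify_backup(manifest, rpo, taken + timedelta(hours=30))
        return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean run:", clean or "no findings")
    print("after tampering:", broken)
```

Running the check on a schedule, rather than only when a restore is needed, is what turns the backup from an untested assumption into something you can rely on in a disaster.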
Where the Cloud Comes In
A final consideration is cloud services, where you may have less direct control over availability because it is managed by a third party. In scenarios where you leverage a cloud service, it’s therefore important to understand your service provider’s goals for availability and data recovery and ensure they align with your business’s goals. Most vendors are willing to share availability data, so make sure you’ve reviewed it when weighing an on-premises tool against a hosted solution.
An Important Element of Your Organization’s Security Posture
Security teams have long understood that gaps harbor some of the largest risks. Exploring your business’s security availability is an important step to plugging a key one. Being prepared not just for the security breach scenario but for the breach that occurs during a moment of extreme vulnerability, such as a failover or disaster recovery, is therefore all the more important and worthy of consideration in your overall security plan.