
This is the time of year when you start seeing lots of predictions about things that will happen next year.  With that in mind, I thought I would predict the predictions I think we’ll see for 2012.

When I get out my crystal ball, I think the others’ predictions will break down something like this:

  • There will be more security breaches.
  • Virtualization and “the cloud” will introduce more risk.
  • Mobile devices will introduce more risk.
  • The threats will be more complex.
  • Spending on security will increase.
  • SIEM will save the day.
  • SIEM will become irrelevant.
  • China and Russia are out to get your data.
  • Insiders are your biggest threat.
  • Hackers are your biggest threat.

You get the idea – lots of fear and a fair number of contradictions.  So what?  What will this change about how you operate and secure your infrastructure?  Read on for what you should do about this, and my prediction for 2012.

When you consider how to react to the threats mentioned in a lot of the predictions, the answer for many of the more effective security organizations is “Not much will change.”  Why?  Because they follow a timeless security strategy that doesn’t rely on “silver bullets,” hope, or luck.  Here is a short list of things the high performers do:

Gain Situational Awareness

This means developing the ability to identify, process, and comprehend the critical elements of information about what is happening to your team and infrastructure with regard to the mission of your business.  In this step:

  • Identify and rank your critical business processes and the assets supporting them according to risk (high, medium, low is probably good enough for most of us)
  • Determine and document what technologies and processes are being used to secure & manage those assets (if you’re overwhelmed with the amount of work this implies, start with High – that’s where the most leverage will be)
  • Look at indicators of potential risk from the past (repeat audit findings, frequent outages, security attacks, etc.)

Reduce and Monitor Privileged Access

This involves making it hard for people to access and make changes to your most precious infrastructure and data.

  • Locate the infrastructure that poses the largest risk to business objectives and understand how it’s controlled – and ensure that access is properly restricted
  • Look for administrators who have high levels of privilege
  • Reduce access (1 is too few, 25 is too many)
    • Why?  Admins increase the likelihood of errors, downtime, security incidents, and fraud because they…
      • Can affect mission critical IT services
      • Can modify logical security settings
      • Can add, remove and modify application functionality
      • Make mistakes, which are the most likely cause of problems
  • Implement preventive controls:
    • Reconcile admins to authorised staff and delete any ghost accounts
    • Ensure a reasonable number of admins
    • Issue and revoke accounts upon hiring, firing, reassignment
  • Implement detective controls:
    • Monitor privileged user account adds, removes and changes
    • Reconcile each user account change to an authorised work order
    • Reconcile each user account to an HR record
    • Implement account re-accreditation procedures
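The detective controls above boil down to three reconciliations: every privileged account maps to an active HR record, every account change maps to an authorized work order, and the admin population stays within a sane range. The script below is an added example (not code from the original post, and not a Tripwire product) showing those checks over constructed sample data; in practice the inputs would be exported from your directory, HR system and ticketing system.

```python
"""Reconcile privileged accounts to HR records and authorized work orders.

Added example, not from the original post. All data is constructed inline
so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AdminAccount:
    username: str
    owner_employee_id: Optional[str]   # None when nobody is recorded as the owner
    group: str


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    status: str                        # "active" or "terminated"
    role: str


@dataclass(frozen=True)
class AccountChange:
    when: date
    action: str                        # "add", "remove" or "modify"
    username: str
    work_order: Optional[str]          # ticket the change was made under, if any


# Constructed sample data: members of the "wheel" admin group on one host
ADMIN_ACCOUNTS = [
    AdminAccount("alice", "E100", "wheel"),
    AdminAccount("bob", "E101", "wheel"),
    AdminAccount("carol", "E102", "wheel"),
    AdminAccount("svc-backup", None, "wheel"),   # ghost: no owner recorded
    AdminAccount("dave", "E103", "wheel"),       # owner has been terminated
]

HR_RECORDS = {
    "E100": HrRecord("E100", "Alice", "active", "sysadmin"),
    "E101": HrRecord("E101", "Bob", "active", "sysadmin"),
    "E102": HrRecord("E102", "Carol", "active", "dba"),
    "E103": HrRecord("E103", "Dave", "terminated", "sysadmin"),
}

# Constructed ticket ids that the change process actually approved
AUTHORIZED_WORK_ORDERS = {"WO-2011-0412", "WO-2011-0417"}

ACCOUNT_CHANGES = [
    AccountChange(date(2011, 12, 1), "add", "carol", "WO-2011-0412"),
    AccountChange(date(2011, 12, 3), "modify", "bob", "WO-2011-0417"),
    AccountChange(date(2011, 12, 5), "add", "svc-backup", None),     # no ticket at all
    AccountChange(date(2011, 12, 6), "modify", "alice", "WO-9999"),  # ticket nobody approved
]


def ghost_accounts(accounts, hr):
    """Privileged accounts that cannot be reconciled to an active HR record."""
    ghosts = []
    for acct in accounts:
        rec = hr.get(acct.owner_employee_id) if acct.owner_employee_id else None
        if rec is None or rec.status != "active":
            ghosts.append(acct.username)
    return ghosts


def unauthorized_changes(changes, work_orders):
    """Account changes with no matching authorized work order."""
    return [c for c in changes if c.work_order not in work_orders]


def admin_count_assessment(accounts, minimum=2, maximum=24):
    """Flag an admin population outside a sane range.

    The thresholds are illustrative assumptions in the spirit of the post's
    "1 is too few, 25 is too many"; pick your own for each system.
    """
    n = len(accounts)
    if n < minimum:
        return "too few"
    if n > maximum:
        return "too many"
    return "ok"


if __name__ == "__main__":
    print("ghost accounts:", ghost_accounts(ADMIN_ACCOUNTS, HR_RECORDS))
    for c in unauthorized_changes(ACCOUNT_CHANGES, AUTHORIZED_WORK_ORDERS):
        print(f"unauthorized {c.action} on {c.username} ({c.when}, ticket={c.work_order})")
    print("admin population:", admin_count_assessment(ADMIN_ACCOUNTS))
```

Run it on each privileged group you care about; an account whose owner left, or a change that cites a ticket nobody approved, should show up on the next run rather than at the next audit.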

Define & Enforce Configuration Standards

The goal is to create known, trusted, stable, secure and risk-reduced configuration states.

  • Leverage external configuration guidance, such as the Center for Internet Security (CIS); the SANS Institute; NIST / DISA guidelines; vendor hardening guidelines – modify them if you like, but you don’t have to reinvent the wheel
  • Harden your environment according to the standards you select – you can use a Security Configuration Management (SCM) product to help you
  • Use an automated solution to continuously assess, record, and validate actual configurations vs. standards

Integrate & Enforce Change Management Processes

  • Why? Information security needs change management to…
    • Gain situational awareness of production changes
    • Influence decisions and outcomes
    • Understand risks vs. requirements
  • Security adds value in the change management process by:
    • Assessing the potential information security and operational impact of changes
    • Improving procedures for change authorization, scheduling, implementation and substantiation
    • Ensuring that change requests comply with information security requirements, corporate policy, and industry standards
  • Security becomes part of the solution by:
    • Implementing preventive controls
      • Get invited to the Change Advisory Board (CAB) meetings
      • Ensure “tone at the top” to create defined consequences for violating the rules (and help define those consequences)
    • Implementing detective controls
      • Build and electrify the fence (i.e. keep people from making uncontrolled changes to production)
      • Substantiate that all changes are authorized
      • Look for red flags and indicators exposed through continuous configuration monitoring

Create a Library of Trusted Builds

The goal is to make it easier to use known, stable and secure builds than it is to use unauthorized, insecure builds.

  • Implement preventive controls, such as:
    • A defined, documented process of how to assemble hardened and stable builds and configurations
    • Work with any existing server and network provisioning teams to add any standard monitoring agents
    • Ensuring that application and service account passwords are changed before deployment
  • Implement detective controls, such as:
    • Monitoring and recording infrastructure state continuously
    • Verifying that deployed infrastructure matches known good states
    • Verifying configurations against internal and external configuration standards
    • Monitoring the approved configuration library and all builds for adds, removes and changes
    • Reconciling all adds, removes and changes to an authorized change order

Virtualization can help in this area if you leverage a definitive VM library containing templates that are already hardened to your standards.  That makes it easier to deploy trusted infrastructure, making it less likely people will roll their own.

Integrate Security Into Release Management Processes

  • Release management and information security both require standardization and documentation:
    • Checklists to make sure you’re consistent and don’t forget anything – use checklists even if you use automation!
    • Detection and reduction of variance is key to reducing your total cost of ownership, increasing your security, and decreasing risk
  • Implement preventive and detective controls, such as:
    • Developing shared templates with release management, QA and project management and integrating security into their checkpoints
    • Integrating automated security testing tools (such as assessing the configuration of systems against your security configuration standards prior to deploying)
    • Comparing preproduction and production images, and reducing any variance
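Two of the checks above are the same mechanism: assessing a system's actual configuration against the standard you selected (the "Define & Enforce Configuration Standards" section) and comparing preproduction and production images to find variance (the last bullet). The script below is an added example, not the post's code and not a Tripwire product, that does both for an sshd_config-style file. The "standard" is a small illustrative set of directives in the spirit of CIS-style SSH guidance, not the benchmark text itself, and both config files are constructed.

```python
"""Assess a configuration against a hardening standard and diff two environments.

Added example, not from the original post. The standard below is an
illustrative excerpt, not a published benchmark; the configs are constructed.
"""
import re

# Constructed hardening standard: directive -> required value (case-insensitive)
STANDARD = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

PROD_SSHD_CONFIG = """\
# constructed sshd_config as found on the production host
Port 22
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""

PREPROD_SSHD_CONFIG = """\
# constructed sshd_config as found on the preproduction host
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""


def parse_config(text):
    """Parse 'Directive value' (or 'Directive=value') lines into a dict.

    Comments and blank lines are skipped. The first occurrence of a directive
    wins, which mirrors how sshd itself applies its configuration.
    """
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        config.setdefault(key, value)
    return config


def assess_against_standard(config, standard):
    """Findings as (directive, required, actual) for every directive that is
    missing or differs from the standard; an empty list means compliant."""
    findings = []
    for key, required in standard.items():
        actual = config.get(key)
        if actual is None or actual.lower() != required.lower():
            findings.append((key, required, actual))
    return findings


def variance(config_a, config_b):
    """{directive: (value_in_a, value_in_b)} for every directive that differs,
    including directives present in only one of the two configs."""
    diffs = {}
    for key in sorted(set(config_a) | set(config_b)):
        a, b = config_a.get(key), config_b.get(key)
        if a != b:
            diffs[key] = (a, b)
    return diffs


if __name__ == "__main__":
    prod = parse_config(PROD_SSHD_CONFIG)
    preprod = parse_config(PREPROD_SSHD_CONFIG)
    for key, required, actual in assess_against_standard(prod, STANDARD):
        print(f"prod: {key} should be {required!r}, found {actual!r}")
    for key, (a, b) in variance(preprod, prod).items():
        print(f"variance: {key} preprod={a!r} prod={b!r}")
```

The standard check tells you whether a host is hardened; the variance check tells you whether what you tested is what you shipped. Both are cheap to run on every deploy, and the second one is the one teams most often skip.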

Ensure All Activities Go Through Change Management

  • Ensure that approval, deployment, and verification processes are known, normalized, and followed consistently
  • Implement controls and processes to detect non-compliant and out-of-process changes
  • Establish defined consequences and “tone at the top”
  • All changes must be authorized
  • Demonstrate that “the only acceptable number of unauthorized changes is zero”
  • Even emergency changes must follow a process (they can have lightweight documentation, but ‘none’ is not acceptable)
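The detective side of "all changes must be authorized" is a reconciliation: every change your monitoring detects in production must map to a change order whose scope and window cover it, and an emergency change is simply one whose ticket is lightweight, not one without a ticket. The script below is an added example (not the post's code, not a Tripwire product) that reconciles constructed change events, standing in for what a file-integrity or configuration monitoring tool would report, against constructed change orders, and applies the "zero unauthorized changes" rule.

```python
"""Reconcile detected production changes to authorized change orders.

Added example, not from the original post. Events and change orders are
constructed; hashes are placeholder strings, not real digests.
"""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch


@dataclass(frozen=True)
class ChangeEvent:
    when: datetime
    host: str
    path: str
    old_hash: str
    new_hash: str


@dataclass(frozen=True)
class ChangeOrder:
    ticket: str
    kind: str                  # "standard" or "emergency"; both still need a ticket
    hosts: tuple
    paths: tuple               # glob patterns the ticket covers
    window_start: datetime
    window_end: datetime


CHANGE_ORDERS = [
    ChangeOrder("CHG-1001", "standard", ("web01", "web02"), ("/etc/httpd/conf/*",),
                datetime(2011, 12, 10, 22, 0), datetime(2011, 12, 10, 23, 59)),
    # Emergency change: minimal documentation, but a ticket, scope and window exist
    ChangeOrder("CHG-1002", "emergency", ("db01",), ("/etc/my.cnf",),
                datetime(2011, 12, 11, 2, 0), datetime(2011, 12, 11, 3, 0)),
]

EVENTS = [
    ChangeEvent(datetime(2011, 12, 10, 22, 15), "web01",
                "/etc/httpd/conf/httpd.conf", "aa11", "bb22"),       # covered by CHG-1001
    ChangeEvent(datetime(2011, 12, 11, 2, 20), "db01",
                "/etc/my.cnf", "cc33", "dd44"),                       # covered by CHG-1002
    ChangeEvent(datetime(2011, 12, 10, 22, 30), "web01",
                "/etc/sudoers", "ee55", "ff66"),                      # in window, outside scope
    ChangeEvent(datetime(2011, 12, 12, 9, 0), "web02",
                "/etc/httpd/conf/httpd.conf", "bb22", "9999"),       # in scope, outside window
]


def matching_order(event, orders):
    """First change order whose hosts, paths and window all cover the event."""
    for order in orders:
        if event.host not in order.hosts:
            continue
        if not (order.window_start <= event.when <= order.window_end):
            continue
        if any(fnmatch(event.path, pattern) for pattern in order.paths):
            return order
    return None


def reconcile(events, orders):
    """Split events into (authorized, unauthorized).

    Authorized entries are (event, ticket) pairs so each change can be
    substantiated; unauthorized entries are the events to investigate.
    """
    authorized, unauthorized = [], []
    for event in events:
        order = matching_order(event, orders)
        if order is None:
            unauthorized.append(event)
        else:
            authorized.append((event, order.ticket))
    return authorized, unauthorized


def is_compliant(events, orders):
    """'The only acceptable number of unauthorized changes is zero.'"""
    return len(reconcile(events, orders)[1]) == 0


if __name__ == "__main__":
    authorized, unauthorized = reconcile(EVENTS, CHANGE_ORDERS)
    for event, ticket in authorized:
        print(f"OK   {event.host}:{event.path} -> {ticket}")
    for event in unauthorized:
        print(f"FLAG {event.host}:{event.path} at {event.when} has no change order")
    print("compliant:", is_compliant(EVENTS, CHANGE_ORDERS))
```

The two flagged events illustrate the usual failure modes: a change made during an approved window but to something the ticket never covered, and a change to an approved target made outside the window. Both are "out-of-process" under the bullets above even though each has a plausible story, and both should go back through change management rather than being waved through after the fact.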

Want more info on this topic?

OK, so those don’t sound all that sexy, right?  I know – but these things work – and there is data to back that up.  If you want more detail on these things, check out “Visible Ops Security,” from the IT Process Institute and get more information on the studies behind this at the ITPI web site.

By the way, if you’re looking for products to help you with Security Configuration Management (SCM), system hardening, continuous monitoring of system state, change management process enforcement, and things like that, I encourage you to check out what my company Tripwire has to offer – we are leaders in that sort of thing.

So… here’s my prediction:

I predict the organizations who do the things in the list above will be better off in 2012, no matter what threats emerge.

And those organizations who don’t do these things will help drive the predictions for 2013, which will look an awful lot like my list at the beginning of this post.