The new year is on the here and you're putting together the goals and objectives for your network security team. The number of data breaches during the past year have finally caught the attention of your company's board of directors and executive decision makers. Resources have always been tight, but this year there is an allocation to secure the company's networks. It would appear that the years of cajoling and pleading for resources finally have an ear. Now what?
Identify the Low-Hanging Fruit
The desired outcome is to have a 100-percent secure and 100-percent available network. Resources will be limited, so knocking out these quick wins that provide immediate return on investment will help security management ensure resources will continue to be available for security-specific tasks.
What points should the network security team emphasize? If you are starting from zero knowledge, a good first step is to determine who and what is connecting to your network.
A review of the current network logs and company logistics records will give you an idea of the number of items connected to your network. These may include company-purchased mobile devices (tablets, smartphones, and items with IP addresses), and those items found in the data center. If you have a BYOD integration process, then you will also find the devices that employees are attaching to your network.
Once you've completed your nose count, you can determine if the devices, including those in the BYOD category, are in compliance with both the company information security policies and government regulations. In the process, you may discover that you have devices connected to your network that don't belong.
Vendor Management and Third-Party Access?
For those businesses that have vendor and/or third-party entities reaching their network with staff-like access, it is prudent to verify that security protocols and processes required of staff are also required of the third party. Items to check for include the infamous sneaker-net, where one login is used and information is then downloaded and walked across the "air gap" from your company network to the third-party entity's network. You need only look to the third-party POS breaches at Target and Home Depot to see the extent to which data was compromised. Assuming the attestations of well-intentioned implementations, without verification, may garner you a ticket to the data breach party. If formal audit and compliance (to the contractual obligations) inspections are not a part of the contract language, it may behoove you to have your contracting and legal team review to affect an adjustment.
If you leave these three areas unattended—identifying the low-hanging fruit, understanding your endpoints and the constituency that compromises your endpoints, and ensuring those third parties and vendors accessing your systems are held to the same security standards—and your network will resemble the proverbial sieve. But if you take the time and energy to lock them down, then you will have completed the first steps toward securing your networks.
Food for Thought
For additional food for thought on network security, let's go back to the 2014 RSA Conference. Jon Oltsik (principal analyst, Enterprise Strategy Group) moderated "Network Security Smackdown: Which Technologies Will Survive," a panel discussion which included Christofer Hoff (Juniper), Martin Brown (BT), and Bret Hartman (Cisco). The panel discussion traversed a number of network security areas of interest, including knowing what is what within your own network. The presentation is available for viewing via the RSA Conference video channel.
Key takeaways from this panel include: That technologies may evolve, advance, and be rendered obsolete, but the issues involved in securing one's network remain constant; and network intelligence is voluminous and drives the use of automated decision making. That said, it's possible that the amount of data available can overwhelm automated decision making (e.g. too many false positives). Who would wish to have a "kill session" command issued during a critical process due to a false positive? The human element remains a key (and critical) component in the network security continuum.