Looking for peace of mind?

As a risk manager, one of your main aims is to achieve maximum security coverage over your company’s assets. These could be critical, highly available, or legacy assets. With legacy assets connected to your network, that goal is difficult to achieve. In an effort to secure these assets, you either do basic, manual security checks or just forget about them. Either approach is expensive in the long run. To solve this, let’s look at a best-fit solution for reaching minimum security standards as defined by local and international, as well as organizational, standards.

First, you may need to perform a passive check to avoid any potential impact on the legacy systems. Second, you need to define those standards as security best practices that are to be implemented going forward. Third, you need to prioritize each security violation and group the violations by severity. Fourth, document the mitigation plan, considering out-of-the-box mitigation. Finally, proceed with implementation, with a backup or rollback plan in place.

The above steps may not apply in some circumstances but they do in most cases.

Let’s expand on the first and second steps. Passive check: this approach is intended to check the system’s security settings without any impact on production. It is undertaken by security analysts, either in-house or outsourced, who manually navigate those settings and audit the related configuration. The main drawback is that you are relying on a human resource with an in-built margin of error, so there is a high possibility of particular settings being neglected. As a result, you’re highly dependent on the analyst’s level of expertise.

The next step is to define security best practices at their minimum. While most organizations rely on vendor or supplier documents, in most cases these do not apply fully, as they do not cover local authorities’ guidelines and organizational security standards, both of which would be more restrictive. Plus, when you factor in hybrid environments with different vendors, it may be difficult to cover them all. As a result, companies try to establish a knowledge base of documents that address these issues, but it’s difficult and time-consuming to update them all.

For the above challenges, automation and orchestration could be a valuable option. Questions raised here include: Will it be simple to use? Would it cover all the network equipment? What about legacy systems? Will it be reliable and accurate? How about false positives?

Stay tuned to discover the answers to these questions and more.