Silicon Shecky

Infosec Practitioner


Are you sure it is the execs?

May 11, 2021 By Michael Kavka Leave a Comment

Security is all the rage today. Supply chain attacks, ransomware, data exfiltration: it is all in the news pretty consistently. We as security practitioners have a tough job. We know there is no such thing as being 100% secure, so we make our best effort at securing and detecting. We also realize that detection and reducing dwell time are huge, so we ask for more people, more tools, more money, and it seems that execs are listening. Reports show that security is high on execs’ minds. So if you are a small to medium business, why can’t you detect better? We all know that there is a bottleneck somewhere, and I am becoming more and more convinced it is not at the higher levels. It is more a division of duties and departmental struggle.

If your company is designed well from a security and IT perspective, accounts have only as much privilege as they need. A person in security, for example, should not have Domain Admin rights. A person in the security department also should not be in charge of configuring endpoints, but should be working with the other IT departments to deploy such technology. So if you want to configure and deploy, say, Sysmon, the security people should get everything set for deployment and then pass it to the proper department to deploy. Here is where a bottleneck can come in that we do not think of initially.

Take Sysmon and the collection of its data as an example, since Sysmon is a quality, free and popular product. How could other IT departments possibly be the bottleneck in deployment? We, as security engineers, should be able to hand a set of install packages and configurations to the IT team for them to deploy. They just need to deploy it, but wait. How swamped and understaffed is that IT department? Have they bought into the need to deploy this? Do they have time to test it on their standard configurations? Then you need to think about which SIEM the data is going into. Who owns that product? Does it actually fall under Security’s budget, or under IT’s, and where under IT’s? Is there going to be an increase in cost because of more data coming through (the pricing of ingestion is one spot where SIEMs fail us)? Will this kill their budget? Is there going to be a fight over this that will leave IT less likely to work with us in the future? Who is going to support this new addition to the systems? Do they need training? What is the cost of training and how long will that take? Will it cut into time for their day-to-day job requirements? Is there a different, more business-critical project going on that will cause this to be put on the back burner?

It is easy to point fingers and lay blame, but are security departments doing their due diligence on the whole situation, or are we creating yet another problem? Yes, it gets frustrating for us when we know something we see as a simple, no-brainer can’t be implemented. Yes, it does blind us when the tools that we got buy-in from the execs on are stuck in limbo and not as effective as they could be. Are we, though, bringing the other teams to the table, just like we want to be brought to the table when they are bringing in, developing, or deploying new technology, or is it do as I say, not as I do?

Security is something we need buy-in for from all parts of our organizations, not just the executives. Are we sure that the bottleneck is not IT, or even us and how we treat others?

Filed Under: Ramblings, Security Tagged With: Cybersecurity, InfoSec, ramblings
