
Has Security Ops Outlived Its Purpose?
User Rank: Strategist
3/16/2015 | 4:50:58 AM
General security auditors and penetration testers are needed for proactive security tasks
It's hard to make a judgment based on just the two attacks, against Target and Sony. I did not find sufficient information about those attacks to make a comment about them. I reviewed common causes for large swathes of attacks, and what specialists could have prevented those attacks. Those attacks could have been prevented long before the log watching stage.

Reading news articles about huge data breaches in the past few years, it is easy to panic and wonder what can be done, if anything.   Now that we security professionals have your (the executive board) attention, we repeat what we have been saying.  There is a clear path to much greater security.  That path includes hiring specialists who follow well-defined and highly effective security methodologies, ones developed by organizations such as Open Web Application Security Project (OWASP) and SANS security training and research.

The pattern of failures is also clear:  there have been basic problems, easily detected by professionals with the right skill sets.  They need to be utilized to periodically check and remediate simple issues, ones which could lead to great financial loss.

Information security auditors, penetration testers, web application security specialists are needed.

They are needed in the right place, in more proactive positions.  They will audit the systems to find the many basic flaws determined as a cause of these data breaches.  Applications developed need strong initial and ongoing security auditing and penetration testing.  Another common theme I see from security professional comments relating to the data leaks specifically is that more data needs to be encrypted.  This requires auditing of all systems to look for unencrypted data, and provide encryption tools and education to users on how to take advantage of it.

The following describes three areas found to be causing most of the problems, and the security specializations required to detect and manage remediation.

1. Security Misconfigurations

Of the attacks of which we know crucial details based on media reports, one example is the large number of recent bank attacks. The attackers knew the target systems did not have Microsoft Office properly patched. This was one glaring misconfiguration with a relatively simple resolution to prevent occurrence.

Security misconfigurations are listed by the Open Web Application Security Project (OWASP) as #5 in the top 10 security concerns in their most recent report (2013).

This prevention requires a security auditor / penetration tester to detect it, and an effective means to mandate proper configuration procedures be set up such as automatic updates on all relevant systems.

2. Injections
A second example is the large group of successful attacks against retailers. SecurityWeek/Eduard Kovacs states in an article called '61 Million Retail Records Lost in 2014: IBM', that IBM reported "...most of the retail attacks observed by IBM in 2014 leveraged command or SQL injections."

Injections are listed by the Open Web Application Security Project (OWASP) as #1 in the top 10 security concerns in their most recent report (2013).

Accepted countermeasures for command/SQL injection, according to the Open Web Application Security Project (OWASP), include security application during the design phase (optimally). Coding with security in mind in certain functions (data input screens) is necessary. A web application security professional needs to provide support, guidance and verification using different methods, including source code review (optimally) and penetration testing. Ongoing security audits are necessary, done by web application security auditors and penetration testers, to prevent this type of error, because applications are changing all the time, even if just a little. See the "Injection Prevention Cheat Sheet - OWASP" for details.

3. Sensitive data exposure
Sensitive data exposure is listed by the Open Web Application Security Project (OWASP) as #6 in the top 10 security concerns in their most recent report (2013).

"Uber sued over driver data breach, adding to legal woes", NY Daily News: REUTERS Sunday, March 15, 2015, 11:03 AM; information on root cause is scant but it is said there was an unpatched vulnerability plus this one relates to compromise of an encryption key, so it also falls under Security Misconfiguration.   Application coding of password handling and storage should be reviewed by the web application security professional and security auditor. Cryptography and transport layer security should be reviewed.   Penetration testers should be used to try to find vulnerable data and exfiltrate it.  Google "Top 10 2013-A6-Sensitive Data Exposure" for details.

We need strong, periodic auditing and testing of security configurations, web applications, and all systems for vulnerable, valuable data.  These require the following:

Security auditors
Penetration testers
Web application security professionals

Detecting misconfigurations and sensitive data exposure may not require specialization.  Secure source code review may require some specialization.  However, penetration testers can look for injection vulnerabilities using special tools.  They don't need special knowledge of the underlying technology.
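The injection flaw this comment describes, beside the parameterized-query fix OWASP recommends and the kind of differential probe an injection scanner uses to find it. This is an added example for the thread, not code from the commenter or from any of the breached organizations; the schema, the sample users and the attacker payload are constructed for illustration.

```python
"""Added example (not from the comment above): string-built SQL beside its
parameterized fix, plus a scanner-style probe that tells the two apart.

Constructed for illustration: the 'users' table, its rows and the payload are
assumptions, not data from any real breach.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: an in-memory SQLite 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "clerk"), ("carol", "clerk")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the untrusted value is concatenated into the SQL text, so a
    quote in the input changes the structure of the statement (OWASP 2013 A1)."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """FIXED: parameterized query. The driver binds the value as data, so it can
    never be parsed as SQL whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def looks_injectable(conn: sqlite3.Connection, lookup) -> bool:
    """Differential probe in the style of an automated injection scanner: a made-up
    username should match nothing, and the same username with a tautology appended
    should also match nothing unless the input is being interpreted as SQL."""
    baseline = lookup(conn, "no_such_user_9f3a")
    probed = lookup(conn, "no_such_user_9f3a' OR '1'='1")
    return len(baseline) == 0 and len(probed) > 0


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row leaks
    print("safe:", lookup_safe(db, payload))              # no such username -> []
    print("scanner flags vulnerable:", looks_injectable(db, lookup_vulnerable))
    print("scanner flags safe:", looks_injectable(db, lookup_safe))
```

The probe is the same idea the comment makes about penetration testers not needing to know the underlying technology: it only compares how many rows come back for two inputs, so it works against any lookup function regardless of database or language behind it.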
User Rank: Apprentice
3/15/2015 | 12:12:43 AM
Not even fully deployed with most organizations
Reading through the article I am not sure if the article and the heading are completely aligned. The heading had me a little surprised, getting rid of Security Ops. There are many organizations that have not even rolled out a full blown Security Ops/SOC solution. Would someone recommend getting rid of the NOC and the IT Operations team? The reality is that there are many aspects to security and the operational aspect is one of them. Just because everyone has a responsibility around security does not make Security Ops obsolete. Is the next thing that every architect will need to be a security architect? The reality is that technology and security problems are becoming more and more complex. A new specialization is usually the result of such developments. To expect that such specialists are also security specialists is simply unrealistic - yes, they should be trained in security, specific to their job and in general. However, that does not qualify them to replace Security Ops. Security will need to be driven from the top down into the organization. Some parts will have security personnel embedded in a team, business unit, etc. but not all. However this will not replace a centralized security organization that provides core security services e.g. SOC, Vulnerability Scanning, etc.
User Rank: Author
3/13/2015 | 5:51:40 PM
Re: The model will need to become distributed
First of all, thank you for the well thought out response. My friend Chris Hoff and I have long debated what the "right thing" is to do to "save security" and the idea of this opinion piece was to catalyze just these sorts of additional perspectives. I think your proposal makes sense for large, well funded organizations for whom security is a core business pillar. However, what's needed is something that solves for the "big problem." The reason I propose to do away with the notion of the SOC is because we need a forcing function to try something new; whether it's distributed security or otherwise matters less to me than the acceptance of the fact that the status quo isn't working and we should repurpose our valuable security resources towards new ideas.
User Rank: Ninja
3/13/2015 | 2:21:41 PM
The model will need to become distributed
In most organizations, there is usually a team of people dedicated to the security operations functions.  It is my opinion this model still needs to exist to provide a foundational framework of knowledge and decision making for the overall organization.

What will need to change is the security training and knowledge in the "field". Each department/division/project/office/function will need security professionals that are embedded with the people doing the work: people who can be cognizant of the business operations needs of the area they are responsible for while in tune with security policies/requirements and security trends and best practices.

This is especially true of larger organizations that may have many different sub-components or facilities. Each area of operations needs to have that separate set of eyes to help the operations managers maintain security standards and assist in oversight of operations with a security focus. The people that function in this role would also have an understanding of what is important for that business operation to function effectively. In turn, that would make them capable of being representatives for the area they are responsible for when negotiating and communicating with upper level security management. Along with this, it will likely be necessary to have a larger workforce to help implement the robust least privilege and separation of duties controls necessary for a mature security program.

The model I describe is similar to the DODI 8570 model where every technician is expected to be a certified security professional.  Moreover, every security officer for an operational function also needs to have some kind of a security certification.

In the end, the best people to help the organization security managers implement a mature, defense in depth security program are those people who are closest to where the business activity takes place.  It will be necessary in the future for private entities to consider adopting security certification standards across a broad spectrum of their workforce.

Not going to lie...  this model is going to be challenging to develop for any organization.  The DoD struggles with this and they have been working on this problem for many years.
User Rank: Ninja
3/13/2015 | 2:14:13 PM
Sony behind the 8-ball
One would think the massive exfiltration of credit card information from the PSN would have pushed Sony to start having a robust security program but better late than never I suppose.