Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Has Security Ops Outlived Its Purpose?
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
xmarksthespot
50%
50%
xmarksthespot,
User Rank: Strategist
3/16/2015 | 4:50:58 AM
General security auditors and penetration testers are needed for proactive security tasks
It's hard to make judgment based on just the two attacks, against Target and Sony.  i did not find sufficient information about those attacks to make a comment about them.   I reviewed common causes for large swathes of attacks, and what specialists could have prevented those attacks.  Those attacks could have been prevented long before the log watching stage.

Reading news articles about huge data breaches in the past few years, it is easy to panic and wonder what can be done, if anything.   Now that we security professionals have your (the executive board) attention, we repeat what we have been saying.  There is a clear path to much greater security.  That path includes hiring specialists who follow well-defined and highly effective security methodologies, ones developed by organizations such as Open Web Application Security Project (OWASP) and SANS security training and research.

The pattern of failures is also clear:  there have been basic problems, easily detected by professionals with the right skill sets.  They need to be utilized to periodically check and remediate simple issues, ones which could lead to great financial loss.

Information security auditors, penetration testers, web application security specialists are needed.

They are needed in the right place, in more proactive positions.  They will audit the systems to find the many basic flaws determined as a cause of these data breaches.  Applications developed need strong initial and ongoing security auditing and penetration testing.  Another common theme I see from security professional comments relating to the data leaks specifically is that more data needs to be encrypted.  This requires auditing of all systems to look for unencrypted data, and provide encryption tools and education to users on how to take advantage of it.

The following describes three areas found to be causing most of the problems, and the security specializations required to detect and manage remediation.

1. Security Misconfigurations

Of the attacks which we know crucial details based on media reports, one example are the large number of recent bank attacks.  The attackers knew the target systems did not have Microsoft Office properly patched.  This was one glaring misconfiguration with a relatively simple resolution to prevent occurrence.

Security misconfigurations are listed by the  Open Web Application Security Project (OWASP) as #5 in the top 10 security concerns in their most recent report (2013).

This prevention requires a security auditor / penetration tester to detect it, and an effective means to mandate proper configuration procedures be set up such as automatic updates on all relevant systems.

2. Injections
A second example is the the large group of successful attacks against retailers.   SecurityWeek/Eduard Kovacs states in an article called '61 Million Retail Records Lost in 2014: IBM', that IBM reported "...most of the retail attacks observed by IBM in 2014 leveraged command or SQL injections."

Injections are listed by the Open Web Application Security Project (OWASP) as #1 in the top 10 security concerns in their most recent report (2013).

Accepted countermeasures for command/SQL injection, according to Open Web Application Security Project (OWASP), security application during the design phase (optimally).   Coding with security in mind in certain functions (data input screens) is necessary.  A web application security professional needs to provide support, guidance and verification using different methods, including source code review, optimally and penetration testing.  Ongoing security audits are necessary, done by web application security auditors and penetration testers, to prevent this type of error, because applications are changing all the time, even if just a little.  See the "Injection Prevention Cheat Sheet - OWASP" for details.

3. Sensitive data exposure
Sensitive data exposure is listed by the Open Web Application Security Project (OWASP) as #6 in the top 10 security concerns in their most recent report (2013).

"Uber sued over driver data breach, adding to legal woes", NY Daily News: REUTERS Sunday, March 15, 2015, 11:03 AM; information on root cause is scant but it is said there was an unpatched vulnerability plus this one relates to compromise of an encryption key, so it also falls under Security Misconfiguration.   Application coding of password handling and storage should be reviewed by the web application security professional and security auditor. Cryptography and transport layer security should be reviewed.   Penetration testers should be used to try to find vulnerable data and exfiltrate it.  Google "Top 10 2013-A6-Sensitive Data Exposure" for details.

Summary
We need strong, periodic auditing and testing of security configurations, web applications, and all systems for vulnerable, valuable data.  These require the following:

Security auditors
Penetration testers
Web application security professionals

Detecting misconfigurations and sensitive data exposure may not require specialization.  Secure source code review may require some specialization.  However, penetration testers can look for injection vulnerabilities using special tools.  They don't need special knowledge of the underlying technology.
fsiep
100%
0%
fsiep,
User Rank: Apprentice
3/15/2015 | 12:12:43 AM
Not even fully deployed with most organizations
Reading through the article I am not sure if the article and the heading are completely aligned. The heading had me a little surprised, getting rid of Security Ops. There are many organizations that have not even rolled out a full blown security Ops/SOC solution. Would someone recommend getting rid of the NOC and the IT Operations team? The reality is that there are many aspects to security and the operational aspect is one of them. Just because everyone has a responsibility around security does not make Security Ops obsolete. Is the next thing that every architect will need to be a security architect? The reality is that technology and security problems are becoming more and more complex. A new specilization is usually the result of such developments. To expect that such specialist are also security specialist is simply unrealsitic - Yes, they should be trained in security, specific to their job and in general. However, that does not qualify them to replace security ops. Security will need to be driven from top down into the organization. Some parts will have security personnel embedded in a team, business unit, etc. but not all. However this will not replace a centralized security organization that provides core security services e.g. SOC, Vulnerbaility Scanning, etc.
TalKlein
50%
50%
TalKlein,
User Rank: Author
3/13/2015 | 5:51:40 PM
Re: The model will need to become distributed
First of all, thank you for the well thought out response. My friend Chris Hoff and I have long debated what the "right thing" is to do to "save security" and the idea of this opinion piece was to catalyze just these sort of additional perspectives. I think your proposal makes sense to large, well funded organizations for whom security is a core business pillar. However, what's needed is a something that solves for the "big problem." The reason I propose to do away with the notion of SOC is because we need a forcing function to try something new, whether it's distributed security or otherwise matters less to me than the acceptance of the fact that the status quo isn't working and we should repurpose our valuable security resources towards new ideas.
aws0513
100%
0%
aws0513,
User Rank: Ninja
3/13/2015 | 2:21:41 PM
The model will need to become distributed
In most organizations, there is usually a team of people dedicated to the security operations functions.  It is my opinion this model still needs to exist to provide a foundational framework of knowledge and decision making for the overall organization.

What will need to change is the security training and knowledge in the "field".  Each department/division/project/office/function will need security professionals that are embedded with the people doing the work.  People who can be cognizant of the business operations needs of the area they are responsible while in tune with security policies/requirements and security trends and best practices.

This is especially true of larger organizations that may have many different sub-components or facilities.  Each area of operations needs to have that separate set of eyes to help the operations managers maintain security standards and assist in oversight of operations with a security focus.  The people that function in this role would also have understanding of what is important for that business operation to function effectively.  In turn, that would make them capable of being representatives for the area they are responsible when negotiating and communicating with upper level security management.  Along with this, it will likely be necessary to have a larger workforce to help implement the robust least privilege and separation of duties controls necessary for a mature security program.

The model I describe is similar to the DODI 8570 model where every technician is expected to be a certified security professional.  Moreover, every security officer for an operational function also needs to have some kind of a security certification.

In the end, the best people to help the organization security managers implement a mature, defense in depth security program are those people who are closest to where the business activity takes place.  It will be necessary in the future for private entities to consider adopting security certification standards across a broad spectrum of their workforce.

Not going to lie...  this model is going to be challenging to develop for any organization.  The DoD struggles with this and they have been working on this problem for many years.
RyanSepe
0%
100%
RyanSepe,
User Rank: Ninja
3/13/2015 | 2:14:13 PM
Sony behind the 8-ball
One would think the massive exfiltration of credit card information from the PSN would have pushed Sony to start having a robust security program but better late than never I suppose.
<<   <   Page 2 / 2


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7734
PUBLISHED: 2020-09-22
All versions of package cabot are vulnerable to Cross-site Scripting (XSS) via the Endpoint column.
CVE-2020-6564
PUBLISHED: 2020-09-21
Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.
CVE-2020-6565
PUBLISHED: 2020-09-21
Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
CVE-2020-6566
PUBLISHED: 2020-09-21
Insufficient policy enforcement in media in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2020-6567
PUBLISHED: 2020-09-21
Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.