5/17/2018
09:00 AM
Raymond Pompon

Boosting Security Effectiveness with 'Adjuvants'

How integrating corporate resources like the IT help desk, system administration, quality assurance and HR can breathe new life into your security program.

In medical treatment there is a concept of an "adjuvant" — an agent that enhances the effect of other agents. It’s not the cure, but it helps the cure be more effective. Adjuvants are added to medicines to enhance their responses and lengthen their effect. We can use this same concept for security work.

How does this work? Security already taps other departments to help with an organization’s security mission. It’s time we recognize that a strong performance by these folks can be a force multiplier. For example, personnel in QA, the IT help desk, IT Operations, and Human Resources are already pre-approved to do security work. What you need to do is reinforce and extol their efforts. Yes, they will probably do an adequate job without help, but it’s to your advantage to invest in these adjuvants so that they are more effective and influential in their security work.

What Can a Security Adjuvant Do?
The key is to have adjuvants breathe life into your security controls, so they become integrated into the organizational culture. In many ways, they act as part of the security team to ensure that security policy and process are followed. Because adjuvants are not part of the security team, they have a unique perspective that straddles both security and business goals. When security processes fail, security adjuvants can help diagnose problems. They are also able to double-check that security processes are working as intended: even if the process is being followed, is it meeting the goal? Because of this unique perspective, they can also help bridge the gap between aspiration (the policy) and execution (the reality).

Enough with the theory, let’s look at how security adjuvants work, beginning with one of the humblest but most essential roles in IT.

IT Help Desk
The IT help desk is the front line for security. As the single point of contact for users, it’s the first place they turn to with questions and complaints. Therefore, security needs to provide the help desk with a clear process to follow and open communication paths to resolve questions. The help desk needs a fast escalation path to security to ensure developing situations are spotted early and contained. You want to know right away if a phish has been clicked or a malware outbreak is in progress.

System Administration
The sysadmins are likely to have more knowledge about specific attacks, vulnerabilities, and technical controls than some on the security team. Since sysadmins work with the firewalls, authentication servers, security logs, and encryption systems, they can give expertise to the security team. I’ve always considered it the security team’s job to provide tools and guidelines to help the sysadmins. Sysadmins are also able to give good feedback on why a proposed security change may negatively affect operational stability. They are also often aware when something doesn’t look right, either in a suspicious log entry or how a system is behaving. These are the times when you want sysadmins to be very willing to consult with Security to help in the investigation.

Quality Assurance
The Quality Assurance (QA) team is a great ally for security. Not only do they find the bugs that can lead to security vulnerabilities, they can also frame the fixes in a broader context of improved product quality. Often security holes are dismissed as the security team crying that the sky is falling. When QA flags them, vulnerabilities can be tied to customer experience. This means that QA teams should have a strong understanding of the application threat models. They should also be provided with a method of testing security vulnerabilities, either directly by demonstration or indirectly from test scripts that can be integrated into the test suites.

Human Resources
Outside the technical areas, Human Resources (HR) is often involved in security matters. When new employees are on-boarded, security needs to make sure these employees are educated on security policies and procedures. HR can often facilitate both policy sign-off and security awareness directly. Since maintaining a close tie between current employees and authorized user accounts is a key security measure, HR needs to integrate processes with IT or Security to ensure new employees get user accounts, and departing employees have their accounts disabled. When there are involuntary terminations, security needs to be in the loop to ensure all credentials are cut off at once. When severe security policy violations occur, HR also needs to work with security to ensure proper documentation and sanctions are applied.

Empowering and Investing in the Security Adjuvants
Partnering with your security adjuvants means more than just assigning them security responsibilities. It means answering their calls and emails in a timely manner, attending some of their meetings, listening to their needs, and providing customized training and documentation for them. This not only helps them do their security work but more importantly, it sends them a message that you’re invested in helping them succeed. You’re sending a message that everyone is working together to improve security. This extra effort with the adjuvants also gives Security a chance to communicate their goals and knowledge of threats on an ongoing basis.

Having committed, capable individuals outside of the security team is a potent adjuvant to help a security program succeed. Another future role for security adjuvants is as recruits into the security department. Remember, security is a team effort and savvy CISOs should look beyond their own department for assistance.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...
Comments
celldwellertribe
User Rank: Apprentice
3/20/2019 | 1:58:41 AM
Re: Excellent Thought Piece!
Thanks for sharing such a piece of great information with us. Your Post is very unique and all information is reliable for new readers. Keep it up in future, thanks for sharing such a useful post.

 
printable1
User Rank: Apprentice
11/5/2018 | 3:04:04 AM
november 2018 calendar
I totally agree with you.
printable1
User Rank: Apprentice
11/5/2018 | 3:03:15 AM
2019 calendar

Security Adjuvant Concept? How does this work?


 
enhayden1321
User Rank: Strategist
11/3/2018 | 2:30:18 PM
Excellent Thought Piece!
Well done, Mr. Pompon, on this article!  You are "dead on" when it comes to including the other players of the enterprise into the security response.  This also demonstrates to the other departments that they are important to security and vice versa.  Thanks! 