5/17/2018
09:00 AM
Raymond Pompon

Boosting Security Effectiveness with 'Adjuvants'

How integrating corporate resources like the IT help desk, system administration, quality assurance and HR can breathe new life into your security program.

In medical treatment there is a concept of an "adjuvant" — an agent that enhances the effect of other agents. It’s not the cure, but it helps the cure be more effective. Adjuvants are added to medicines to enhance their responses and lengthen their effect. We can use this same concept for security work.

How does this work? Security already taps other departments to help with an organization’s security mission. It’s time we recognize that a strong performance by these folks can be a force multiplier. For example, personnel in QA, the IT help desk, IT operations, and Human Resources are already pre-approved to do security work. What you need to do is reinforce and extol their efforts. Yes, they will probably do an adequate job without help, but it’s to your advantage to invest in these adjuvants so that they become more effective and influential in their security work.

What Can a Security Adjuvant Do?
The key is to have adjuvants breathe life into your security controls, so they become integrated into the organizational culture. In many ways, they act as part of the security team to ensure that security policy and process are followed. Because adjuvants are not part of the security team, they have a unique perspective that straddles both security and business goals. When security processes fail, security adjuvants can help diagnose problems. They are also able to double-check that security processes are working as intended—that is, even if the process is being followed, is it meeting the goal? Because of this unique perspective, they can also help bridge the gap between aspiration (the policy) and execution (the reality).

Enough with the theory, let’s look at how security adjuvants work, beginning with one of the humblest but most essential roles in IT.

IT Help Desk
The IT help desk is the front line for security. As the single point of contact for users, it’s the first place they turn to with questions and complaints. Therefore, security needs to provide the help desk with a clear process to follow and open communication paths to resolve questions. The help desk needs a fast escalation path to security to ensure developing situations are spotted early and contained. You want to know right away if a phish has been clicked or a malware outbreak is in progress.

System Administration
The sysadmins are likely to have more knowledge about specific attacks, vulnerabilities, and technical controls than some on the security team. Since sysadmins work with the firewalls, authentication servers, security logs, and encryption systems, they can lend expertise to the security team. I’ve always considered it the security team’s job to provide tools and guidelines to help the sysadmins. Sysadmins are also able to give good feedback on why a proposed security change may negatively affect operational stability. They are also often aware when something doesn’t look right, either in a suspicious log entry or in how a system is behaving. These are the times when you want sysadmins to be very willing to consult with Security to help in the investigation.

Quality Assurance
The Quality Assurance (QA) team is a great ally for security. Not only do they find the bugs that can lead to security vulnerabilities, they can also frame the fixes in a broader context of improved product quality. Often security holes are dismissed as the security team crying that the sky is falling. When QA flags them, vulnerabilities can be tied to customer experience. This means that QA teams should have a strong understanding of the application threat models. They should also be provided with a method of testing security vulnerabilities, either directly by demonstration or indirectly from test scripts that can be integrated into the test suites.

Human Resources
Outside the technical areas, Human Resources (HR) is often involved in security matters. When new employees are on-boarded, security needs to make sure these employees are educated on security policies and procedures. HR can often help facilitate both policy sign-off and security awareness directly. Since maintaining a close tie between current employees and authorized user accounts is a key security measure, HR needs to integrate processes with IT or Security to ensure new employees get user accounts and departing employees have their accounts disabled. When there are involuntary terminations, security needs to be in the loop to ensure all credentials are cut off at once. When severe security policy violations occur, HR also needs to work with security to ensure proper documentation and sanctions are applied.

Empowering and Investing in the Security Adjuvants
Partnering with your security adjuvants means more than just assigning them security responsibilities. It means answering their calls and emails in a timely manner, attending some of their meetings, listening to their needs, and providing customized training and documentation for them. This not only helps them do their security work but more importantly, it sends them a message that you’re invested in helping them succeed. You’re sending a message that everyone is working together to improve security. This extra effort with the adjuvants also gives Security a chance to communicate their goals and knowledge of threats on an ongoing basis.

Having committed, capable individuals outside of the security team is a potent adjuvant to help a security program succeed. Another future possibility for security adjuvants is recruiting them into the security department. Remember, security is a team effort and savvy CISOs should look beyond their own department for assistance.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...
printable1,
User Rank: Apprentice
11/5/2018 | 3:04:04 AM
november 2018 calendar
I totally agree with you.
printable1,
User Rank: Apprentice
11/5/2018 | 3:03:15 AM
2019 calendar

Security Adjuvant Concept? How does this work?


 
enhayden1321,
User Rank: Strategist
11/3/2018 | 2:30:18 PM
Excellent Thought Piece!
Well done, Mr. Pompon, on this article!  You are "dead on" when it comes to including the other players of the enterprise into the security response.  This also demonstrates to the other departments that they are important to security and vice versa.  Thanks! 