Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
5/17/2018
09:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Boosting Security Effectiveness with 'Adjuvants'

How integrating corporate resources like the IT help desk, system administration, quality assurance and HR can breathe new life into your security program.

In medical treatment there is a concept of an "adjuvant" — an agent that enhances the effect of other agents. It’s not the cure, but it helps the cure be more effective. Adjuvants are added to medicines to enhance their responses and lengthen their effect. We can use this same concept for security work.

How does this work? Security already taps other departments to help with an organization’s security mission. It’s time we recognize that a strong performance by these folks can be a force multiplier. For example, personnel in QA, the IT Help desk, IT Operations, and Human Resources are already pre-approved to do security work. What you need to do is reinforce and extol their efforts. Yes, they will probably do an adequate job without help, but it’s to your advantage to invest in these adjuvants to be more effective and influential in their security work.

What Can a Security Adjuvant Do?
The key is to have adjuvants breathe life into your security controls, so they become integrated into the organizational culture. In many ways, they act as part of the security team to ensure that security policy and process is followed. Because adjuvants are not part of the security team, they have a unique perspective that straddles both security and business goals. When security processes fail, security adjuvants can help diagnose problems. They are also able to double-check that security processes are working as intended—that is, even if the process is being followed, is it meeting the goal? Because of this unique perspective, they can also help bridge the gap between aspiration (the policy) and the execution (the reality).

Enough with the theory, let’s look at how security adjuvants work, beginning with one of the humblest but most essential roles in IT.

IT Help desk
The IT help desk is the front line for security. As the single point of contact for users, it’s the first place they turn to with questions and complaints. Therefore, security needs to provide the help desk with a clear process to follow and open communication paths to resolve questions. The help desk needs a fast escalation path to security to ensure developing situations are spotted early and contained. You want to know right away if a phish has been clicked or a malware outbreak is in progress.

System Administration
The sysadmins are likely to have more knowledge about specific attacks, vulnerabilities, and technical controls than some on the security team. Since sysadmins work with the firewalls, authentication servers, security logs, and encryption systems, they can give expertise to the security team. I’ve always considered it the security team’s job to provide tools and guidelines to help the sysadmins. Sysadmins are also able to give good feedback on why a proposed security change may negatively affect operational stability. They are also often aware when something doesn’t look right, either in a suspicious log entry or how a system is behaving. These are the times when you want sysadmins to be very willing to consult with Security to help in the investigation.

Quality Assurance
The Quality Assurance (QA) team is a great ally for security. Not only do they find the bugs that can lead to security vulnerabilities, they can also frame the fixes in a broader context of improved product quality. Often security holes are dismissed as the security team crying that the sky is falling. When QA flags them, vulnerabilities can be tied to customer experience. This means that QA teams should have a strong understanding of the application threat models. They should also be provided with a method of testing security vulnerabilities, either directly by demonstration or indirectly from test scripts that can be integrated into the test suites.

Human Resources
Outside the technical areas, Human Resources (HR) often is involved in security matters. When new employees are on-boarded, security needs to make sure these employees are educated on security policies and procedures. HR often can help facilitate both policy sign-off and security awareness directly themselves. Since maintaining a close tie to current employees and authorized user accounts is a key security measure, HR needs to integrate processes with IT or Security to ensure new employees get user accounts, and departing employees have their accounts disabled. When there are involuntary terminations, security needs to be in the loop to ensure all credentials are cut off at once. When severe security policy violations occur, HR also needs to work with security to ensure proper documentation and sanctions are applied.

Empowering and Investing in the Security Adjuvants
Partnering with your security adjuvants means more than just assigning them security responsibilities. It means answering their calls and emails in a timely manner, attending some of their meetings, listening to their needs, and providing customized training and documentation for them. This not only helps them do their security work but more importantly, it sends them a message that you’re invested in helping them succeed. You’re sending a message that everyone is working together to improve security. This extra effort with the adjuvants also gives Security a chance to communicate their goals and knowledge of threats on an ongoing basis.

Having committed, capable individuals outside of the security team is a potent adjuvant to help a security program succeed. Another future role for security adjuvants is to recruit them into the security department. Remember, security is a team effort and savvy CISOs should look beyond their own department for assistance.

Get the latest application threat intelligence from F5 Labs.

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
celldwellertribe
50%
50%
celldwellertribe,
User Rank: Apprentice
3/20/2019 | 1:58:41 AM
Re: Excellent Thought Piece!
Thanks for sharing such a piece of great information with us. Your Post is very unique and all information is reliable for new readers. Keep it up in future, thanks for sharing such a useful post.

 
printable1
50%
50%
printable1,
User Rank: Apprentice
11/5/2018 | 3:04:04 AM
november 2018 calendar
I totally agree with you.
printable1
50%
50%
printable1,
User Rank: Apprentice
11/5/2018 | 3:03:15 AM
2019 calendar

Security Adjuvant Concept?How does this work?


 
enhayden1321
50%
50%
enhayden1321,
User Rank: Strategist
11/3/2018 | 2:30:18 PM
Excellent Thought Piece!
Well done, Mr. Pompon, on this article!  You are "dead on" when it comes to including the other players of the enterprise into the security response.  This also demonstrates to the other departments that they are important to security and vice versa.  Thanks! 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.