I recently wrote a two-part series of articles for Dark Reading on the technical and organizational challenges that make patching hard in large organizations like Equifax. The same types of issues factor into the recent rash of AWS S3 Bucket breaches I examined in a prior Secplicity blog post. In each of these scenarios, someone in the organization is responsible for updating a script or software that affects the security of the company’s data. In each case, the work may boil down to the actions of a single individual, but stepping back to view the larger picture may bring other organizational issues to light that impact the security of systems at a company on a broader scale.
How can companies solve these problems related to configuration and patching more effectively? I am reminded of a quote from Louis V. Gerstner, Jr. in his book Who Says Elephants Can’t Dance? The book is an account of IBM’s turnaround which he led from April 1993 to March 2002. Gerstner writes about how he solved problems by creating transparency around what people were doing and if they were doing it effectively.
| People do what you inspect, not what you expect. |
Although some accounts of this turnaround shine a negative light on the personal gain of the CEO over employee well-being, the fact is the company was in decline and still exists today possibly in part due to his actions. Implementing processes and controls that provide transparency and tracking makes problems visible. Once problems are visible, companies can find a solution to fix them. Companies need to understand what software employees are installing on systems, especially those that host or have access to critical data. Some form of inventory and process for updating these systems needs to exist. The term for this type of tracking and control is called Configuration Management.
The problem with old-school methodologies of security and configuration management was that they slowed companies down to the point of not being able to be competitive in the marketplace. Security reviews and a small team of experts allowed to make security-related changes eventually caused so many delays to projects that the pendulum swung the other way. Companies threw off the shackles of process and controls to move towards agile, DevOps, and other forms of managing projects and operational tasks to operate like hip startups throwing new applications up overnight into the cloud.
In this move to innovative processes, companies need to be careful not to throw out the baby with the bath water. For companies moving applications to the cloud, a platform like AWS provides an opportunity for some do-overs in the way companies manage security and configurations. I explore deployment strategies that take competing interests into account in a paper I wrote for SANS called Balancing Security and Innovation with Event Driven Automation. The paper also addresses the issue with after-the-fact scanning such as was used by Equifax, versus a system that inspects software in advance of deployment.
If you happen to be going to AWS re:Invent this year, Amazon’s largest annual conference, there are many sessions on how to automate security and compliance. I’ll be presenting in the community day track on a related topic if you would like to join us: DVC304 – Compliance and Top Security Threats in the Cloud – Are You Protected? If you didn’t sign up for re:Invent in time, the good news is that all these sessions will likely be posted online in video format after the event.
What if your company is not running applications on a cloud platform? Although you’ll have to build a lot of the automation and tools yourself that a cloud platform like AWS provides, all the principles used in the cloud to automate security can technically be implemented in a non-cloud environment as well. Implementing systems and processes to inventory systems and software to know which applications may require patches or are running non-compliant configurations with security problems can be achieved in any environment. Automation — implemented by people who understand security – can help analyze systems more quickly and prevent human error.
Configuration management on every device in an environment from phones to IOT to printers to networking equipment may prove to be overwhelming and challenging. Companies should start with the assets that are most valuable and most damaging to the business if stolen or destroyed. Network, patching, and deployment rules can be most stringent around systems that hold or have access to critical data. Configuration management and deployment systems are an important part of organizational security and companies should invest adequate resources to ensure they have visibility into software and configurations in their environments and can quickly fix security problems when they are identified. — Teri Radichel (@teriradichel)