Page 120 - Security Today, July/August 2021
tiae of each team member’s actions. That way, when there is a crisis, they are ready.
At the same time, this planning is not just for crisis situations. It is also to ensure a team sticks to decided-upon protocols and actions for everyday security management. What is the workflow for making software upgrades? For software updates? How does the team add new users and give them access to specific applications and information?
Plan out what normal activity looks like, as well as what abnormal activity looks like. That way it’s clear when something is abnormal and malicious. Reviewing plans on a regular basis is just as important. One needs to ensure everything is up-to-date, make any needed adjustments and update the process plans and workflows to make sure they’re current. This is money and time well spent, as it helps the team get out of reactive mode and into proactively solving the issue when an incident happens.
Planning out the workflow and playbook for each action for the entire organization, and then relying upon those detailed plans, is the only way to ensure the campus is operating at peak efficiency (important with a small amount of staff) and that it’s ready for any eventuality.
Policies. A part of this requires strong, consistent definitions for security incidents at the core of planning and preparation activities.
It is up to the security team to decide upon the proper alert workflow, and when an incident or anomaly needs to be flagged to the team. Deciding exactly what’s dangerous, what’s interesting and what’s not is critical to success (and the sanity of the team).
An organization can’t set its tolerance too high, or it will end up letting all sorts of malware, malicious code and ransomware into its system; and if the tolerance is too low the team will constantly be chasing down false positives and ghosts. The problem is never getting too many or too few alerts – it’s most often the lack of planning and discussion at the start, or a lack of consistency in approach and definition of what is normal and what is not.
All new elements introduced to the environment need proper action plans around what is expected and what would be an abnormal behavior. Be sure to test all new software out beforehand, in order to make sure it will roll out and go live as expected, as no one likes surprises. It’s hard to think of a single example where a security surprise ended in a promotion.
Having already had the right conversations and made the right plans to effectively react when an incident happens is crucial. This is even more critical to get right with leaner teams that are wearing many hats.
Preparation. Without a strong workflow and the right preparation in place, all the automation or advanced tools in the world won’t help. Teams and people need to work together. Events affect everyone in the organization. To operate correctly, a team needs to be prepared well, and know how to instinctively play their roles.
With plans and policies in place, teams need to rehearse critical events and see where there might be issues to correct in their workflows and planned responses. Was something missed? Better to find it now, before it’s too late.
Being prepared also means having the proper security controls and tools in place to enable everyone in the team to do their jobs effectively each day. This means having full visibility, being able to inspect items of interest, and knowing when (and how) to act on what one finds.
Visibility. It is critically important to operations - especially in the campus situation where there are likely fewer resources and overworked staff - to ensure active visibility into the network and applications. It’s only possible to protect what can be seen.
With pervasive network visibility in place, it’s possible to see the entire environment and manage all its assets. It is important to have the ability to monitor normal, legitimate network traffic and activity,
allowing a view of the network when it is performing the way it is intended to. That also enables setting the stage for what is considered abnormal, or at least out of the ordinary, making it easier to identify and address potential issues before they become full-on emergencies.
"A good peer network enables someone to get responses from others that have seen it all before. It’s also a great opportunity to become involved and share expertise with others."
Controls. Every security organization needs to build some basic controls that will allow them to control the blast radius, i.e., to handle the extent of the damage if the campus network and/or applications face a cyberattack.
There are different types of controls - some are simply brute force-type controls, shutting down everything for a moment of time while it is determined what the problem is and how to stop it. Alternatively, there are controls that combine network visibility with specifics to surgically control an application or a machine (or more) to isolate and shut down just the problem areas. Both are effective (and often needed) options to have available.
This also serves as a reminder to make sure that the proper controls are in place to manage day-to-day security operations, not just when there is a crisis. Is it possible to see across applications, identify and act upon anomalies? Is the system set up so that only those that should have access do, and are the only ones allowed to make changes?
Make sure that controls behave the same across the entire environment. There should be a consistent operational security and control set, regardless of whether operations are on-premise, hybrid or fully in the cloud. Be sure that settings have been checked and rechecked to prevent a missed checkbox from unintentionally causing problems.
Lastly, remember to not have only a single administrator account active. Credential management is an issue, sure, but it is more important to be protected in case there’s an issue and it’s not possible to access the main account anymore. Credential management program suites can be a friend. Employ unique credentials and use the programs to help.
Compliance and certification. Be sure to have a solid certificate management program running that can help make sure the organization knows where applications are from - and that they are who they say they are (signed, and from trusted publishers). Without that, at the very least make sure there is a technical signature trail, and know what each does, who has authority to publish, who has permissions, where they are running. That will be critical information if there is an issue.
Compliance is also important to factor into the security makeup. Many campuses contain research facilities - and many have a deep set of data and security compliance requirements in order to receive funding from a government or private sector investment, while others demand a certain level of data and information protection. In many cases, colleges and universities with these requirements find themselves using this high level of security as the starting point for determining what needs to be invested in and rolled out campus wide. Remember not to make this the final consideration when reviewing your security needs.
Future-proofing Your Security
Technologies and an institution’s need to provide and support them change rapidly, such as in 2020 with the rapid, immediate need to
Network Security
28 campuslifesecurity.com | JULY/AUGUST 2021