Improving basic security “hygiene” can help defend your network

The gospel of a deperimeterized approach to security apparently hasn’t reached the congregation of every IT/security department, asserted Dwayne Melançon, vice president of products for Tripwire. He said that many organizations continue to spend copious amounts of money securing their perimeter defenses first while delaying controls for business-critical data.

Yet, ironically, Melançon believes that many data breaches are the result of what he calls poor IT security hygiene, whereby organizations fail to harden their systems or have them improperly configured before a breach occurs.

“When you look at the data surrounding many breaches, most of them are the result of people taking advantage of poorly hardened or misconfigured systems”, he noted. “Either organizations take a heavy-handed approach and try to apply hardening equally across the whole infrastructure, or they start down that path and realize it’s a ton of work, and they back off and never get around to it.”

The Tripwire VP says that prudent IT departments should pick their battles when it comes to network configuration hardening initiatives. What Melançon advocates is a “top-down risk-based analysis” that identifies the systems most critical to the business and applies rigorous hardening to those systems first. This way, he added, organizations will not become overwhelmed by the overall network hardening process.

Tripwire recently expanded its VIA platform, which Melançon describes as a platform that integrates configuration controls. “We find that it’s easy to get lost in the noise if you don’t have something to help you filter it out”, he observed when speaking about conventional network anomaly detection, configuration, and perimeter security. “We are giving people a way to filter all of the suspicious events based on things like state changes and configuration weaknesses.”

When it comes to mitigating threats by political hacktivist groups like Anonymous and LulzSec, Melançon recommends that organizations continuously monitor their systems for changes to accounts and privileges.

Another pointer he put forth: “anchor systems to a security standard”. Melançon recommended the CIS (Center for Internet Security) benchmarks, because they cover a wide variety of platforms and have been thoroughly vetted by the security industry.

“If you can anchor your systems to a hardened configuration, then you’re less likely to have people [penetrate your systems] with malicious intent”, he asserted.

Melançon also recommended monitoring the server stack for “changes in state” to defend against those who may have successfully compromised a network’s perimeter defenses.
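The two monitoring recommendations above (watching accounts and privileges for changes, and watching the server stack for changes in state) come down to the same mechanism: record a known-good baseline and diff later snapshots against it. The following Python is an added illustration written for this article, not Tripwire code and not part of the VIA platform. It hashes a set of configuration files and parses passwd/group-style text, then reports drift such as a modified config file, a new UID 0 account, a changed login shell, or membership added to a privileged group. The file contents, account lines and the list of groups treated as privileged are all constructed assumptions for the example.

```python
"""State-change monitor sketch: baseline vs. current snapshot of config files
and accounts.  All inputs below are constructed sample data, not a real host."""
import hashlib

# Assumption: these groups confer elevated privilege on the monitored platform.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel"}


def snapshot_files(files):
    """files: {path: bytes content}.  Returns {path: sha256 hex digest}."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_files(baseline, current):
    """Return sorted (path, change) tuples for added, removed or modified files."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append((path, "added"))
        elif path not in current:
            findings.append((path, "removed"))
        elif baseline[path] != current[path]:
            findings.append((path, "modified"))
    return findings


def parse_accounts(passwd_text, group_text):
    """Parse /etc/passwd- and /etc/group-style text into
    {user: {"uid": int, "shell": str, "groups": set of supplementary groups}}."""
    accounts = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        accounts[name] = {"uid": int(uid), "shell": shell, "groups": set()}
    for line in group_text.splitlines():
        if not line.strip():
            continue
        gname, _pw, _gid, members = line.split(":", 3)
        for member in filter(None, members.split(",")):
            if member in accounts:
                accounts[member]["groups"].add(gname)
    return accounts


def diff_accounts(baseline, current, privileged=PRIVILEGED_GROUPS):
    """Return sorted (user, finding) tuples describing account/privilege drift."""
    findings = []
    for user in sorted(set(baseline) | set(current)):
        if user not in baseline:
            findings.append((user, "account added"))
            if current[user]["uid"] == 0:
                findings.append((user, "new uid 0 account"))
            continue
        if user not in current:
            findings.append((user, "account removed"))
            continue
        before, after = baseline[user], current[user]
        if before["uid"] != after["uid"]:
            findings.append((user, f"uid changed {before['uid']}->{after['uid']}"))
        if before["shell"] != after["shell"]:
            findings.append((user, f"shell changed {before['shell']}->{after['shell']}"))
        for group in sorted((after["groups"] - before["groups"]) & privileged):
            findings.append((user, f"added to privileged group {group}"))
    return findings


# Constructed baseline and later snapshot of a hypothetical server.
BASE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}
NEW_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",   # hardening setting flipped
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/cron.d/nightly": b"0 2 * * * root /usr/local/bin/nightly\n",  # new scheduled job
}
BASE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww:x:33:33:www-data:/var/www:/usr/sbin/nologin\nalice:x:1000:1000::/home/alice:/bin/bash\n"
BASE_GROUP = "root:x:0:\nsudo:x:27:alice\nwww:x:33:\n"
NEW_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww:x:33:33:www-data:/var/www:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\nbackup:x:0:0::/var/backups:/bin/sh\n"
NEW_GROUP = "root:x:0:\nsudo:x:27:alice,www\nwww:x:33:\n"


def run_example():
    """Diff the constructed baseline against the constructed current state."""
    file_findings = diff_files(snapshot_files(BASE_FILES), snapshot_files(NEW_FILES))
    account_findings = diff_accounts(parse_accounts(BASE_PASSWD, BASE_GROUP),
                                     parse_accounts(NEW_PASSWD, NEW_GROUP))
    return file_findings, account_findings


if __name__ == "__main__":
    for section, findings in zip(("files", "accounts"), run_example()):
        print(section)
        for subject, change in findings:
            print(f"  {subject}: {change}")
```

On a real host the baseline would be taken right after the system is hardened to its chosen benchmark and stored off-box, so that the comparison is against the approved configuration rather than against whatever the machine looked like last week.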

Nevertheless, the Tripwire executive reiterated that a data-centric approach is also an important component of any network security plan. The organization’s most business-critical data, what he calls the “soft core”, should be prioritized and properly defended.

While perimeter security can’t be ignored entirely as part of good overall IT security hygiene, Melançon recommended immediately addressing the security of an organization’s soft-core data.

“If you do a risk ranking, the first step is to keep the obvious bad guys out”, he shared. “The second step is to make sure that you have good controls around your soft core. Then you start looking at adjacent systems.”
