Nice Quotes, But I Wouldn’t Take Cybersecurity Advice from Alphonse Karr

Despite the accepted wisdom of the often-used quotation from Alphonse Karr ‘The more things change, the more they stay the same’, Alphonse obviously didn’t know much about cybersecurity.

Every single breach starts with a change, or the need for a change. Changes are both the enemy and the ally of cybersecurity, but in either case it is absolutely not true that security is unaffected by change. Changes to IT systems are not just inevitable but near incessant in every organization: patches are routinely required to address vulnerabilities, while business-as-usual improvements to IT services mean that nothing stays still for long.
Every change made carries a risk of inadvertently weakening security, making it a ‘stick or twist’ gamble in the quest for improved IT. Even intentional changes create ‘change noise’ that makes it easier for breach activity to hide in plain sight. Put simply, if you don’t know what is expected to change and when, how can you ever expect to expose tell-tale indicators of compromise?

Little wonder then that, despite year-on-year increases in security product investment, the number of reported breaches still continues to rise.

It’s not all bad news. The IT Process Institute benchmarked ITSM and cybersecurity performance of over 850 organizations. They found that ‘91% of all security breaches were auto-detected when release, change and configuration management controls were implemented’. Two immediate conclusions can be drawn:

  1. Simply spending more money on the latest darling product from the security industry is unlikely to reduce the incidence of breaches
  2. If you are good at change control, you will be significantly more secure

You may be thinking ‘Tell me something I didn’t already know’ because of course, change control and integrity monitoring aren’t new ideas. In fact, every single security best practice guideline, from the CIA Triad to the CIS Security Controls Framework places these foundational controls at their core.

The real problem is that, historically, neither control has been easy to operate effectively. The consequence is that many security professionals fall off the wagon of best practice and give in to the addiction of buying the latest security gadget, year after year.

Alert fatigue, change noise and the difficulty of reviewing and reconciling changes identified within a formal change management process have left many losing their nerve when it comes to proven security best practices.

So the real problem with security is not so much finding out what will make us secure – we already know the answers from our compliance frameworks – but the need for a joined-up strategy for ITSM and security, and crucially, one that can be readily operated by any organization.

The new discipline of SecureOps binds security and change management processes together and is made possible through three key innovations to address the known issues:

  • Integration: Tight alignment of the ITSM change management function with an accurate and forensic system integrity monitoring capability. This way, as change activity is forecast and scheduled, the actual resulting changes can be reconciled in a closed-loop change control process.
  • Focus: Real-time detection operated with file reputation and other threat intelligence analysis enables automated categorization of changes. This not only suppresses ‘change noise’ (everyday changes such as scheduled patching still have to be reported, a major weakness of first-generation FIM tools), but better still serves to prioritize focus on the remaining minority of unplanned, unexpected changes. Change noise has a lot to answer for and needs to be eliminated to give a clear picture of ‘are we under attack?’
  • Automation: With planned changes correlated with change requests and change noise filtered out, this leaves unplanned changes to be managed via the ITSM incident workflow. Incidents can be created automatically and augmented with context such as who made the change. The vision for ITSM leaders such as ServiceNow is that security incidents are presented with all available security intelligence collated automatically in order to shortcut the investigation and remediation processes.
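The three steps above (reconcile detected changes against scheduled change requests, suppress vetted noise with reputation data, raise an incident for whatever remains) are easy to picture as a single closed loop. The following is an added illustration, not code from the article or from any SecureOps or ITSM vendor: the event format, change-request schema, reputation set, hostnames, ticket numbers and hashes are all constructed for the example.

```python
"""Closed-loop change reconciliation (added example, constructed data).

A FIM change event is classified as:
  planned   - falls inside an approved change window for that host/path
  noise     - outside any window, but the new content hash is on a vetted
              known-good list (e.g. vendor-published package files)
  unplanned - everything else; handed to the incident workflow with context
"""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch


@dataclass
class ChangeRequest:
    """An approved ITSM change: which host/paths may change, and when."""
    ticket: str
    host: str
    path_glob: str
    start: datetime
    end: datetime


@dataclass
class FimEvent:
    """One file-integrity change as a FIM agent might report it (assumed format)."""
    host: str
    path: str
    sha256: str
    user: str
    when: datetime


@dataclass
class Incident:
    """Record handed to the ITSM incident workflow for an unplanned change."""
    host: str
    path: str
    user: str
    when: datetime
    sha256: str


def classify(event, change_requests, known_good_hashes):
    """Return ('planned', ticket), ('noise', None) or ('unplanned', None)."""
    for cr in change_requests:
        if (cr.host == event.host
                and fnmatch(event.path, cr.path_glob)
                and cr.start <= event.when <= cr.end):
            return "planned", cr.ticket
    # Outside any change window: suppress only if the new content is vetted.
    if event.sha256 in known_good_hashes:
        return "noise", None
    return "unplanned", None


def reconcile(events, change_requests, known_good_hashes):
    """Tie planned changes back to their ticket, drop vetted noise,
    and turn everything else into an incident carrying who/what/when."""
    result = {"planned": {}, "noise": [], "incidents": []}
    for ev in events:
        verdict, ticket = classify(ev, change_requests, known_good_hashes)
        if verdict == "planned":
            result["planned"].setdefault(ticket, []).append(ev.path)
        elif verdict == "noise":
            result["noise"].append(ev.path)
        else:
            result["incidents"].append(
                Incident(ev.host, ev.path, ev.user, ev.when, ev.sha256))
    return result


# Constructed sample data: hostnames, ticket, hashes and users are placeholders.
CHANGE_REQUESTS = [
    ChangeRequest("CHG0001234", "web01", "/usr/lib/*",
                  datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 5, 4, 0)),
]
KNOWN_GOOD = {"aaaa1111"}  # stand-in for a file-reputation feed

EVENTS = [
    # inside the patch window -> planned
    FimEvent("web01", "/usr/lib/libssl.so.3", "bbbb2222", "root",
             datetime(2024, 3, 5, 2, 41)),
    # outside any window, but a vetted hash -> noise
    FimEvent("web01", "/usr/bin/curl", "aaaa1111", "root",
             datetime(2024, 3, 6, 9, 15)),
    # outside any window, unknown content, late at night -> incident
    FimEvent("web01", "/etc/ssh/sshd_config", "cccc3333", "svc_backup",
             datetime(2024, 3, 6, 23, 58)),
]

if __name__ == "__main__":
    out = reconcile(EVENTS, CHANGE_REQUESTS, KNOWN_GOOD)
    for ticket, paths in out["planned"].items():
        print(f"planned under {ticket}: {paths}")
    print(f"suppressed noise: {out['noise']}")
    for inc in out["incidents"]:
        print(f"INCIDENT {inc.host}:{inc.path} changed by {inc.user} "
              f"at {inc.when:%Y-%m-%d %H:%M}")
```

The ordering matters: a change is matched to a ticket first, then checked against reputation, so a vetted binary landing outside its window is still suppressed as noise, while an unvetted file anywhere outside a window becomes an incident with the user and timestamp already attached.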

With mean time to detection for security breaches still averaging 190 days, the SecureOps approach offers a means to revolutionize the effectiveness of security controls for any organization, reducing times to detection and for remediation. It offers a way to operate IT services which are more secure, more of the time.

For too long in the IT Security world, the industry has promised change but things have stayed the same. New products and technologies have still resulted in an inexorable increase in reported breaches. SecureOps allows us to break the cycle: IT systems can be changed, improved and updated as much as needed while the thing that really matters, the integrity of our secure systems, can be kept the same. Maybe Alphonse Karr was onto something all along?
