The primary driver of organizational security is risk mitigation. Risk can result in loss of data and of reputation, and the remediation costs and non-compliance penalties can also be very high.
Since data loss is at the heart of security and this data is managed by applications, all security conversations should begin with the type of data an organization keeps and the applications and users privileged to access this data. Most organizational data falls into four categories: 1. Employee data; 2. Customer and/or supplier data; 3. Financial data; 4. Intellectual property. The three key security requirements, CIA (Confidentiality, Integrity, Availability), can then be applied to this data to quantify the risk and the financial loss to the organization.
We make sure we regularly discover and inventory all assets that need to be protected. In today's ever-changing ecosystem, it is very easy to leave out cloud-based SaaS services or new assets introduced into the ecosystem.
Each and every individual in the organization who is given the privilege to use or manage IT resources has the responsibility of protecting those assets. This specifically includes all members of the IT staff (admins) who are the custodians of Applications, Databases, Servers, Networks, Endpoints and Users. The organization can schedule Security Awareness Training to ensure all users understand the security dimension of their responsibilities.
The IT system administrators are responsible for FCAPS (Fault mgmt., Configuration mgmt., Accounting mgmt., Performance mgmt. and Security mgmt.). A key tool for monitoring the security activity of an asset is the set of log files created by that asset. Reviewing logs to keep track of what is going on with an asset is the primary responsibility of the asset owner, a responsibility most owners have no time to fulfil. It is also a requirement to archive these logs (untampered) for future forensic use. Most organizations use SIEM tools (such as QRadar) to achieve this objective. Identifying which logs to archive or monitor and which ones to ignore is an important first step toward this objective.
The principle of separation of duties requires security staff to be different from asset administrators, operators, developers and managers.
Different tools and vendors can lull you into a false sense of security by monitoring only a subset of the total assets that need to be protected. Identifying all assets that need to be protected and prioritizing what needs to be secured first is the primary responsibility of the Security Officer. A vendor-agnostic dashboard that aggregates all assets, tools, users and notifications is required to give Security Officers a top-down perspective of the ecosystem they are responsible for protecting. QRadar applies built-in rules to the logs and flows ingested from the monitored assets to generate Offenses. These rules require tuning to minimize false positives. Including asset owners in the tuning process reduces the number of offenses and consequently the workload of the Security Officer. Sharing offenses with asset owners keeps them aware of the security state of their assets, reduces the load on the security staff and shortens the time needed to deal with each offense.
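The two points above, rule-based offense generation with owner-driven tuning and untampered log archiving, as an added illustration that is not QRadar's own code or the original page's: a simple failed-login rule applied to constructed log lines, a tuning allowlist (assumed here to be a known vulnerability scanner agreed with the asset owner) that suppresses a false positive, and a SHA-256 hash chain that makes later tampering with archived lines detectable.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample log lines (not captured from any real system).
LOG_LINES = [
    "2024-05-01T10:00:01Z sshd[101]: Failed password for root from 10.0.0.5",
    "2024-05-01T10:00:02Z sshd[101]: Failed password for root from 10.0.0.5",
    "2024-05-01T10:00:03Z sshd[101]: Failed password for root from 10.0.0.5",
    "2024-05-01T10:00:04Z sshd[101]: Failed password for svc from 10.0.0.9",
    "2024-05-01T10:00:05Z sshd[101]: Failed password for svc from 10.0.0.9",
    "2024-05-01T10:00:06Z sshd[101]: Failed password for svc from 10.0.0.9",
    "2024-05-01T10:00:07Z sshd[101]: Accepted password for alice from 10.0.0.7",
]
FAILED = re.compile(r"Failed password for (\S+) from (\S+)")


def offenses(lines, threshold=3, tuned_sources=frozenset()):
    """Return {(user, source): count} for pairs at or above the threshold.
    tuned_sources models rule tuning agreed with the asset owner (e.g. an
    assumed authorized scanner at 10.0.0.9) so it no longer raises offenses."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED.search(line)
        if m and m.group(2) not in tuned_sources:
            counts[(m.group(1), m.group(2))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def archive_chain(lines):
    """Hash-chain the lines: each digest covers the previous digest plus the
    line, so altering, removing or inserting any line breaks every later link."""
    digest = b""
    chain = []
    for line in lines:
        digest = hashlib.sha256(digest + line.encode()).digest()
        chain.append(digest.hex())
    return chain


def verify_chain(lines, chain):
    """True only if the archived lines still match the stored chain."""
    return archive_chain(lines) == chain


if __name__ == "__main__":
    print("untuned:", offenses(LOG_LINES))
    print("tuned:  ", offenses(LOG_LINES, tuned_sources={"10.0.0.9"}))
    print("archive intact:", verify_chain(LOG_LINES, archive_chain(LOG_LINES)))
```

Before tuning the rule raises two offenses; after the owner-approved allowlist it raises one, which is the workload reduction the text describes.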