Now that the dust has settled on this news story and the facts are a bit clearer, it is worthwhile to take a look at what happened and what lessons we can learn. Clearly, a lot of facts were collected and known about the perpetrator: his father talked to the US Embassy in Nigeria, his visa to the UK was revoked, and he booked a one-way ticket with cash. All these indicators were available before the terror suspect boarded the airplane. While these facts were processed by different security analysts, nobody connected them in time before the plane took off.
Similarly, IT security posture is made out of many separate controls and corresponding data clusters such as firewall configurations, host vulnerability scan reports, compliance reports generated by IT-GRC systems, CMDB reports and more. Just like in the terror attack:
(1) All these data clusters are available before any cyber attack occurs.
(2) The challenge is not to collect the data – most organizations already collect more data than humans can ever process. The challenge is how to summarize it and share it among multiple IT organizations such as Network Operations, IT Administration, Security Operations, Compliance, and more.
These organizations often have separate objectives. Network Operations is mostly concerned with the availability of business-critical services, IT Administration is focused on server provisioning, Security Operations is often running a SOC that focuses on reacting to attacks already under way, and Security Oversight has to engage with all of these organizations.
For example, a new server might be provisioned by the IT Admin team. If that server sits in the same subnet as other Internet-facing servers, it may be reachable from the outside immediately, even before it is fully configured. This only becomes apparent once the server change is made known to the firewall administrators. Until then, new risk has been created even though nothing changed in the network itself: the existing firewall rules for that subnet already let the traffic through.
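The gap described above is exactly the kind of thing a cross-silo correlation catches. As an added example (not code from the original post), the script below joins a CMDB export against a first-match firewall rule table and flags hosts that are still being provisioned but already sit behind an Internet-facing allow rule; the host records, rule fields and status values are constructed sample data, not any real product's schema.

```python
import ipaddress

# Constructed sample data (assumed field names, not a real CMDB or firewall export).
CMDB_HOSTS = [
    {"name": "web-07", "ip": "203.0.113.21", "status": "provisioning"},
    {"name": "web-03", "ip": "203.0.113.15", "status": "hardened"},
    {"name": "db-02", "ip": "10.20.0.9", "status": "provisioning"},
]

# Ordered rule table: the first rule whose src/dst match decides the verdict.
FIREWALL_RULES = [
    {"src": "0.0.0.0/0", "dst": "203.0.113.0/24", "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "deny"},
]


def internet_reachable(ip, rules):
    """True if the first rule matching Internet-sourced traffic to ip is an allow.

    A rule is treated as applying to Internet traffic only when its source is
    "any" (prefix length 0); narrower internal sources are skipped.
    """
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if src.prefixlen == 0 and addr in dst:
            return rule["action"] == "allow"
    return False  # no matching rule: assume default deny


def exposed_unhardened_hosts(hosts, rules):
    """Correlate CMDB state with firewall rules.

    Returns the names of hosts that are not yet marked hardened but are
    already reachable from the Internet through an existing allow rule.
    """
    return sorted(
        h["name"]
        for h in hosts
        if h["status"] != "hardened" and internet_reachable(h["ip"], rules)
    )


if __name__ == "__main__":
    for name in exposed_unhardened_hosts(CMDB_HOSTS, FIREWALL_RULES):
        print(f"exposed before hardening: {name}")
```

With the sample data only web-07 is reported: db-02 is caught by the final deny and web-03 is already hardened. A more specific deny rule placed ahead of the subnet allow removes a host from the report, which is the first-match behaviour a real rule base would show.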
To control risk, a CISO and his team have to create a process where new relevant facts (like provisioning a new server) are shared with, analyzed by and acted on by all affected IT organizations. Otherwise, they are relying on the same sort of luck that thankfully prevented a disaster on Christmas day.