I recently wrote about the necessity of getting the right data for security analytics. But I’m continuously reminded how typical organizations lack an even roughly complete understanding of their network, or even a map of it. I can understand why this happens – entropy is just as inevitable for organizations as it is in Physics. Records don’t just keep themselves – networks change, and ideally it’s all planned and well controlled, but in practice, emergencies happen, corners get rounded off, triage goes on, and perfect record keeping is lost. I know organizations who aim to have very strong processes, control, and accountability, and while I commend them for it, I find that if I look at their data, I still find enough gaps and unknowns to be a worry. Sure, the mature organizations do better – they don’t tend to have records in the moral equivalent of a shoe-box under the bed (but I see enough of those). But the records still don’t add up.
I think what worries me more are the organizations who know they have information gaps, but don’t treat them as a priority. I see this as driving a car while blindfolded. How is security possibly going to be effective if you can’t map out the infrastructure – the whole infrastructure, warts, labs, virtualization and all – and just look at it, let alone ask decent, proactive questions about how to defend yourself? Imagine physical security – for example, badge reader installation – without having a map of the building, or even a vague idea of the number of doors that need to be secured.
Of course, I’m preaching to the choir – anyone reading this blog probably already understands that this is important. I sometimes wonder if the real challenges are political, not technical or intellectual. When a security team can’t get the blueprints to the network, what exactly is going on? Is it overload? Is it lack of people to go hunt down what’s missing? Or is it the classic challenge of “nagging for a living”? Many security teams I meet don’t have direct access to the network assets that are critical to defensive posture. This means they have to ask, or beg, or cajole the NetOps team into providing data. The strength of that team-to-team relationship seems to be a really important issue. I’ve seen organizations vary hugely in speed and success with data analytics, depending on whether someone in Team Security has a buddy in Team Networking or not. Perhaps the worst cases I’ve seen involve outsourced IT and networking – then it can get to levels nothing short of passive-aggressive.
Got war stories? Advice? Rotten fruit? Comments welcome …