The Case for Fast and Agile Information Security
I interact with information security managers all the time. I have built a healthy respect for almost all of them in the course of my interactions with them. Information security managers generally have a sound strategy that includes all the “classic” components such as information valuation and labeling, controls evaluation, vulnerability management, and more. At the same time, however, I have developed a deep concern over a too commonly observed weakness in information security practices—a lack of speed and agility. Advanced persistent threats (APTs) are a constant threat to our data and information processing resources. The threat climate is constantly changing, but I fear that many information security practices (including the one I used to manage!) are not quickly and flexibly adapting their security defenses accordingly.
Information security policy is an area in which I am confident that better speed and agility are generally needed. In many information security practices the information security policy becomes a legacy document in a matter of months. In everyone’s defense, the information security manager typically has so many fires to fight that revisiting a question such as whether an information security policy in which so much effort has been invested might need to be updated is the last thing on this person’s mind. But this document needs to be viewed as a living and breathing document that sets the tone for an organization’s security posture and that addresses the organization’s threat profile. If either changes, the policy should change accordingly, and it should change sooner, not later.
Zero-day vulnerabilities have become commonplace. If exploited, many of them result in high levels of risk. Yet vulnerability management programs generally (and for good reasons) tend to be cyclical. There is always a next round of patches that must wait to be installed until the designated date. The problem arises when a critical vulnerability is actively and widely being exploited. In this case out-of-cycle patches are usually the right solution, even though negative effects on operations are likely to occur. Today’s attackers are just too successful to wait patiently until patches for such vulnerabilities are installed. This is the kind of speed and agility that I am advocating.
Another area in which speed and agility are greatly needed is incident response. Something that I have observed in this area is a tendency to react to a reported incident without first carefully looking for signs of the same symptoms of the incident (e.g., exploitation of a particular vulnerability) throughout an organization’s network. There will always be a desire to immediately put out the fire, so to speak, but having the agility to invest the time and effort to determine how widespread an incident might be has become a necessary activity in information security today.
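The scoping step described above (checking the rest of the network for the same symptoms before treating a report as a single-host incident) can be scripted against centralized logs. The following is an added example, not code from the original article: it takes a constructed set of syslog-style lines from several hosts, finds every host that shows the indicator named in the initial report, and then pivots on the source addresses seen on the reported host to list the other hosts those sources touched. The log format, host names, addresses and the `EXAMPLE-IOC` marker are all assumptions for the sake of the example.

```python
import re
from collections import defaultdict

# Constructed sample logs from several hosts. "EXAMPLE-IOC" stands in for whatever
# indicator the initial incident report identified (a request string, a file hash, etc.).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z web01 httpd: 203.0.113.5 "GET /index.html" 200
2024-05-01T10:00:07Z web01 httpd: 203.0.113.5 "GET /cgi-bin/status?x=EXAMPLE-IOC" 500
2024-05-01T10:01:12Z web02 httpd: 198.51.100.9 "GET /about" 200
2024-05-01T10:03:44Z web03 httpd: 203.0.113.5 "GET /cgi-bin/status?x=EXAMPLE-IOC" 500
2024-05-01T10:05:00Z db01 sshd: Accepted publickey for svc from 10.0.0.4
2024-05-01T10:09:19Z web03 httpd: 203.0.113.5 "GET /cgi-bin/status?x=EXAMPLE-IOC" 200
"""

# Assumed line layout: "<timestamp> <host> <program>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+): (?P<msg>.*)$")
SRC_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def scope_incident(log_text, indicator, reported_host):
    """Return which hosts show `indicator`, and which hosts the same sources reached.

    `reported_host` is the host named in the initial report; the result says whether
    the evidence already extends beyond it.
    """
    indicator_re = re.compile(indicator)
    hits = defaultdict(list)
    for ev in parse(log_text):
        if indicator_re.search(ev["msg"]):
            hits[ev["host"]].append(ev)

    # Pivot: collect the source addresses behind the hits on the reported host ...
    pivot_sources = set()
    for ev in hits.get(reported_host, []):
        m = SRC_RE.search(ev["msg"])
        if m:
            pivot_sources.add(m.group(1))

    # ... and count every event, indicator or not, that those sources produced elsewhere.
    related = defaultdict(int)
    for ev in parse(log_text):
        m = SRC_RE.search(ev["msg"])
        if m and m.group(1) in pivot_sources:
            related[ev["host"]] += 1

    affected = {}
    for host, evs in sorted(hits.items()):
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 timestamps sort lexicographically
        affected[host] = {
            "count": len(evs),
            "first_seen": evs[0]["ts"],
            "last_seen": evs[-1]["ts"],
        }
    return {
        "affected_hosts": affected,
        "pivot_sources": sorted(pivot_sources),
        "hosts_contacted_by_pivot_sources": dict(sorted(related.items())),
        "wider_than_reported": bool(set(hits) - {reported_host}),
    }


if __name__ == "__main__":
    # The report said web01; the scoping pass shows web03 is involved as well.
    result = scope_incident(SAMPLE_LOGS, r"EXAMPLE-IOC", "web01")
    for host, info in result["affected_hosts"].items():
        print(f"{host}: {info['count']} hit(s), {info['first_seen']} .. {info['last_seen']}")
    print("wider than reported:", result["wider_than_reported"])
```

The indicator search answers "where else does the symptom appear"; the source pivot answers "what else did the same actor touch", which often surfaces hosts where the exploitation attempt did not leave the obvious marker. Both are cheap to run before containment and decide whether the response is a one-host cleanup or a network-wide effort.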
Our opponents, the computer criminal community and international espionage agents in particular, are fast and agile. Their speed and agility are two of the chief reasons that they are so successful. Those of us who are information security managers must thus match their speed and agility if we are going to be successful in defending our information and computing resources against their attacks. We are taught that information security involves a cycle of activities, and I believe that we are being taught correctly. At the same time, however, we need to be flexible enough to be able to do whatever is needed whenever it is needed. The day of the “Maginot Line” is far behind us. Let’s move forward with speed and agility, and this also means that we need to develop, measure, and use metrics related to speed and agility as part of our set of key goal indicators.
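The article closes by asking for metrics that measure speed and agility, and the earlier sections name the two places they matter most: out-of-cycle patching of actively exploited vulnerabilities and the time it takes to detect and contain an incident. The following is an added example, not code from the article, that computes such metrics over constructed records. The 72-hour out-of-cycle and 30-day regular-cycle deadlines are assumed values chosen for the example, not figures from the article; the record layout, identifiers and timestamps are constructed as well.

```python
from datetime import datetime
from statistics import mean, median

# Constructed vulnerability records: when a fix became available, whether active
# exploitation was known, and when the organization finished deploying the patch.
VULNS = [
    {"id": "VULN-A", "fix_available": "2024-03-01T00:00:00", "exploited_in_wild": True,  "patched": "2024-03-02T18:00:00"},
    {"id": "VULN-B", "fix_available": "2024-03-01T00:00:00", "exploited_in_wild": False, "patched": "2024-03-20T00:00:00"},
    {"id": "VULN-C", "fix_available": "2024-03-05T00:00:00", "exploited_in_wild": True,  "patched": "2024-03-12T00:00:00"},
    {"id": "VULN-D", "fix_available": "2024-03-10T00:00:00", "exploited_in_wild": False, "patched": "2024-04-02T00:00:00"},
]

# Constructed incident records: first malicious activity, detection, and containment.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-03-01T08:00:00", "detected": "2024-03-01T20:00:00", "contained": "2024-03-02T02:00:00"},
    {"id": "INC-2", "first_activity": "2024-03-10T00:00:00", "detected": "2024-03-13T00:00:00", "contained": "2024-03-13T12:00:00"},
]

# Assumed deadlines in hours: actively exploited vulnerabilities leave the regular cycle.
SLA_HOURS = {"exploited": 72, "cycle": 30 * 24}


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def patch_metrics(vulns, sla=SLA_HOURS):
    """Time-to-patch and deadline compliance, split into exploited vs regular-cycle work."""
    out = {}
    for label, flag in (("exploited", True), ("cycle", False)):
        group = [v for v in vulns if v["exploited_in_wild"] == flag]
        ttp = {v["id"]: _hours(v["fix_available"], v["patched"]) for v in group}
        out[label] = {
            "count": len(group),
            "median_time_to_patch_h": median(ttp.values()) if ttp else None,
            "within_sla": sum(1 for t in ttp.values() if t <= sla[label]),
            "breaches": sorted(vid for vid, t in ttp.items() if t > sla[label]),
        }
    return out


def incident_metrics(incidents):
    """Mean time to detect, mean time to contain after detection, and worst-case dwell."""
    ttd = [_hours(i["first_activity"], i["detected"]) for i in incidents]
    ttc = [_hours(i["detected"], i["contained"]) for i in incidents]
    dwell = [_hours(i["first_activity"], i["contained"]) for i in incidents]
    return {
        "mean_time_to_detect_h": mean(ttd),
        "mean_time_to_contain_h": mean(ttc),
        "max_dwell_h": max(dwell),
    }


if __name__ == "__main__":
    for label, stats in patch_metrics(VULNS).items():
        print(f"{label}: median {stats['median_time_to_patch_h']:.0f}h, "
              f"{stats['within_sla']}/{stats['count']} within SLA, breaches={stats['breaches']}")
    print(incident_metrics(INCIDENTS))
```

The split by exploitation status is the point of the exercise: a single average time-to-patch hides whether the out-of-cycle path is actually faster than the scheduled one, and the breach list names the cases to review. Tracked over successive periods, these numbers are the speed-and-agility key goal indicators the article asks for.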