
Ari Proposes a Solution

We’ve been reading Ari Tamman’s article on endpoint
regulatory compliance. This week Ari wraps it up with some actionable
suggestions.

Ari writes: A practical solution to address this problem needs to provide full visibility to user activity and incorrect configurations that may introduce potential threats into an organization’s network.

The drivers to budget for a solution like this include:

  • Endpoints within the corporate network are not normally monitored for activity beyond their initial access to the network.
  • Users are able to install and use unauthorized applications, more specifically potentially dangerous peer-to-peer applications, devices and services that are forbidden.
  • Increased number of security breaches originating from within the corporate network.
  • Users have more freedom inside their networks with access to business critical systems.

[SH: I think the first two are the really powerful drivers. So far, most security directors have been powerless to control endpoints, resorting to a complex cocktail of Websense, Citrix, BindView and Safend.]

Any one of these issues has the potential to cause a major security breach. Many senior company figures [SH: Does Ari mean “executives?”] minimize the importance of these threats, citing the probability of such a security breach being unlikely. However, the issue today is not just if a security breach will occur (which is certainly more likely to happen than is perceived) but also whether any of these threats will render a company’s information systems non-compliant with regulatory bodies.

[SH: Ari is forgetting the most likely situation. Most executives prefer to remain oblivious to security threats, reminding us of the ancient Zen question, “does a hack cost us money if we don’t know about it?”]

There are many solutions available today that claim to address regulatory compliance in one form or another; however, when it comes to the endpoints within a corporate network, the functionality offered needs to be comprehensive. A solution that controls and prevents memory devices from being used with a PC is only addressing one aspect of endpoint security, that of data leakage. Even in this instance of device control, data can be transmitted in a number of ways other than via portable memory devices; hence the solution provided is limited even in its own category of security. For a solution to be considered comprehensive in the endpoint compliancy space it has to cover all aspects of activity that may run on those endpoints and be able to remediate problems found.

This should include:

  • Attachable memory devices
  • Modems
  • Activated wireless cards or secondary Network Interface Cards (NICs)
  • Applications
  • Processes
  • Start-up commands
  • Services and even browser toolbars that have the ability to install small pieces of code onto an endpoint.

[SH: Sounds like Ari is making a case for collaboration between Promisec and IBM, who just acquired compliance superstar Consul www.consul.com.]

Without addressing all of these categories, holes will still remain in the endpoint security infrastructure, making it easy for an endpoint to fall out of compliance. Further to the type of threats that the solution needs to identify and eliminate, it needs to be easy to use and, by many regulatory standards, completely independent of existing security systems. The reason for independence is to eliminate any influence or reliance on other resources for the product to work, so that even if other security systems go down this product will still provide information and identify the systems that are unavailable. This should include the availability of security agents deployed on the workstations inspected as well. A comprehensive solution means that if an anti-virus client, or any other security agent, is disabled, the problem can be identified and repaired quickly to minimize the non-compliance of a particular endpoint. Being able to address all of the aforementioned issues in a timely manner gives a company a much needed endpoint risk management solution to keep its internal network from falling out of compliance. Readers should bear in mind that this type of solution should complement the existing security infrastructure and not necessarily replace or interfere with the operational status quo.

[SH: is this a dig at Cisco NAC?]
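As an added illustration (not code from Ari’s article or from any vendor product mentioned), here is how an administrator could collect the visibility Ari describes on one Windows endpoint: it inventories each category in the list above and, as the preceding paragraph requires, reports whether the anti-virus agent is still enabled. It assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or later, run with administrator rights, and checks only the built-in Windows Defender agent.

```powershell
# Added example: per-endpoint compliance inventory covering the categories in the list.
# Assumes PowerShell 5.1+ on Windows 10 / Server 2016 or later, run as administrator.
$report = [ordered]@{}

# Attachable memory devices: disks attached over USB
$report.UsbDisks = Get-CimInstance Win32_DiskDrive |
    Where-Object InterfaceType -eq 'USB' | Select-Object Model, Size

# Modems
$report.Modems = Get-CimInstance Win32_POTSModem | Select-Object Name, Status

# Activated wireless cards or secondary NICs: more than one adapter in the Up state
$upAdapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
$report.ActiveAdapters = $upAdapters | Select-Object Name, InterfaceDescription, MediaType
$report.MultipleActiveNics = ($upAdapters.Count -gt 1)

# Installed applications (registry uninstall keys, 64-bit and 32-bit views)
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$report.Applications = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher

# Running processes with their image path
$report.Processes = Get-Process | Select-Object Name, Id, Path

# Start-up commands (Run keys and Startup folders) as enumerated by WMI
$report.Startup = Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location

# Services, and browser toolbars / Browser Helper Objects registered with Internet Explorer
$report.Services = Get-Service | Select-Object Name, Status, StartType
$report.BrowserHelperObjects = Get-ChildItem `
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' `
    -ErrorAction SilentlyContinue | Select-Object PSChildName

# Security agent availability: is the built-in anti-virus still enabled? (Defender-specific)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$report.AntivirusEnabled = [bool]($mp -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)

# Flag the conditions the article treats as taking an endpoint out of compliance
$findings = @()
if ($report.UsbDisks)              { $findings += 'Removable USB storage attached' }
if ($report.Modems)                { $findings += 'Modem present' }
if ($report.MultipleActiveNics)    { $findings += 'More than one active network adapter' }
if ($report.BrowserHelperObjects)  { $findings += 'Browser helper objects registered' }
if (-not $report.AntivirusEnabled) { $findings += 'Anti-virus agent disabled or unreachable' }

$report.Findings = $findings
$report | ConvertTo-Json -Depth 3 | Out-File "$env:COMPUTERNAME-endpoint-compliance.json"
$findings
```

The JSON file is the per-endpoint evidence a compliance reviewer would collect centrally; the printed findings are the items that need remediation on that machine.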

Providing this in-depth visibility of user activity to security administrators dramatically increases the level of protection they can provide to their organizations, maintaining regulatory compliance across the entire company.

[SH: Pretty convincing, Ari. Nicely done.]

Categories: InfoSec