Shifting Gears into Proactive Security

Webster’s dictionary defines being proactive as “acting in anticipation of future problems, needs, or changes”. From a security perspective this means taking the initiative to protect the organization before it’s too late. The future security problems are the loss of information and system outages due to being compromised or negligence.

So the questions to be asked are:

• Why is it important to take a proactive security approach?
• What are the challenges that we face in taking this stance?
• How do we become proactive security professionals?

The Need for Proactive Security

We have firewalls in place, but they alone do not make us secure. Having security and performing proactive security are quite different. Consider the use of an alarm system for your home. An alarm is set off once an intruder breaks into your home.  There’s a feeling of security present with the alarm, but the fact is the intruder is still able to enter your home. Now consider putting rod iron bars over all your windows. Despite being an eye-sore, these bars provide more proactive security that makes it a lot less likely that someone will be able to break into your house and steal your belongings.

Information security can be looked at the same way, but without the ugly rod iron bars. As security professionals we want to (and need to) know when someone’s attacking us, performing recon or if data is at risk of exposure – BEFORE it happens. Otherwise you’re responding to an incident after it has already occurred.

Proactive Security Obstacles

The major reason proactive security is derailed is by making changes too quickly. The corporate culture in a company needs to be understood before Info Sec swoops in and starts making sweeping changes to the way they do business. “What do you mean I can’t upload my business files to a personal Dropbox account?”, or “Why can’t I log into my system with my domain admin account?”, or “Why install an IPS if we already have an IPS?”, etc. The challenge here is not security, but the change in the corporate environment that won’t bend because they’ve always “Done it this way and never had an issue”, which by the way doesn’t mean that you’re doing it right.

Another hurdle in proactive security is getting the proper technologies and procedures in place that aren’t going to slow your production environment, because if that happens you will have a mutiny on your hands.  Putting a firewall or IPS in place that significantly slows down internet traffic to inspect each packet and causes huge amounts of latency isn’t going to work. Putting in a procedure that requires a DNA sample to get approval will also cause your program to fail in a big way.

How to Get Proactive

In order to perform proactive security you need to have visibility into your environment as well as a starting point and a vision. By knowing what you have, where you are, and where you want to be will give you a clear goal to the needs you’ll have to add to your environment. These areas could fall into the following areas:

• Baseline – Using a tool or framework to help guide you into a proactive security model is an exercise that’s greatly encouraged. Frameworks like NIST are a good starting point to help you determine your security posture and help identify the gaps for where you need to go. This phase includes a constant analysis and audit of your network.
• Technology – This is the part of proactive security where you need to start putting in systems to help assist towards your vision. If you’re looking to protect your perimeter while gaining allowing granular rules to allow users to perform their work, you might turn to a next-generation firewall (NGFW), but if you’re just looking to allow/disallow traffic this might be overkill. This doesn’t mean that throwing technology at a problem is going to magically give you security; that’s where process and procedure comes in.
• Process and Procedure – Recent research, The State of Network Security 2012, identified poor internal processes as a top network security challenge. Once you have the vision and have identified the technology you need in order to reach that goal of proactive security, the phase of process and procedure comes along. An example of process and procedure with regards to proactive security would be to have all firewall rules analyzed for a risky change before the change occurs – alleviating the pain of potentially opening up a security gap or causing a system outage.

Making sure your IT operations and security teams are aligned is key to having all three phases implemented properly. Start from the ground up with a steady dose of security awareness and build clout with other departments while you start chipping away at all areas that need assistance. There really is no choice between being reactive or proactive when it comes to a good security posture.