This article is part of a continuing series on the “Jargon Free Security Model.” Part I introduced the model and presented the overview. I developed this model as a Director of Information Security (“DIS”) to communicate with highly intelligent and experienced executives unfamiliar with Security Jargon.
What is Visibility?
The first element of the Jargon Free Security Model is “Visibility.” In the context of the model, Visibility’s critical question is, “How much do you know about the environment?”
Visibility includes the following activities, and this is only a partial list:
Asset Management: What systems/and software are present in your environment? How effectively and accurately do we track these systems?
Vulnerability scanning and tracking: Are our systems up to date with patches and securely configured? Can we continuously and accurately monitor their state?
Network Traffic Analysis: Do we understand the data that flows on our network? Do we have Visibility into our internal network flow control devices, such as switches or firewalls? Can we identify “bad” or “suspicious” traffic?
Entitlement monitoring and tracking: Do we know what access users require? Can we verify that the “least privilege principle” is being followed? Do we know that the administrators grant access privileges for legitimate business reasons and withdraw them when they are no longer required?
Event Monitoring and Reporting: Are we able to view or process events generated by systems or software?
Software and system documentation: Are in-house applications fully documented? Is there a reliable record of how they work, and are potential design vulnerabilities known and recorded?
Visibility is the foundation of all other security capabilities
Visibility is the first, foundational element in the model because it is impossible to manage what cannot be measured. Besides putting out large and urgent fires, improving Visibility into the environment should be the first task of a new CISO or DIS.
The first step in applying the model is to document what capabilities you have and identify gaps. I will discuss the details of the metrics we used in a later article, but you can start with some basic questions.
How are assets tracked today? Are you lucky enough to have some automation in place, or is everything in a spreadsheet, or worse, in the head of a senior engineer. Be creative and pragmatic — you don’t necessarily need to implement a new infrastructure. If you have a virtualized or cloud-hosted assets, the existing operational management tools can provide you with a great deal of this information.
How are vulnerabilities identified and tracked today? Can you match up the asset inventory with the vulnerability list to confirm you’re covering everything?
How effectively can you monitor network protection? When you ask for details, are you handed a 200-page printout of the firewall ruleset? Do you have the tools to watch for suspicious activity on the network?
For entitlement monitoring, start with simple, fundamental questions: “How many people have administrative access in AD or on their local machines, and why was the access granted?” Privileged Access Management is a large and complicated subject, and you’ll never achieve perfection, but you can always benefit from “quick wins”.
Event monitoring and reporting is another area where you can deploy very advanced tools to achieve exceptional results. All companies can benefit significantly from a simple, competent execution of the basics. Where are your essential data resources? Who is attempting to access them, and when? Some simple log filtering will allow you to identify the developer trying to browse the HR share or track down whomever the hell is trying to look at the financial spreadsheets at 2 AM Sunday?
The “Visibility” dimension highlights the benefits of the Jargon-Free Security Model. From the CFO to a VP of business development, every executive stakeholder can understand why it’s crucial to be able to visualize and monitor the health and security of the environment.