It is generally understood that IT departments are expected to do more with less. The benefits of automation that have improved efficiency in other business areas should be applied to IT operations as well—there is a "physician, heal thyself"‐type of expectation. An underlying assumption here is that one does not necessarily need to purchase new technology to improve operational efficiency – changes in operations and business practices can help as well. One place you can start to find operational efficiencies is with security operations. There are two broad areas in which security operations can be made more cost effective—proper allocation of staff and by automating key security management tasks.
Experienced IT staff are hard to find, difficult to retain, and easy to overwhelm with rudimentary tasks. Take for example, the following hypothetical scenario. Suppose a senior sales executive returns from a business trip with a malware‐infected laptop. The laptop is connected to the corporate network infrequently and so has not received recent patches and antivirus updates. He connects his laptop to the corporate network and checks his email. Within minutes, the malware detects the network connection and spreads to other devices, including devices recently reimaged using a 3‐month‐old operating system (OS) image. The updated antivirus software on several workstations detects the malware, quarantines it, and notifies users, who call the service desk to report a problem. At that point, the service desk manager decides to escalate the issue and requests assistance from a senior security professional to isolate and eliminate the root cause of the problem.
In some ways, this problem is rather mundane—viruses are commonplace and remediating a minor infection should not require the attention of more senior personnel. The most sophisticated and virulent forms of malware can be difficult to detect and remove, but lesser forms such as the one described here could have been handled more effectively if
The problem in this scenario is multifaceted. Yes, the laptop that infected the network should have been better protected, but the bigger issue is that the security management strategy of the organization should have been better focused on preventive measures. Top security talent in an organization is needed to formulate strategies, address critical security issues, and collaborate with other IT staff to maintain the security of systems and data. To allow them to function in these capacities, you need to reduce the burden of rudimentary tasks through more effective automation.
Figure 1: A number of potential threats can be addressed by improving operations management and implementing policybased controls.
Proper security management can reduce the burden of performing basic but essential tasks. Several areas in particular can help IT and security staff avoid timeconsuming tasks:
Consolidating these tasks, for example, within a single network appliance, can further enhance efficiencies.
One of the challenges with multiple applications distributed over many servers running a number of different OSs is ensuring proper enforcement of user and application authorizations. Organizations may have a range in the number of users at any point in time, starting with tens of users that grow into hundreds of users and possibly into the thousands. Fortunately, these users can often be clustered into groups with common functional requirements and similar access control rules. This combination of growing numbers of users forcing more efficient access control management and the ability to formulate a smaller number of distinct sets of rules governing their access combine to promote centralized policy administration.
Centralized policy administration uses group‐based policies to adapt to the needs of specific types of users while maintaining consistent policies within those groups.
This is done with a combination of policy management building blocks:
Policies, events, and tasks are relatively high‐level generic constructs but are sufficiently broad to allow network and systems managers to control processes and respond to changes in dynamic environments.
Let's face it, network security is installed at mission critical points within the network. However, we make security decisions independent of what is really going on in the network. Fore warned is fore armed. This adage holds for network and security management. With sufficient network monitoring, administrators can collect baseline data on their network operations that helps to understand typical behavior on the network. Detailed information about network performance and load can help with several management tasks:
Collecting data on network events and traffic must be coupled with effective reporting mechanisms to realize the full potential of this data. Security must be scoped in light of the realities of the network. Not just on what the administrators think is going on. For example, are rogue wireless access points connected to the network? Are unwanted network services running on application servers? Data collection should be generalized enough that data about unanticipated services and network traffic are captured along with expected data. Understanding the different protocols and how the firewall is handling them is also important to ensure proper capacity planning.
Reporting on network performance serves at least three distinct purposes:
Asset and configuration management practices can improve security and reduce operation overhead at the same time. The basic principle is that to effectively manage a network, you must understand what devices and applications are on it and keep those devices up to date. Improving security depends on having constant monitoring that will help you identify vulnerable devices.
Operations on devices, such as backups, should be applied consistently across groups of devices as well. This reduces ad hoc management and improves conformance with operations policies. Of course, these principles apply to security devices as well.
Operations management and security management are closely inter‐twined. The better the operational management, the more IT resources can be dedicated for challenging security problems. Several areas of operation management are especially important to improving security, including policy administration support, granular network monitoring and statistics gathering, reporting and support for asset and configuration management. By implementing sound and effective operations management, you can reduce demands on security professionals to assist with mundane tasks and instead leverage their expertise for more challenging demands.