Operational IT and Security – Breaking the Siloed Approach
Due to the ever-increasing cyber security risk, many organizations are employing security teams, with the goal of defining security policies and detecting and remediating security risks. In addition, most organizations also employ IT operations teams, with the objective of making the business productive, and yes, applying the security policies as dictated by the security teams.
It’s common for security teams to choose their own security tools, independent of the tools used by IT operations. However, in my opinion, the security teams in too many organizations aren’t aware of how the tools used by IT can help them do their job more efficiently. Employing IT tools for security tasks helps organizations improve their security posture and remediate security risks more efficiently and with less interruption to the end-user workflow—helping keep our users happy.
Three Use-Case Scenarios
Let me share a few scenarios where working together, leveraging common IT tools, may help the security team be more efficient.
Scenario #1: Discovery
Let’s start with the basics: discovery, or in other words, determining what you have in your network.
Without question, discovery is the most important security requirement. CIS ranks hardware discovery and software discovery as the No. 1 and No. 2 things any organization must do in order to establish an efficient security posture. The logic is very simple: You can’t protect (or defend against) what you don’t know you have in your environment. However, from a pure IT operations perspective, discovery is also crucial because you can’t manage what you don’t know you have.
The discovery component—a core part of a mature endpoint management solution—offers a highly efficient discovery method that works great both for IT and security needs. Furthermore, since discovery is the core component of an advanced endpoint management solution that is currently used by IT, there’s a good chance that the IT team already has a good understanding of all managed and unmanaged devices.
Most IT discovery components use standard active scanning (Nmap or similar) to scan the network for assets, but the advanced ones add a “passive” layer that allows near real-time detection of new hardware connecting to the network, using passive technologies like ARP sniffing. Those advanced discovery methods map the network for managed and unmanaged devices. The IT team can use the network map to push management agents to unmanaged devices, and the security team can use it to get an up-to-date map of all devices in the network, whether they are managed or not.
Scenario #2: Advanced Discovery
Not only do advanced discovery solutions used by IT discover hardware, they can also provide a detailed software inventory. This is important for IT management, but security teams can also leverage this data—for example, to query for machines that don’t comply with security policies based on their configuration, don’t have their antivirus running, don’t have an up-to-date antivirus solution, or aren’t fully patched.
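As an added example (not code from the article or from any vendor’s product) covering both discovery scenarios above: it reconciles constructed passive ARP observations with a constructed agent inventory, reporting devices with no agent (unmanaged) and managed devices that fail the antivirus and patch checks the text lists. The MAC formats, hostnames, thresholds and field names are assumptions.

```python
from dataclasses import dataclass

def norm_mac(mac: str) -> str:
    """Normalize MAC spellings ('AA:BB..', 'aa-bb..', 'aabb.cc..') to lowercase colon form.
    Passive sniffers and agent inventories rarely agree on the format, so keys must match."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class ManagedHost:
    hostname: str
    av_running: bool
    av_signature_age_days: int
    missing_critical_patches: int

# Constructed sample: (ip, mac) pairs a passive ARP listener reported on one segment.
PASSIVE_ARP = [
    ("10.0.5.11", "00:1A:2B:3C:4D:01"),
    ("10.0.5.12", "00:1A:2B:3C:4D:02"),
    ("10.0.5.13", "00-1a-2b-3c-4d-03"),
    ("10.0.5.90", "F0:9F:C2:AA:BB:CC"),   # never reported by an agent: unmanaged
]

# Constructed sample: software inventory from the endpoint-management agent, keyed by MAC.
MANAGED = {
    "00:1a:2b:3c:4d:01": ManagedHost("ws-fin-01", True, 1, 0),
    "00:1a:2b:3c:4d:02": ManagedHost("ws-fin-02", False, 1, 0),
    "00:1a:2b:3c:4d:03": ManagedHost("ws-hr-03", True, 9, 2),
}

def reconcile(observed, managed, max_sig_age_days=3):
    """Split live devices into unmanaged (no agent) and managed-but-non-compliant."""
    unmanaged, noncompliant = [], {}
    for ip, raw_mac in observed:
        mac = norm_mac(raw_mac)
        host = managed.get(mac)
        if host is None:
            unmanaged.append((ip, mac))        # IT: push an agent; security: unknown asset
            continue
        reasons = []
        if not host.av_running:
            reasons.append("antivirus not running")
        if host.av_signature_age_days > max_sig_age_days:
            reasons.append(f"antivirus signatures {host.av_signature_age_days}d old")
        if host.missing_critical_patches:
            reasons.append(f"{host.missing_critical_patches} critical patches missing")
        if reasons:
            noncompliant[host.hostname] = reasons
    return {"unmanaged": unmanaged, "noncompliant": noncompliant}
```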
Scenario #3: Remediation
Most customers I speak with tell me that in most cases, when they detect suspicious behavior on one of their endpoints, they will remove the endpoint from the network by disconnecting the internet cable or blocking it on the router. The logic is very simple. Once the machine is removed from the network it can’t infect other machines on the network.
However, this approach creates another challenge: the customer must then physically find the user of the machine (who may be in another office) and take the machine to the lab to run forensics. In most cases the machine is then simply reimaged and returned to the user.
This strikes me as a cumbersome and ineffective process that could be handled much more quickly and productively with the help of modern IT tools. They provide the option to isolate a machine from the network remotely, allowing only IT to connect to it. IT can remove the machine from the network without the need to physically disconnect cables or mess with routing tables.
The greatest remediation advantage, however, is this: While the machine is isolated from the network, security personnel can run any software or script on it, IT can reimage it remotely, and software can be reinstalled automatically after the machine is reimaged. These actions can also be automated. When the antivirus software detects malware on a machine, the IT tools can isolate the machine from the network automatically and run software or a script to further analyze the risk. Then, IT can remotely control the machine to further diagnose or reimage it.
There are a few security products that can isolate a machine from the network remotely. Most remediation actions, however, are done using IT tools—remote control, file management, reimaging, etc. Using IT tools to achieve the goal allows a faster, more efficient, and more effective way of remediating the security risk from both an IT operations perspective (reimaging, backup, etc.) and a security perspective (forensics, cleaning, etc.).
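As an added illustration (not the article’s or any product’s code) of what “isolate a machine remotely, allowing only IT to connect to it” means as a policy: an allow-list that keeps only the management path open, evaluated against constructed flows from a quarantined host, plus the check a team should run before wiring such a policy into an automated antivirus-triggered response. The management server address, ports and host addresses are assumptions.

```python
from ipaddress import ip_address

# Constructed values: the endpoint-management server that must keep reaching the
# quarantined host, and the ports its console and remote-control channel use.
MGMT_SERVER = ip_address("10.0.1.5")
MGMT_PORTS = {443, 5985}

def isolation_policy(mgmt_server, mgmt_ports):
    """Return an allow/deny function: only host<->management-server flows survive."""
    def allowed(flow):
        src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
        if src == mgmt_server:                                  # inbound remote control / push
            return True
        if dst == mgmt_server and flow["dport"] in mgmt_ports:  # outbound agent check-in
            return True
        return False                                            # LAN peers, internet, DNS
    return allowed

# Constructed flows observed from the quarantined workstation 10.0.5.12.
SAMPLE_FLOWS = [
    {"name": "agent check-in",     "src": "10.0.5.12", "dst": "10.0.1.5",    "dport": 443},
    {"name": "remote control in",  "src": "10.0.1.5",  "dst": "10.0.5.12",   "dport": 5985},
    {"name": "SMB to peer",        "src": "10.0.5.12", "dst": "10.0.5.13",   "dport": 445},
    {"name": "HTTPS egress",       "src": "10.0.5.12", "dst": "203.0.113.7", "dport": 443},
    {"name": "DNS",                "src": "10.0.5.12", "dst": "10.0.1.53",   "dport": 53},
]

def evaluate(policy, flows):
    """Map each flow name to the policy decision ('allow' or 'drop')."""
    return {f["name"]: ("allow" if policy(f) else "drop") for f in flows}

def verify_isolation(policy, host_ip, mgmt_server):
    """Pre-deployment check: the management path must stay open while lateral
    movement, internet egress and inbound connections from peers must be dropped."""
    keep = [{"src": host_ip, "dst": str(mgmt_server), "dport": 443}]
    must_drop = [
        {"src": host_ip, "dst": "10.0.5.13", "dport": 445},     # lateral SMB
        {"src": host_ip, "dst": "203.0.113.7", "dport": 443},   # external egress
        {"src": "10.0.5.13", "dst": host_ip, "dport": 3389},    # inbound from a peer
    ]
    return all(policy(f) for f in keep) and not any(policy(f) for f in must_drop)
```

Note that DNS is dropped too: if the triage script needs name resolution, the resolver must be added to the allow-list deliberately rather than discovered missing after the first automated isolation.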
Eran Livne is a product manager at Ivanti, helping to bring IT security solutions to market. He was a co-founder and vice president of LetMobile, where he invented, designed, and nurtured the mobile security solution from an idea to production supporting thousands of users. Eran graduated in Computer Science from Tel Aviv University and earned an MBA from Technion – Israel Institute of Technology.