SecureOps™ combines established best practices for security and IT service management to deliver a holistic and comprehensive solution that identifies and highlights unknown, unwanted and potentially malicious events in real time, without all the NOISE and headaches of endless alerts.
This strategy is underpinned by NNT’s knowledge of the essential common controls that overlap to support and achieve business objectives from two different vantage points. This approach creates the security foundation and a solution to eliminate security breaches and incidents as we know them today.
Video Transcript
LD – NNT talk about SecureOps as being a revolutionary approach to solving the problem of Cyber Security but can you summarize what the term means?
MK – SecureOps™ combines the essential, foundational security controls and best practices with the operational discipline of change management, powered by the innovation of change control, pioneered by NNT. By ensuring that the essential security controls are in place, combined with the ability to validate all changes, organizations can prevent and protect against cyber-attack while improving IT Service Delivery quality.
MPK – Put another way, SecureOps allows you to Control change, and by doing so, you are always maintaining a minimized attack surface which is the best way to prevent attacks and to expose breach activity if and when it does happen.
LD – So the key differentiator of SecureOps is that it links security best practice to IT Service Management processes. Why is that important?
MK – Traditional change management takes the position that there shouldn’t be any change to an IT system without a proper business justification. If it ain’t broke, don’t fix it – and if there isn’t a tangible benefit to outweigh the natural risk of any IT system change then the change shouldn’t be progressed. Security requires even more stringent checks and balances on changes being made for two key reasons. One is that changes to configuration settings – be it installation of software, new ports being opened and any change to system and configuration files – may adversely affect the attack surface of a system. The more functionality a system has enabled, the more opportunity there is for misuse or abuse, and it’s the root of all exploitable vulnerabilities. The second reason is simple in that, if you don’t know when safe, legitimate changes are being made, how would you ever know that a system had been breached?
MPK – And one obvious way to distinguish between good changes and bad changes is to correlate observed changes with the Planned Change schedule – if there are changes planned and approved in the ITSM system then we can leverage this as a factor in determining that changes are expected. NNT have taken this way further in that we will also conduct automatic analysis of the changes to verify that changes have been implemented accurately and as intended. We also have an integrated threat intelligence feed to verify that file changes are whitelisted – our FAST Cloud service utilizes scan data and crowd-sourced file reputation scores to confirm new files are known safe or otherwise.
LD – OK so I can see that SecureOps is all about bringing integration and automation to link ITSM and Security processes, and I can see the value in this for maintaining a minimized attack surface and for breach detection, but are there other dimensions to SecureOps?
MK – Absolutely! Preventative security is clearly a key objective and SecureOps delivers huge value in this area too. It’s worth pointing out that everything we do is squarely in-line with the CIS Controls which are the acknowledged ‘go to’ paint-by-numbers guide for security best practice. So SecureOps incorporates asset discovery and a vulnerability management program, as well as system hardening in line with the CIS Benchmarks for a vast range of platforms, devices and applications. We mix network-based active scanning for vulnerabilities as well as real-time monitoring for system and configuration file changes.
MPK – One of the key failings in traditional security programs is that they lack Change Control. The standard approach for most organizations is that they run a monthly or quarterly vulnerability scan, then they patch to remediate vulnerabilities. But then a whole month or longer elapses before the next scan is run, which means in between times, configurations can drift and the attack surface expands. And of course, a vulnerability scanner is completely blind to breach activity, which is why the mean time to discover a breach is still up around 190 days according to the Verizon Data Breach Investigation report. Change control addresses these failings directly by tracking all change, including breach activity. Operated properly, SecureOps means that the attack surface can be maintained at a consistently secure level, with any indicators of compromise exposed immediately. It works!
LD – So SecureOps is as much about preventing a cyber-attack as making sure that a breach can be isolated? What about scale? This sounds great if you have a small and well-managed IT estate, but what about a globally sprawling IT Enterprise with hundreds of thousands of systems?
MK – NNT have worked really hard to ensure that SecureOps scales and it’s one of our key strengths; in fact, we always invite any prospective client to work through their potential scale-up scenarios so that they can be comfortable with how our architecture will grow with them. We also know that many other alternative security products won’t scale as easily or cost-effectively as us.
MPK – One of the traditional issues with any security monitoring technology is the false positive, aka alert fatigue or change noise. SecureOps is fully armed to handle change noise and it does it super-effectively, which is critical if you have a large estate with lots of change but you are trying to detect tiny levels of stealthy breach activity that is trying to remain hidden. There are three main elements to it, one is FAST Cloud and one is the ITSM integration that we covered earlier. The final element is the concept of Intelligent Change Control. All changes are automatically analyzed as they are reported and compared to previously observed ‘normal’ patterns of behavior to determine if they are pre-approved. For example, when patches are rolled out, you see repeated common patterns of changes as patches are installed. With Intelligent Change Control we only need to review and approve the activity as safe once, on one device only. Thereafter any further occurrences of the same activity can be automatically recognized as the approved patch, and this can even be done retrospectively to re-examine historical activity, so you don’t even need to be that organized! This is designed to help isolate breach activity and unapproved change, not layer up even more bureaucracy!
LD – That all makes a lot of sense, thanks for taking the time to talk about Cyber Security, change control and SecureOps.