One of Tenable's advisors, Gene Kim, CTO of Tripwire and lead researcher of the IT Process Institute's "IT Controls Benchmark Survey", was recently interviewed by Richard Stiennon about how IT Controls not only help run networks more efficiently, but how they can make a network more secure.
The survey lasted several years and included input from 98 organizations. A focus of the survey was measuring metrics such as "change success rates", "percent of unplanned work", "projects completed", "managed applications", "server to admin ratios" and so on. Each organization was also interviewed to see which IT controls it had implemented. Based on the results of the metrics, each organization was assigned to a "high performer", "medium performer" or "low performer" group. For example, a "high performer" on average had a "server to system admin" ratio which was 2.5 times greater than a "medium performer" and 5.4 times greater than a "low performer".
In other words, they were far more efficient. The study successfully tested the premise that an organization that implemented IT controls was better off than one which didn't. The report focuses on which controls are the most effective at maintaining an efficient network. However, the report also found some very significant differences in the security posture of a "high performer" as compared to a "low performer". These included:
- only 1/5th of intrusions turned into a loss event such as bad publicity or financial loss
- intrusions were detected by automated controls, as opposed to something like a customer calling in with a complaint
- mean time to detect an intrusion was measured in minutes, whereas for low performers the detection time was measured in days and weeks
Another finding of the research was that all "high performers" had two controls implemented that none of the "low performers" had. These were:
- a process to monitor for unauthorized change
- defined consequences for intentional unauthorized change
Both of these deter system administrators, developers and end users from making unauthorized changes to their systems, applications and networks.
If you are a Tenable customer, our products can help look for many types of changes which occur on your network.
- The Security Center can automatically generate an email listing any new vulnerabilities which have appeared between two successive active Nessus scans.
- The Passive Vulnerability Scanner can monitor network traffic for evidence of new systems and applications 24x7 with no impact.
- The Log Correlation Engine can look for evidence of changes to users, systems and network devices, and can also parse logs from change detection software such as the PVS and Tripwire.
- The Log Correlation Engine can also alert if there is unauthorized activity outside of an official change management window.
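An added illustration, not Tenable code, of two of the checks listed above on constructed data: diffing two successive scan results for new findings, and flagging logged changes that fall outside an approved change-management window. The log line format, host names, plugin IDs and window times are all assumptions made for the example.

```python
from datetime import datetime

# Constructed scan snapshots: each finding is (host, plugin_id) as a scanner
# might report it. An entry present only in the current scan is a new finding.
SCAN_PREVIOUS = {("10.0.0.5", 10001), ("10.0.0.5", 10002), ("10.0.0.9", 20001)}
SCAN_CURRENT = {("10.0.0.5", 10001), ("10.0.0.9", 20001),
                ("10.0.0.9", 20002), ("10.0.0.12", 30001)}

# Constructed change log lines: "<ISO timestamp> <host> <description>".
CHANGE_LOG = """\
2024-03-02T22:40:11 web01 package openssl upgraded
2024-03-02T23:15:01 db01 user 'svc_report' added to group sudo
2024-03-04T10:05:37 web01 firewall rule added: allow tcp/8080 from any
2024-03-04T14:22:09 fw01 config saved by admin
"""

# Approved change window (constructed): the Saturday night maintenance slot.
CHANGE_WINDOWS = [(datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 2, 0))]


def new_findings(previous, current):
    """Findings in the newer scan that were absent from the older one."""
    return sorted(current - previous)


def parse_change_log(text):
    """Turn the constructed log lines into (timestamp, host, description)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, description = line.split(" ", 2)
        events.append((datetime.fromisoformat(stamp), host, description))
    return events


def in_window(stamp, windows):
    return any(start <= stamp < end for start, end in windows)


def unauthorized_changes(events, windows):
    """Changes logged outside every approved window; each one is an alert."""
    return [e for e in events if not in_window(e[0], windows)]


if __name__ == "__main__":
    for host, plugin in new_findings(SCAN_PREVIOUS, SCAN_CURRENT):
        print(f"NEW FINDING  {host} plugin {plugin}")
    for stamp, host, desc in unauthorized_changes(parse_change_log(CHANGE_LOG), CHANGE_WINDOWS):
        print(f"UNAUTHORIZED {stamp:%Y-%m-%d %H:%M} {host}: {desc}")
```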
There are many forms of IT controls. One of them is ITIL, which stands for the IT Infrastructure Library. This library is very comprehensive. A very popular "best practices" guide named the "Visible Ops Handbook" has helped many organizations understand how ITIL can be implemented. Tenable has written a white paper named the "Network Security Implications of Visible Ops". This paper examines how active network scanning, passive network monitoring and log analysis can all be used to look for unauthorized change.
Tenable has also written an extensive paper which covers COBIT and ISO 17799 IT controls monitoring. This paper is named "Real Time Compliance Monitoring" and is available to existing Tenable customers and qualified potential customers. Please email [email protected] if you are interested in this paper.