Information Security Policy: You Can Write It, But Can You Afford to Enforce It?
An information security policy is a foundation of any security program. According to Gartner’s Rob McMillan, “if you can’t translate your requirements into an effective policy, you have little hope of your requirements being met.”1 Information security policies include a broad range of directives, from email and personal computer access and acceptable use of the Internet and social media to password protection and use of mobile phones, as well as “clean desk” policies that ensure no one leaves sensitive materials on their physical desk, and the list goes on (for examples of security policies, see the dozens of policy templates offered by the SANS Institute). Let us take it one step forward—say you have finished writing your policy and it is approved. How are you going to enforce it? Today’s corporate attitude and information technology (IT) environment normally allows Bring Your Own Device (BYOD). When tech-savvy employees use many devices and applications to access corporate and non-corporate data on the Internet, it is impossible to “lock down” an employee’s environment. Employees will do what they do, and security teams need a way to catch offenders and prevent noncompliant behavior.
It is somewhat similar to traffic laws—there is a strict speed limit on the roads, but the police cannot physically “lock down” the speed on people’s cars. It is understood that people will drive as fast as they want. But they must be aware of the speed limit and know that, if they exceed that limit, the police can catch them.
What is Needed to Enforce a Security Policy?
The absolute minimum required to enforce a security policy is to know that a violation is taking place. Assume that users can, and in many cases will, violate the policy, often out of ignorance or carelessness rather than malicious intent; your security team needs to be alerted when that happens. Users, in turn, need to know that noncompliant behavior is monitored.
For example, if your policy states that employees cannot visit certain types of websites or cannot use certain types of applications at work, you need a way to monitor employee behavior online and receive alerts when they visit a disallowed site. Users need to know that their browsing is monitored, and that will make them more careful online, just as speed cameras along the highway make drivers slow down.
For that to happen, you need to utilize:
- Technology (software and/or hardware) able to monitor, alert, and report on the security issue you have stated in your policy.
- Personnel who can effectively use that technology and respond to violations of the policy to prevent damage to the company.
Security Tools and the Flood of Alerts
Most companies today deploy numerous security tools—anti-virus software, firewalls, intrusion prevention systems, distributed denial-of-service (DDoS) mitigation systems, network and server monitoring tools, log aggregation tools, and more. These tools are instrumental in enforcing security policies, because they can help monitor and prevent policy violations. Indeed, most security tools generate a lot of data and send out alerts about what they deem anomalous conditions.
As a result, security teams are inundated by information. They receive hundreds, if not thousands, of alerts every day. To pinpoint the real violations of security policies that might cause damage, it is necessary to “sort the wheat from the chaff.” Only one of hundreds of alerts will be truly significant, and the process of sifting through the alerts to discover real issues is expensive.
In fact, a recent Ponemon Institute study found that, on average, only 29% of security alerts are actually handled by security staff, and the rest cannot be reviewed due to lack of time and resources.2 This leads to a vicious cycle: more tools generate more alerts, and the staff has even less time to review each one.
Total Cost of Security Policy Enforcement
For every item you add to a security policy, the organization will incur the following costs:
- Purchasing tools to monitor, alert, and prevent violations
- Time spent managing the tools
- Time spent reviewing alerts generated by the tools
Over time, the last two items will be much more expensive than the first, because they are an ongoing operating expense.
Why is this important? Because if you create a security policy but the organization cannot afford to enforce it over time, the policy will not prove meaningful.
Investment in Tools vs. Investment in Efficiency
As we saw above, investing money in additional security tools can actually have the opposite effect of what we intend—reducing an organization’s ability to enforce security policies. How can we support security staff and improve their ability to enforce a security policy?
The answer is a technology or process that can reduce the number of alerts or help security staff process them in a more efficient way. If you are involved in drafting and enforcing a security policy, you should know if your organization has such a technology or process in place, because it will greatly impact the enforceability of the policy.
According to Gartner, Security Information and Event Management (SIEM) technology “supports threat detection and security incident response through the real-time collection and historical analysis of security events…The core capabilities of SIEM technology are a broad scope of event collection and the ability to correlate and analyze events across disparate sources.”
SIEMs aggregate data from many different sources into one place and correlate it into meaningful security events that need investigation by security staff. SIEMs can notify security teams by sending alerts of their own (a much lower quantity of highly meaningful alerts, compared to the tools the SIEM aggregates) and present data on shared dashboards. SIEMs can also retain historic data to enable investigation of security events and provide readily available data for forensic analysis. All these capabilities help security teams deal with alerts more easily and, thus, increase the enforceability of security policies.
Ixia ThreatARMOR™: Blocking Irrelevant or Dangerous Communications
At Ixia, we have developed an innovative security tool, ThreatARMOR, which can help alleviate this burden. ThreatARMOR is complementary to SIEM, and they are often used together. It takes a different approach to the same problem: reducing the number of security alerts before they ever reach an aggregation or threat intelligence tool.
ThreatARMOR can automatically block a large portion of network communication demonstrated to be unwanted or dangerous to your organization. ThreatARMOR is equipped with a constantly updated database of 100% verified bad Internet Protocol (IP) addresses, for example the IP address of a server that hosts malware, performs drive-by downloads of malicious software, or is part of a botnet’s command and control. Using this database of millions of known bad IP addresses, ThreatARMOR stops unwanted traffic from ever entering the network. Removing this obviously problematic traffic causes a dramatic reduction in the number of security alerts triggered by the same security tools.
In a similar fashion, ThreatARMOR can also block categories of undesired traffic, such as traffic from countries in which you do not do business, dramatically reducing the number of alerts. This is another way to improve the enforceability of information security policies—a smaller number of alerts is much easier to handle, helping security teams enforce security policies more easily and with fewer resources.
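To make the two alert-reduction steps described above concrete (dropping traffic from a reputation block list or from countries you do not do business with before any tool sees it, then SIEM-style correlation of whatever alerts remain into one event per source), here is an added, constructed Python illustration. It is not Ixia’s code or a ThreatARMOR feature; the block list, the country-to-prefix map and the alert lines are all hypothetical sample data.

```python
import ipaddress
from collections import defaultdict
# Constructed sample data: a hypothetical reputation block list and a
# country-to-prefix map standing in for a geolocation feed (RFC 5737
# documentation ranges, not real indicators).
BLOCKLIST = {"203.0.113.7", "198.51.100.23"}
GEO_PREFIXES = {"203.0.113.0/24": "XX", "192.0.2.0/24": "YY", "198.51.100.0/24": "ZZ"}
NO_BUSINESS_COUNTRIES = {"ZZ"}

# Constructed alert lines, "time,tool,src_ip,message", as several tools
# might emit them for the same handful of sources.
RAW_ALERTS = """\
09:00:01,firewall,203.0.113.7,denied inbound tcp/445
09:00:02,ids,203.0.113.7,SMB exploit attempt
09:00:05,firewall,198.51.100.23,denied inbound tcp/22
09:01:10,ids,192.0.2.44,suspicious user-agent
09:01:11,proxy,192.0.2.44,policy category: gambling
09:01:12,ids,192.0.2.44,suspicious user-agent
09:05:00,firewall,192.0.2.9,denied inbound tcp/3389
"""

def country_of(ip):
    """Look up the (constructed) country code for a source address."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None

def prefilter(lines):
    """Drop alerts whose source an upstream block would never have let in."""
    def blocked(ip):
        return ip in BLOCKLIST or country_of(ip) in NO_BUSINESS_COUNTRIES
    return [line for line in lines if not blocked(line.split(",")[2])]

def correlate(lines):
    """SIEM-style step: one event per source IP, noting which tools fired."""
    events = defaultdict(lambda: {"count": 0, "tools": set()})
    for line in lines:
        _, tool, ip, _ = line.split(",", 3)
        events[ip]["count"] += 1
        events[ip]["tools"].add(tool)
    return dict(events)

def triage(raw=RAW_ALERTS):
    """Return (raw alert count, count after prefilter, correlated events)."""
    lines = raw.strip().splitlines()
    kept = prefilter(lines)
    return len(lines), len(kept), correlate(kept)
```

On the sample data, seven raw alerts shrink to four after the prefilter and then to two correlated events, which is the reduction the text argues makes a policy affordable to enforce.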
If you do not have a tool in place that can help reduce security alerts, share ThreatARMOR with your colleagues in traditional operations or security operations.
1. Susan Moore, “Mitigate Risk with an Effective Security Policy,” October 1, 2015, sourced from: http://www.gartner.com/smarterwithgartner/mitigate-risk-with-an-effective-security-policy/
2. Ponemon Institute, “The State of Malware Detection & Prevention,” March 16, 2016, sourced from: http://www.ponemon.org/blog/the-state-of-malware-detection-prevention