CISOs could always use more help, it’s as simple as that. As part of an upcoming report on protecting applications, F5 engaged Ponemon to survey security professionals. The survey found that 44% of respondents reported “lack of skilled or expert personnel” as the “main barrier to achieving a strong application security posture.” Our previous F5 and Ponemon survey, The Evolving Role of CISOs and their Importance to the Business, found that 75% of CISOs reported turf and silo issues as having a significant influence or some influence on security. Cyber-security is still an immature field, and CISOs are eager for any help they can get, both in bolstering their teams and being more effective within the organization. Some CISOs have looked at machine learning to enhance their teams. This article looks at how you can leverage the non-security members of your organization to increase Security’s reach and impact.
Security Adjuvant Concept
In medical treatment there is a concept of an “adjuvant”—an agent that enhances the effect of other agents. It’s not the cure, but it helps the cure be more effective. Adjuvants are added to medicines to enhance their responses and lengthen their effect. We can use this same concept for security work to improve detection, prevention, and response outcomes.
How does this work? Security already taps other departments to help with an organization’s security mission. It’s time we recognize that a strong performance by these folks can be a force multiplier in your defensive capability. For example, personnel in QA, the IT Helpdesk, IT Operations, and Human Resources are already pre-approved to do security work. What you need to do is reinforce and extol their efforts. Yes, they will probably do an adequate job related to security without the security team’s help, but it’s to your advantage to invest in these adjuvants to be more effective and influential in their security work.
What Can a Security Adjuvant Do?
These people can extend the reach of the security team. The key is to have them breathe life into your security controls, so they become integrated into the organizational culture. In many ways, they act as part of the security team to ensure that security policy and process is followed. Because adjuvants are not part of the security team but still work on security processes, they have a unique perspective that straddles both security and business goals. When security processes fail, security adjuvants can use that perspective to help diagnose problems. They are also in a position to double-check that security processes are working as intended—that is, even if the process is being followed, is it meeting the goal? Because of this unique perspective, they can also help bridge the gap between aspiration (the policy) and the execution (the reality).
Adjuvants in Action
Enough with the theory, let’s look at how security adjuvants provide value to the security team. We’ll begin with one of the humblest but most essential roles in IT.
The IT helpdesk is the front line for security. It’s the single point of contact for users, the first place they turn with questions and complaints. Since phishing is such a looming threat, the helpdesk is also where you can expect users to turn first when they recognize a suspicious email. Or, it’s where they’ll turn after realizing they’ve clicked on the wrong link and their system might have become infected. When malware or DDoS breaks out, it’s the helpdesk’s phone lines that light up. When users have problems getting their two-factor token or VPN to work, the helpdesk is who they call. If a user wants to take work home or send confidential data to a colleague, they turn to the IT helpdesk to help get it done. If their laptop gets stolen, you want users to call the helpdesk right away.
All of this means that the security team needs to ensure that the helpdesk is fully trained and empowered to handle every situation. They should have a clear process to follow and open communication paths to resolve questions and ambiguities. Along those lines, the helpdesk needs a fast-response escalation path to Security to ensure developing situations are spotted early and can be contained. You want the helpdesk to let you know right away if a phish has been clicked or a malware outbreak is in progress. The helpdesk and security teams need to work hand in glove to make sure the users and endpoints remain as secure as possible.
The sysadmins are likely to have more knowledge about specific attacks, vulnerabilities, and technical controls than some of the security team. Since sysadmins work with the firewalls, authentication servers, security logs, and encryption systems, they can provide expert advice to the security team. In fact, I’ve always considered it the Security team’s job to provide tools and guidelines to help the sysadmins secure the network. Sysadmins are also in a position to provide good feedback on why a particular security process or proposed change may negatively affect operational stability. They are also often aware when something doesn’t look right, either with a suspicious log entry or how a system is behaving. These are the times when you want sysadmins to be open and willing to consult with Security to help in the investigation.
In the history of IT security, there have been more than a few clashes between the security team and sysadmins over what should be done. It’s more effective to remember that both teams’ goals are the same: keep the systems secure and functional for the users. In the face of a breach or malware infection, the sysadmins will be putting in long hours of clean-up—just as much (if not more) than the security team.
Sysadmins are often less risk averse, due to their familiarity with the technology and distance from threat intelligence, so they may be more prone to take chances than the security team feels comfortable with. It is Security’s job to help educate them on the nature of the threats and the potential impacts (including compliance fallout) that come from ignoring security processes.
The Quality Assurance (QA) team is a great ally for security. Not only do they find and knock down the bugs that can lead to severe security vulnerabilities, they can also frame the fixes in a broader context of improved product quality. Often security holes can be dismissed as the Security team crying that the sky is falling again, but when QA flags it, the problem is then tied to the integrity of the customer experience.
This means that QA teams should have a strong understanding of the threat model pertaining to the applications they’re testing. They should also be provided with a method of testing security vulnerabilities, either directly by demonstration or indirectly by instruction. Some QA departments develop their own application security expertise using security test tools to find and verify potential problems. QA also often employs massive automation for testing, especially in Continuous Integration environments. There is a lot of value in providing QA with test scripts generated automatically from security scanning tools that can be integrated into the test suites. For example, when a vulnerability analysis tool finds a cross-site scripting vulnerability, QA should be provided with a script that reproduces that test to run across all versions of the application and become part of the automated test every time code is submitted. Sometimes this means extra work from the security team to educate and assist in automating these tests, but it more than pays for itself in reduced vulnerabilities.
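The paragraph above describes turning a scanner finding into a reproducible test that QA can run on every build. The following is an added example, not code from the article or from any scanner or project it mentions. It assumes a scanner-style finding record with an endpoint, a parameter and an inert marker string (all constructed here), and a tiny in-process "app" of handler functions standing in for the real application, so it runs offline. Rather than checking for one exploit string, it classifies how the marker comes back (reflected unencoded, reflected encoded, or absent), because a value that is silently stripped passes the XSS check but may mean a filter prevented the test from exercising the code path at all.

```python
import html
from typing import Callable, Dict, List

# Constructed scanner-style finding record (not output from any real tool).
# It carries exactly what QA needs to reproduce the issue: where the value goes
# in and the marker that was observed coming back out without encoding.
XSS_FINDING = {
    "id": "constructed-finding-001",
    "endpoint": "/search",
    "parameter": "q",
    # Inert marker containing the characters an HTML context must encode.
    "marker": '<xss-canary "8f3a">',
}

# A handler takes the request parameters and returns an HTML body.
Handler = Callable[[Dict[str, str]], str]


def search_vulnerable(params: Dict[str, str]) -> str:
    """Pre-fix behaviour (hypothetical): reflects the query straight into HTML."""
    return f"<h1>Results for {params.get('q', '')}</h1>"


def search_fixed(params: Dict[str, str]) -> str:
    """Fixed behaviour: HTML-encodes the value before reflecting it."""
    return f"<h1>Results for {html.escape(params.get('q', ''), quote=True)}</h1>"


def classify_reflection(body: str, marker: str) -> str:
    """Report how the marker came back: 'unencoded', 'encoded' or 'absent'.

    'unencoded' is the regression; 'encoded' is the expected fix; 'absent'
    is safe from an XSS standpoint but worth a look, since the input may have
    been filtered before reaching the code path the scanner flagged.
    """
    if marker in body:
        return "unencoded"
    if html.escape(marker, quote=True) in body:
        return "encoded"
    return "absent"


def run_regression(app: Dict[str, Handler], finding: dict) -> dict:
    """Replay one finding against the app and return a pass/fail record."""
    handler = app[finding["endpoint"]]
    body = handler({finding["parameter"]: finding["marker"]})
    outcome = classify_reflection(body, finding["marker"])
    return {
        "finding": finding["id"],
        "endpoint": finding["endpoint"],
        "parameter": finding["parameter"],
        "outcome": outcome,
        "passed": outcome != "unencoded",
        # Keep the evidence only on failure so the CI log shows what was reflected.
        "evidence": body if outcome == "unencoded" else None,
    }


def run_suite(app: Dict[str, Handler], findings: List[dict]) -> List[dict]:
    """Replay every recorded finding; any failed record blocks the build."""
    return [run_regression(app, f) for f in findings]


# Hypothetical "current build": the version QA is testing in CI.
APP_CURRENT = {"/search": search_fixed}


def test_no_xss_regressions() -> None:
    """pytest-style entry point so the file drops straight into a test suite."""
    results = run_suite(APP_CURRENT, [XSS_FINDING])
    failed = [r for r in results if not r["passed"]]
    assert not failed, f"XSS regressions: {failed}"


if __name__ == "__main__":
    for r in run_suite({"/search": search_vulnerable}, [XSS_FINDING]):
        print("pre-fix build:", r)
    for r in run_suite(APP_CURRENT, [XSS_FINDING]):
        print("current build:", r)
```

As new findings arrive from the scanner, QA appends them to the findings list and the same replay runs against every version of the application on every commit, which is the automation the paragraph describes.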
Outside the technical areas, Human Resources (HR) is often involved in security matters. When new employees are onboarded, security needs to make sure these employees are educated on security policies and procedures. HR often can help facilitate both policy sign-off and security awareness directly themselves. Since maintaining a close tie between current employees and authorized user accounts is a key security measure, HR needs to integrate processes with IT or Security to ensure new employees get user accounts, and departing employees have their accounts disabled.
When things go wrong, Security needs HR’s full cooperation. When there are involuntary terminations, Security needs to be in the loop beforehand to ensure all credentials are immediately cut off, preferably during the employee’s exit interview. When severe security policy violations occur, HR also needs to work with security to ensure proper documentation and sanctions are applied. HR should work with Security on risk assessments of potential malicious insiders or problem employees. A good example of this is HR having a consultation with Security if a potential hire has some gray area issues on their background check. Both HR and Security have a clear legal and ethical understanding of privacy issues, so confidentiality on employee matters can be maintained.
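The two paragraphs above make the case for tying the HR record to the directory account: joiners should get accounts, leavers should have theirs disabled at exit, and nothing should be enabled without an HR owner. The check below is an added example, not code from the article; it assumes an HR roster export in CSV form and a directory export of usernames with an enabled flag, both constructed here so it runs offline. It reports the three gaps a security team would want to see from such a reconciliation: active employees past their start date with no enabled account, terminated employees whose account is still enabled on or after their end date, and enabled accounts with no HR record (service accounts are passed in separately so they are not flagged as orphans).

```python
import csv
import io
from datetime import date
from typing import Dict, FrozenSet, List

# Constructed HR roster export (not real data). status is "active" or "terminated";
# end_date is empty for current employees.
HR_ROSTER_CSV = """employee_id,username,status,start_date,end_date
1001,alice,active,2023-01-09,
1002,bob,terminated,2021-06-01,2024-03-15
1003,carol,active,2024-04-01,
1004,dave,terminated,2022-02-14,2024-04-02
1005,erin,active,2024-05-01,
"""

# Constructed directory export: username -> account enabled?
DIRECTORY_ACCOUNTS: Dict[str, bool] = {
    "alice": True,
    "bob": True,          # leaver whose account was never disabled
    "dave": False,        # leaver handled correctly
    "svc_backup": True,   # no HR record: a service account, or an orphan
}

# Hypothetical inventory of accounts that legitimately have no HR owner.
KNOWN_SERVICE_ACCOUNTS: FrozenSet[str] = frozenset({"svc_backup"})


def parse_roster(csv_text: str) -> List[dict]:
    """Parse the HR export into records with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "employee_id": row["employee_id"],
            "username": row["username"],
            "status": row["status"],
            "start_date": date.fromisoformat(row["start_date"]),
            "end_date": date.fromisoformat(row["end_date"]) if row["end_date"] else None,
        })
    return rows


def reconcile(roster: List[dict], accounts: Dict[str, bool], as_of: date,
              service_accounts: FrozenSet[str] = frozenset()) -> dict:
    """Compare HR status with directory state as of a given day."""
    joiners_without_account: List[str] = []
    leavers_still_enabled: List[str] = []

    for emp in roster:
        user = emp["username"]
        enabled = accounts.get(user, False)   # missing account counts as not enabled
        if emp["status"] == "active":
            # Only employees who have actually started are expected to have access;
            # a disabled account for an active employee (e.g. on leave) is reported
            # too, so someone confirms it is intentional.
            if emp["start_date"] <= as_of and not enabled:
                joiners_without_account.append(user)
        elif emp["status"] == "terminated":
            # Access should be cut off on the end date itself (at the exit interview).
            if emp["end_date"] is not None and emp["end_date"] <= as_of and enabled:
                leavers_still_enabled.append(user)

    owned = {emp["username"] for emp in roster} | set(service_accounts)
    orphan_accounts = sorted(u for u, on in accounts.items() if on and u not in owned)

    return {
        "as_of": as_of.isoformat(),
        "joiners_without_account": sorted(joiners_without_account),
        "leavers_still_enabled": sorted(leavers_still_enabled),
        "orphan_accounts": orphan_accounts,
    }


def run_sample(as_of: date = date(2024, 4, 10),
               service_accounts: FrozenSet[str] = frozenset()) -> dict:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_roster(HR_ROSTER_CSV), DIRECTORY_ACCOUNTS, as_of, service_accounts)


if __name__ == "__main__":
    print(run_sample())
    print(run_sample(service_accounts=KNOWN_SERVICE_ACCOUNTS))
```

Run on a schedule against the real exports, a non-empty "leavers_still_enabled" list is exactly the condition the termination process in the paragraph above exists to prevent, and is worth an alert rather than a report.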
Empowering and Investing in the Security Adjuvants
Partnering with your security adjuvants means more than just assigning them security responsibilities. It means answering their calls and emails in a timely manner, attending some of their meetings, listening to their needs, and providing customized training and documentation for them. This not only helps them do their security work but more importantly, it sends them a message that you’re invested in helping them succeed. You’re sending a message that everyone is working together to improve security. This extra effort with the adjuvants also gives Security a chance to communicate their goals and knowledge of threats on an ongoing basis.
Security is a Team Effort
Having committed, capable individuals outside of the security team is a potent adjuvant to help a security program succeed. Over time, you can even take this a step further by looking at recruiting staff within Application Development as security champions. Security champions take the adjuvant concept a step further by creating new security job roles on the development team to help threat-model and train developers. OWASP has a great resource on this concept available at https://www.owasp.org/index.php/Security_Champions_Playbook. Another future role for security adjuvants is to recruit them into the security department, providing a career path for interested professionals. Remember, security is a team effort, and savvy CISOs should look beyond their own department for assistance.