This is another incomplete, but interesting post. Not sure why I started writing this, but I always like the dreamy feel of “best case scenario” types of descriptions. Like what is your dream job? What is your dream vacation? In this case, what is your dream security team posture? I’ve added a thought below in bold. I probably never released this since I likely have said these same items in other blog posts, comments on other blogs, over twitter, and in personal discussions, so it sounds a bit like a broken record to myself.
Simple steps to a strong security posture:
– Staff. Don’t skimp on quality security staff. The anchor of any security team is the skill, talent, and enthusiasm of the top players. It is ok to have some lesser-skilled players or interns. They provide perspective, give senior staff a chance to mentor and be mentored, and can take on the things you’d hate to have a $100k staffer do every day, like cruising logs. In addition, be liberal with their training opportunities, both on and off the books.
– Operate the team as an advisory unit, a monitoring unit, and an active penetration team. Basically, don’t just watch for breaches or react to things already done. Be an internal consultation team for developers, sysadmins, or others who would like or need more guidance on security issues. The team should also be able, and allowed, to do planned and unplanned security audits and penetration tests against company assets. It’s not just about implementing, tuning, and addressing trouble tickets for a host-based firewall on desktop systems, or auditing those systems through a central management interface to ensure exceptions aren’t being granted by non-security-minded desktop staff. It’s about helping the business as a whole.
– Be given autonomy and authority in the company to make recommendations, on par with a high-level consultancy. If a security team expects an application to be built securely and offers proper assistance and knowledge to the app team, it should expect to have its concerns addressed reasonably, rather than what often turns into a management political battle or simply ignored demands. The team needs oversight over the company’s assets and IT, really.
– The team should be given some level of operational power or control, especially over their own systems and test systems/networks. Security staff isn’t just about installing endpoint software or watching logs, or even consulting or pen-testing internally. They should be able to test and implement changes as needed without having to walk someone else through it or wait (for political and scheduling reasons) for a “real” engineer to attend to their ticket. It is my opinion that quality security staff would also make quality operations staff (or quality management in general if that is their focus), so give them that latitude. (They should also be held as accountable for availability mistakes as operations staff are, when acting in that space.) Of course, this butts up against the problem of having too many hands in the cookie jar, for instance 6 people having access to update firewall rules. That’s 5 extra ways of doing it that don’t match your own philosophy!