Vigilance and the Enterprise of Things

Most enterprises allow BYOD in their environment, with varying levels of supervision. Typically, these are tablets and smartphones but the number of other Internet of Things devices being brought into the enterprise is on the rise. I like to refer to this as the Enterprise of Things.

Many of the organizations I work with are just beginning to grapple with the implications of this shift, and I think a number of aspects need to be considered as we deal with this new reality. Here is a quick run-down of some of the items to consider.

Where do you stand?
First, decide your corporate stance with regard to unmanaged devices: Are they allowed in your environment or not? The answer may depend on the type of device, since you may allow smartphones and tablets but exclude laptops, for example. You should also anticipate things such as smart light bulbs, wireless Hi-Fi music systems, and so forth.

For devices that are allowed, what are your expectations for how they are used; how much IT or infosec involvement or approval is required; and how will you detect “rogue” devices when they show up on your network? Policies describe your expectations, so make sure you are clear about what you expect.

Are you clear in communicating your expectations?
Next, take a look at your policies and practices. It’s true that you have expectations about how unmanaged devices will be involved in your environment, but do your policies support your desired outcome? If not, update your policies to reflect your organization’s stance on this matter – otherwise your users won’t have a clue what you expect and everyone will be frustrated.

To create an environment of accountability, make sure you have mechanisms to tell whether someone has violated your policy. If you can’t identify and contain policy violations, you will need to either implement additional controls in your environment or remove that section of the policy until you can detect violations. After all, if you have no means of detecting and enforcing against violations, it is just a hope, not a policy.

Do your users know about your policies?
Once the policies are clearly documented and you know how you’ll enforce them, communication to your user community is vital. I once worked with the CISO of a huge corporation and he asked me to review his security policies to make sure they were sufficient. He handed me a couple of large binders and I asked him, “How many of your users are aware of these policies?”

In his case, the only people who were aware were his system administrators, his security team, and his direct staff. The rest of the company didn’t have any idea these policies existed. I deferred reviewing his policies until he’d communicated them to the company (about a year later); my assertion: if nobody knows about the policies it doesn’t really matter whether the policies in the binders are any good.

By the way, I have found it more effective for organizations to not only communicate the policy details, but also to document the goal of the policies along with the “thou shalt” language. In other words, explain the “why” and the desired outcome of each policy. In these cases, you can often get users to buy into the goal even if they don’t like the specifics of what you’re asking them to do. In fact, one of the organizations I work with was able to greatly improve compliance by taking suggestions from its user community. A number of creative users who understood the objectives of the rules were able to come up with lower-friction ways to achieve the objectives.

Continuous situational assessment
Now that you’ve decided what you want, have the policies and controls to make sure your expectations are being met, and people know what’s expected of them, your work is only just beginning. The threat landscape in the Enterprise of Things is constantly changing, so constant vigilance is required. That means establishing a strategy that enables continuous discovery and awareness of what’s on your network, so you don’t suddenly become vulnerable without realizing it.

A key part of this strategy is to go beyond discovery into actively profiling, probing, and risk-scoring the devices that show up on your network, whether they are there directly (plugged into your network or connecting directly to your wireless access points) or indirectly (part of your employees’ or partners’ networks and mingling with your core network via remote connectivity). I describe this as “measuring your attack surface” so you can objectively determine how your risk and exposure are changing over time, and it should be automated as much as possible.

A significant increase in either targetable systems or known vulnerabilities on those systems causes a spike in your attack surface, which should not only be noticed but should trigger a proportional response from your security team. After all, the more you know, the better equipped you are to do something about the situation.

Business context can trump technical context
Many organizations rely mainly on technical context like CVSS scores, patch levels, etc. to drive their actions. That can work, but I find it more effective if you also integrate business context into your assessment criteria. Business context includes things like location, business purpose, whether the asset houses or handles sensitive information, whether it is subject to specific SLAs or regulatory requirements, etc.

Integrating business and technical context allows you to make reasoned, business-oriented decisions about how to respond to changes in your attack surface. For example, the potential business impact of a medium-severity security exposure on a highly critical server involved in order processing can be much more important to resolve than a higher-severity security issue on an internal media server. If you rely solely on technical context, you’re not doing your business any favors and you may not be applying your precious resources where they’ll get the biggest return.
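Here is a worked illustration of the two ideas from this section: trending a few attack-surface metrics between two discovery snapshots so that a spike can trigger a response, and scoring each finding by technical severity scaled by business context so the medium-severity issue on the order-processing server outranks the higher-severity issue on the media server. This is an added example, not code from the original post or any product; the asset attributes, the weighting scheme, the 50% spike threshold, the finding identifiers (F-1, F-2, F-3; not real CVEs) and the CVSS values are all constructed for the example, and a real inventory would come from your own discovery and scanning tools.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    role: str                # business purpose, e.g. "order-processing"
    criticality: int         # 1 (low) .. 5 (critical), assigned by the business owner
    sensitive_data: bool     # houses or handles sensitive information
    regulated: bool          # subject to an SLA or regulatory requirement
    managed: bool            # False = BYOD / IoT device the enterprise does not control


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str          # constructed identifier for the example, not a real CVE
    cvss: float              # technical severity, 0.0 .. 10.0


@dataclass(frozen=True)
class Snapshot:
    """One pass of discovery plus profiling: what is on the network and what is wrong with it."""
    assets: dict[str, Asset]
    exposed_ports: dict[str, frozenset[int]]   # host -> services reachable from the network
    findings: tuple[Finding, ...]


def attack_surface(snap: Snapshot) -> dict[str, int]:
    """Reduce a snapshot to a few countable metrics that can be trended over time."""
    return {
        "hosts": len(snap.assets),
        "unmanaged_hosts": sum(1 for a in snap.assets.values() if not a.managed),
        "exposed_services": sum(len(p) for p in snap.exposed_ports.values()),
        "known_vulns": len(snap.findings),
    }


def surface_spike(before: Snapshot, after: Snapshot, threshold: float = 0.5) -> dict[str, float]:
    """Return the metrics whose relative growth exceeds `threshold` (50% is an assumed default).

    A metric that went from 0 to anything positive is reported as infinite growth,
    which is what a first unmanaged device on a previously clean network looks like.
    """
    b, a = attack_surface(before), attack_surface(after)
    spikes: dict[str, float] = {}
    for metric, old in b.items():
        new = a[metric]
        if old == 0:
            growth = float("inf") if new > 0 else 0.0
        else:
            growth = (new - old) / old
        if growth > threshold:
            spikes[metric] = growth
    return spikes


def business_weight(asset: Asset) -> float:
    """Business context as a multiplier: criticality plus assumed bumps for the other attributes."""
    w = float(asset.criticality)
    if asset.sensitive_data:
        w += 1.0
    if asset.regulated:
        w += 1.0
    if not asset.managed:
        w += 0.5   # we cannot patch it ourselves, so the exposure tends to linger
    return w


def risk_score(f: Finding, asset: Asset) -> float:
    """Technical severity (CVSS) scaled by the business weight of the affected asset."""
    return round(f.cvss * business_weight(asset), 1)


def prioritise(snap: Snapshot) -> list[tuple[str, str, float]]:
    """Findings ordered by business-weighted risk, highest first: (host, finding_id, score)."""
    scored = [(f.host, f.finding_id, risk_score(f, snap.assets[f.host])) for f in snap.findings]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# --- constructed sample data: two discovery snapshots a week apart ---------------
ERP = Asset("erp-01", "order-processing", 5, True, True, True)
MEDIA = Asset("media-01", "internal-media", 1, False, False, True)
TABLET = Asset("tablet-7f", "byod", 1, False, False, False)
BULB = Asset("bulb-kitchen", "iot-lighting", 1, False, False, False)

LAST_WEEK = Snapshot(
    assets={a.host: a for a in (ERP, MEDIA)},
    exposed_ports={"erp-01": frozenset({443}), "media-01": frozenset({80, 445})},
    findings=(
        Finding("erp-01", "F-1", 5.5),     # medium severity on the critical order-processing server
        Finding("media-01", "F-2", 8.8),   # high severity on the internal media server
    ),
)
TODAY = Snapshot(
    assets={a.host: a for a in (ERP, MEDIA, TABLET, BULB)},
    exposed_ports={**LAST_WEEK.exposed_ports,
                   "tablet-7f": frozenset({5555}), "bulb-kitchen": frozenset({80, 1900})},
    findings=LAST_WEEK.findings + (Finding("bulb-kitchen", "F-3", 7.0),),
)

if __name__ == "__main__":
    print("attack-surface spikes since last week:", surface_spike(LAST_WEEK, TODAY))
    for host, fid, score in prioritise(TODAY):
        print(f"{host:14} {fid:5} {score:6.1f}")
```

Running it shows hosts, unmanaged hosts and exposed services all flagged as spikes (two unmanaged devices appeared on a network that had none), while the one-finding growth in known vulnerabilities stays under the threshold. The ranking puts the medium-severity finding on erp-01 first (5.5 scaled by a business weight of 7.0 gives 38.5), the new finding on the unmanaged light bulb second, and the high-severity finding on media-01 last, which is exactly the ordering the paragraph above argues for. The weights are the part you would tune with the business owners, not the security team alone.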

The Enterprise of Things never sleeps
I’m only scratching the surface here, but the key thing to remember is that we now live in a world in which the “things” we don’t control can suddenly threaten the assets and data we’re responsible for protecting. Developing an automated, scalable strategy that allows you to quickly identify potential security threats, prioritize them based on business risk, and take deliberate action based on what you see is crucial in protecting your business in the Enterprise of Things.