Historically, there has been plenty of negativity and friction between IT and cybersecurity teams. Security teams can be seen as ‘blockers’ that prevent IT from implementing positive changes for the organization. Meanwhile, security teams often feel like their IT operations counterparts just aren’t interested in protecting the organization from outside threats.
While there are arguments on both sides, we in the security industry need to accept a simple fact: IT departments have been around a lot longer than we have, and their processes are more mature.
40 YEARS OF PROCESS IMPROVEMENT
Consider one of the most prominent frameworks for IT service management (ITSM): the IT Infrastructure Library (ITIL). Developed in the 1980s by the UK Government, ITIL has evolved into the most comprehensive set of IT practices ever devised. It’s more widely used than any other framework, and even Microsoft used it as the basis for its Microsoft Operations Framework (MOF).
To see what cybersecurity teams can learn from it, consider the ITIL Life Cycle’s five principles:
- Service strategy defines the perspective, position, plans, and patterns a service provider needs to execute to meet business outcomes.
- Service design includes the design of services, governing practices, processes, and policies required to realize the strategy.
- Service transition ensures new, modified, or retired services meet business expectations.
- Service operation coordinates actions and processes to deliver and manage services at agreed levels. It also manages the technology used to deliver and support services.
- Continual service improvement ensures services are aligned with changing business needs by identifying and implementing IT service improvements.
PROTECTING OPERATIONS, NOT BLOCKING THREATS
Notice how ITIL doesn’t focus on individual systems or processes but rather on meeting business expectations at a pre-agreed level. ITIL emphasizes getting the basics right and having the systems and processes to achieve the most important objective: minimizing downtime.
IT operations teams have known for years that downtime is inevitable, and all they can do is limit its length and frequency. This is the purpose of SLAs—to keep downtime to an acceptable minimum. This is vital, and it’s in stark contrast to how the cybersecurity industry portrays its function.
In cybersecurity, we often think about blocking threats, fixing vulnerabilities, and hunting for indicators of compromise. But these are simply actions, they aren’t the purpose of cybersecurity. Our true goal is to maintain the availability, integrity, and privacy of our organization’s systems, assets, and data.
Like IT departments, we can assume that some level of ‘failure’ is inevitable as we strive for this goal. Almost all organizations will be breached at some point, so the important consideration is how to minimize the frequency, impact, and duration of breaches. Scott Alldridge, President at the IT Process Institute (ITPI) and MSSP IP Services, explains:
"Use a scorched earth approach. Assume you’ve already been breached and need to recover. What recovery point are you comfortable with, and how long can it take? Once you have your answers, reverse engineer security controls from there just like an IT department would."
THE IMPORTANCE OF CHANGE MANAGEMENT
To ensure business expectations are met, one of the most critical components of ITIL is change management, which is the core function of service transition. For many years, IT departments have understood the importance of change management to maintain SLAs at an acceptable level.
In The Visible Ops Handbook, the authors explain (emphasis ours):
“High-performing IT organizations eliminate change as a causal factor for an outage as early as possible in the repair cycle. They identify the assets directly involved in the service outage and examine all changes made on those assets in the previous 72 hours. This information is [compared to] all authorized and scheduled changes. [...] When issues are escalated to problem managers, they have all relevant and causal evidence at hand and [...] can successfully diagnose issues without logging into any infrastructure over 50% of the time!”
This approach is directly applicable to cybersecurity. By setting objectives (service strategy), a baseline for acceptable service levels and activities (service design), and managing changes from that baseline (service transition), cybersecurity teams can achieve the same level of operational success (service operation) as IT departments.
Think about it. When was the last time your organization’s IT systems went offline for a non-security reason—and how long did it last?
System Integrity Assurance: A Huge Step Beyond FIM
Traditional IT operations concepts like change management are crucial to achieving the true objective of cybersecurity—not blocking a specific threat, but maintaining system availability, integrity, and privacy.
However, for change management to work, you need to know exactly what your environment should look like so you can track changes from that baseline.
System Integrity Assurance (SIA) is a completely different approach to cybersecurity that focuses on the fundamentals. Instead of trying to identify and categorize all bad things, it instead identifies everything that is allowed in an environment—and blocks everything else.
Some level of management by exception is needed, of course. But fundamentally, SIA and verifying that integrity gives organizations complete control over what happens in their environment.
What happens if you know every time something is added, removed, or changed in your environment, and you stop anything that isn’t authorized… and you expand this capability across all asset classes?
- Ransomware and other malware can’t run in the environment.
- Attackers can’t traverse the network or exfiltrate data.
- Nobody can change files or configurations to make them dangerous or non-compliant.
- Users can’t accidentally run malicious attachments.
- Nobody (even privileged administrators) can alter critical system files.
This approach takes away a massive proportion of the threats that can arise in an IT environment with minimal human involvement.
To find out exactly how system integrity addresses the major issues in cybersecurity, download The Authoritative Guide To System Integrity Assurance.
November 4, 2021