I prepared five slides. On the first slide, we described the problem that we solve. The extemporaneous version goes something like this:
- Heterogeneity: Every environment, even a small one, is going to be heterogeneous. Chances are you'll have mobile, cloud, connections to sales staff, possibly manufacturing systems, BYOD... and if you've acquired another company to allow growth, you've acquired its heterogeneity as well, leaving you with a heterogeneous system of interconnected heterogeneous systems. And worse, you don't acquire companies for their impeccable network hygiene, you buy them to make money. And when they stop, you divest.
- Complexities in layers (of heterogeneous defense in depth): So now that you understand the heterogeneity in your environment, consider the infosec posture that you've either built, haven't built, or inherited through acquisition. If you've not been through the forklift security upgrade following your first oh sh*t moment, I'm betting your security posture wasn't built purposefully, it was built on the fly to accommodate growth... if at all.
- Autonomy of businesses: The terms 'division', 'sector', and 'business unit' all mean the same thing: autonomous units of business operations. And do you know where the Presidents or VPs of these business operations report? Not to the CISO! They get graded on revenues and margins, not on their impeccable network hygiene. And you know what? There's a good chance your security team (if you have one) doesn't have eyes on all of these autonomous businesses. In fact, I can guarantee it.
- Geolocation and connectivity: Even with a system in a building down the road, geolocation adds cost. Administration, monitoring, security and response all require travel, or else local help desks, local administration, and likely at least one local security person.
- Locate the machine: Typically the security team will want one of the flagged machines (or a copy of it) in hand, so they'll run it down. This almost always takes time. The scanners don't necessarily give you the location of the computer, so you'll probably look in a global directory of some sort, or possibly call HR. However this happens, it's probably going to take a few hours to locate the first offending device.
- Pull it offline: This isn't as simple as walking into an office and unplugging a machine. In larger companies you may have to call a help desk or a desktop team to make sure that first employee is taken offline. Maybe this is another couple of hours of work from your own department or from another one. Regardless, it costs money.
- Bring it back to the office to tear it apart and figure out what's going on: Here's where the fun starts. Unless you're planning on burning down the machine and rebuilding it (as many do), you're probably going to want to know what caused the scanner to flag it. Is this real? A false positive? How bad is it? How do we keep it from happening again? The first machine gets a day or so of attention. In my last job, the average seemed to be about three days of intrusion analysis in total. This number will drop with experience, but three work days is probably about right.
- Moving forward: Now that you know what caused the problem, you've got to come up with a strategy to fix it. In most cases, this will absolutely be a team sport. You still have 99 other machines that you've not looked at, in various parts of the company. 100 machines offline is going to really hurt. Maybe you take a weekend for the clean-up. You'll have your entire IT and Infosec teams on board. You'll probably burn and reload all 100. You'll generate rules for your IPS, add a tool or two to your network, and maybe reconfigure some security controls. Depending on the response, this can get really expensive -- especially when companies don't bring in consultants who've been through this before -- and usually they don't.