Environmental Drift: “What We’ve Got Here is Failure to Communicate” by Brian Contos

It’s hard to tell when your security controls stop working or if they ever really worked at all. My firewall, IPS, endpoint, and SIEM may be up and running, but are they doing what I need? How do I know for sure?

The quote from my title comes from one of my favorite movies: 1967’s Cool Hand Luke – starring Paul Newman and George Kennedy. This quote was re-popularized in 1991 in the song “Civil War” by Guns N’ Roses.

Multimillion-dollar security investments in people, process and technology can be brought down by simple communication failures and basic “environmental drift.” Environmental drift includes variables like:

  • A span port being accidentally turned off or a tap failing
  • Network Time Protocol (NTP) not being set up correctly
  • Network traffic not being logged or logging being blocked
  • Misconfigured proxies, routing, forwarding, segmentation…

It can also include more security-specific issues caused by configuration errors, patches, staff changes, process changes or solutions simply not performing as advertised or assumed:

  • A firewall not generating alerts
  • An endpoint control alerting but not blocking
  • IPS alerts making it to the IPS manager but not the SIEM
  • SIEM correlation rules not firing
  • DLP not blocking on various protocols and/or levels of obfuscation
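
Several of the drift conditions listed above (IPS alerts reaching the IPS manager but not the SIEM, NTP problems, logging that has silently stopped) can be checked by reconciling what each tier recorded. The following is an added example, not code from Verodin or from the original post; the record fields, source names and sample data are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data for illustration; not exported from any real product.
IPS_MANAGER_ALERTS = [
    {"id": "a-100", "sensor": "ips-dmz", "time": "2017-08-01T10:00:05"},
    {"id": "a-101", "sensor": "ips-dmz", "time": "2017-08-01T10:02:10"},
    {"id": "a-102", "sensor": "ips-core", "time": "2017-08-01T10:03:30"},
]
SIEM_EVENTS = [
    {"id": "a-100", "source": "ips-dmz",
     "event_time": "2017-08-01T10:00:05", "received": "2017-08-01T10:00:07"},
    {"id": "fw-7", "source": "fw-edge",
     "event_time": "2017-08-01T09:48:00", "received": "2017-08-01T10:01:00"},
]
EXPECTED_SOURCES = {"ips-dmz", "ips-core", "fw-edge", "endpoint-mgr"}  # assumed inventory

def _ts(value):
    return datetime.fromisoformat(value)

def missing_in_siem(alerts, siem_events):
    """Alert ids the IPS manager recorded that never reached the SIEM."""
    ingested = {e["id"] for e in siem_events}
    return sorted(a["id"] for a in alerts if a["id"] not in ingested)

def skewed_sources(siem_events, tolerance=timedelta(minutes=5)):
    """Sources whose event time and SIEM receipt time disagree by more than
    the tolerance: a sign of bad NTP or a stalled forwarder."""
    return sorted({e["source"] for e in siem_events
                   if abs(_ts(e["received"]) - _ts(e["event_time"])) > tolerance})

def silent_sources(siem_events, expected, now, window=timedelta(minutes=30)):
    """Expected sources with nothing received in the window ending at `now`."""
    recent = {e["source"] for e in siem_events
              if timedelta(0) <= now - _ts(e["received"]) <= window}
    return sorted(expected - recent)

def drift_report(alerts, siem_events, expected, now):
    return {
        "missing_in_siem": missing_in_siem(alerts, siem_events),
        "skewed_sources": skewed_sources(siem_events),
        "silent_sources": silent_sources(siem_events, expected, now),
    }

if __name__ == "__main__":
    print(drift_report(IPS_MANAGER_ALERTS, SIEM_EVENTS, EXPECTED_SOURCES,
                       datetime(2017, 8, 1, 10, 10)))
```

Run on a schedule against real exports, a non-empty result in any of the three lists is a prompt to check forwarding, time sync or the sensor itself before relying on the control.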

At Black Hat Las Vegas 2017, Verodin ran a Security Jenga game to illustrate issues in security effectiveness and to show how the Verodin Security Instrumentation Platform (SIP) provides automated, continuous security validation and configuration assurance. The Security Jenga game is based on Verodin’s 2017 Security Effectiveness Report, which presents some startling statistics. Here are just a few:

  • Prevention: on average only 15-25% of attack behaviors are actually blocked
  • Detection: of attack behaviors not blocked, only 25-45% generate actionable alerts
  • Correlation: 0-45% of SIEM correlation rules are firing

Verodin SIP fundamentally changes security by allowing you to truly measure, mitigate and maintain. With Verodin SIP you know what’s working, what’s not, and are supplied with prescriptive remediation results. But don’t take our word for it, check it out for yourself and let Verodin prove it.

*** This is a Security Bloggers Network syndicated blog from Verodin Blog authored by Verodin Blog. Read the original post at: