Why the bad blood between InfoSec and Remediation teams? The reality is, they need each other. They just don’t always work alongside each other, or use the same metrics, or see things the same way, or…well, let’s just say there’s a lot of baggage there.
Why We Can’t All Just Get Along
Within many organizations, security teams and remediation teams are in need of a good marriage counselor. Conflict-ridden, confrontational, distrustful, and a host of other words may be used to describe these relationships, while phrases like harmonious, collaborative, and productive don’t often apply.
Security’s Image Problem
I’ve seen this adversarial dynamic play out from multiple sides of the IT equation, having held roles in security, development, and DevOps during previous stints at various enterprises. When you ask people around the organization for their take on security teams, you’re likely to hear a range of perceptions, not many of them good:
- Chief problem officers. Some see the security team as “chief problem officers,” constantly flagging issues, but offering little in the way of solutions.
- Car alarms. Others see the security team as that annoying car alarm that goes off every other day. Security is constantly issuing alerts, and designating every vulnerability discovered as critical. Loud and annoying as it is, people do their best to ignore it, and hope the noise will stop soon.
- Speed bumps. Still others see the security team as barriers that stand in the way of business progress. Seemingly every new innovation proposed is slowed or halted by security. Security doesn’t partner with other groups to support new initiatives, but rather erects barriers and landmines that impede progress. Worse yet, this perception is often embraced by security, which only perpetuates the problem.
- Money pit. Many simply view security as the place where money is sunk. Ultimately, they see a lot of money getting spent on security, with the business seeing very little return on its investments.
In this case, there really is such a thing as bad publicity. These negative perceptions, whether based on reality or not, ultimately stifle teamwork and collaboration.
Security Can’t Do it Alone
The crux of the matter is this: Security teams are responsible for identifying the risks, vulnerabilities, and threats confronting the business, but they most often won’t be responsible for actually addressing those issues. Security teams are reliant upon remediation teams—the individuals who typically don’t have security in their titles, but are essential players in security nevertheless.
These remediation teams are made up of individuals from different groups, and can include application developers, system administrators, DevOps leads, network operations center staff, network and system engineers, DBAs, and more. Without remediation teams, patches don’t get applied, issues in code don’t get addressed, and configuration errors don’t get fixed.
Why are the Relations so Poor?
Security’s relationships with these remediation teams are often largely adversarial. Why? Historically, the default method of many security teams has been the “dump-and-run” approach. The security analyst runs a vulnerability scan, say on an application, and generates a 500-page report that lists thousands of vulnerabilities and issues. Next, the security person goes to the unsuspecting development lead, drops the report off with a thud, and says, “fix these issues.” The security analyst then promptly departs, leaving the developer with more questions than answers. How do I address these issues? What should I tackle first? How do I fit this pile of work into all my other priorities?
For their part, security teams may as well be throwing reports directly in the trash. Remediation teams may address some of the vulnerabilities, or they may not. They may report back on how they’re progressing, or they may not.
There’s no closed-loop reporting to measure progress. Unfortunately, vulnerability scanning won’t help. In fact, traditional tools like vulnerability scanners and scanning systems are part of the problem. These systems keep finding hundreds of thousands, if not millions, of vulnerabilities across the environment.
While they provide great ammunition for dump-and-runners, they stop far short in terms of supporting risk management, prioritization, and solution identification. Even if remediation teams did address a lot of issues, next month, security could run a report and see 10,000 more vulnerabilities than before. What would the number have been if remediation teams hadn’t been working on issues? Has any progress been made? Who knows?
How You Know You Have a Problem
How do you know if your organization is being plagued by these realities? Here are a few tell-tale signs of brewing conflict:
- Inefficiency. A lot of time and effort goes into security “activities” but the most critical threats and priorities aren’t well understood, let alone addressed. Instead, people are working through massive punch lists, while critical priorities are buried or ignored.
- Disconnectedness. Efforts, investments, and strategies of different teams aren’t well understood by others, and they’re not aligned or coordinated across different groups.
- Ineffectiveness. Security teams can’t do it alone, and they can’t get the support they need from remediation teams to address security objectives. Ultimately, the business remains exposed to significant risk.
- No single metric. Ultimately, there’s no single report or metric that all the players use to understand trending risk, and how the organization’s risk posture is being reduced over time.
How to Fix the Problem
For security teams to be successful in meeting their charters, they need to change the perceptions and the realities. To do so, they need to establish a more collaborative approach with remediation teams. Following are several key strategies and approaches for realizing this objective.
While in theory, it’s clear that security really is everyone’s job, security teams have to be mindful that, for the remediation teams they work with, it’s not their primary jobs. Effective collaboration starts with empathy, taking time to understand the remediation team’s initiatives and goals. This can be highly instructive in helping establish context for meaningful security discussions.
Know Your Resources
It’s also important to assess the resources available. It is only by understanding how much budget and people you have to work with that you can formulate realistic priorities and goals.
Security and remediation teams have fundamentally different views of the world. Security sees security as the most important goal. For a DevOps lead, the overriding goal is delivering new, revenue-generating functionality, and doing so yesterday, if not sooner. The developer sees the world in terms of features and defects, and ensuring the former are getting enhanced, while the latter are being reduced. For a system administrator, the primary focus is on keeping an increasingly dynamic environment up and humming.
Security has to take time to understand these different perspectives, and align their interactions accordingly, if they are to collaborate effectively with remediation teams.
Become Part of the Solution
Security teams can’t just continue to point out problems; they need to spot problems and devise solutions. As opposed to listing hundreds of vulnerabilities, security teams should provide prescriptive direction, for example, specifying which patch needs to be applied to which servers, how a configuration needs to be changed, and so on.
If everything is critical, nothing is critical. Given the finite resources and time available, it’s not helpful to hand off a huge list of problems, and create a backlog that no one will ever get through. Prioritization is vital. Maybe a developer will be able to take care of three cards this week. Why should he or she make security’s requests a higher priority than all the deliverables the business is clamoring for? If you provide an un-prioritized list of 100 vulnerabilities, you’re all but assured of getting ignored. Which are the five that will most effectively reduce risk?
From the time we were children, we’ve always liked to know why. That still holds true for all of us, including folks on remediation teams. Why am I being asked to do this? Why is it so important? By providing context around security, you’re much more likely to get buy-in and support for what you’re trying to do. Go beyond explaining that a patch needs to be installed, and explain the why.
For example, detail how, by implementing a specific patch, the team can protect against a specific threat, and describe why the threat is both real and likely. These details can be both educational and eye-opening for those who aren’t dealing with security issues on a daily basis.
Get buy-in by showing how the tactics that have been employed have reduced risk for the business. Wherever possible, provide objective measurements of progress in the area that the remediation team cares about. When you can objectively measure results, you can better articulate progress, which will get the remediation team’s attention and help them have “skin in the game.”
Don’t View Security in a Binary Fashion
Security personnel can often be seen as nihilists, taking an approach that says, in effect, “If it’s not perfect security, why bother?” This perception is detrimental to risk reduction, and leaves the security team set up to fail.
While there are a lot of absolutes in the world, the concept of security isn’t one of them. An organization can scramble to implement an extensive set of fixes and enhancements to address a threat or to pass an audit, and still get hit by a breach the next day. The reality is that 100 percent, foolproof, absolute security isn’t a realistic goal, and if security is focused on that as an objective, they’re only setting everyone up for failure.
The organization will never reach some mythical point of complete security, and security shouldn’t try to manage toward that goal. Security and remediation teams need to understand there will always be gradations—and that the organization will get more secure or less secure based on a number of factors.
I’d encourage an analytic approach. Take a cue from Bayesian statisticians, who understand the value of weighing both probability and impact. Focus on how to make the most efficient progress toward improving the business’s security posture. Instead of counting vulnerabilities, security teams need to be managing risk. Factor in intelligence not only on vulnerabilities but on external threats, including which vulnerabilities are currently being exploited and how often.
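To make the probability-times-impact idea concrete, and to show why “which five will most effectively reduce risk?” and “has any progress been made?” get different answers than a raw vulnerability count, here is an added example in Python. It is not code from the original post and not Kenna’s scoring model; the weights in likelihood(), the asset criticality scale, and every finding in the sample data (placeholder ids, not real CVEs) are constructed for illustration.

```python
"""Risk-based prioritisation and a closed-loop trending metric.

Constructed example with a hypothetical scoring scheme; the weights below are
illustrative assumptions, not a published or vendor model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One scanner finding enriched with threat intelligence and business context."""
    vuln_id: str              # constructed placeholder id, not a real CVE
    asset: str
    cvss_base: float          # scanner severity, 0-10
    exploited_in_wild: bool   # threat intel: is exploitation currently observed?
    exploit_reports: int      # how often exploitation has been reported (constructed)
    asset_criticality: int    # business impact of the asset, 1 (low) to 5 (critical)
    internet_facing: bool
    fix: str                  # the prescriptive action handed to the remediation team


def likelihood(v: Vuln) -> float:
    """Probability-style estimate that the finding gets exploited (hypothetical weights).

    The CVSS base score sets a floor; observed exploitation in the wild dominates;
    report frequency and internet exposure add to it. Capped at 1.0.
    """
    p = 0.05 + 0.03 * v.cvss_base
    if v.exploited_in_wild:
        p += 0.4 + min(v.exploit_reports, 50) / 100
    if v.internet_facing:
        p += 0.1
    return min(p, 1.0)


def impact(v: Vuln) -> float:
    """Business impact normalised to 0..1 from the asset criticality rating."""
    return v.asset_criticality / 5.0


def risk(v: Vuln) -> float:
    """Expected-loss proxy: probability times impact."""
    return likelihood(v) * impact(v)


def prioritize(vulns, top_n=5):
    """The risk-managed ordering: highest risk first, cut to what a team can take on."""
    return sorted(vulns, key=risk, reverse=True)[:top_n]


def by_severity(vulns, top_n=5):
    """The dump-and-run ordering: raw scanner severity, blind to threat and impact."""
    return sorted(vulns, key=lambda v: v.cvss_base, reverse=True)[:top_n]


def work_order(vulns, top_n=5):
    """Prescriptive, prioritised list with the 'why' attached to every item."""
    lines = []
    for v in prioritize(vulns, top_n):
        why = "actively exploited" if v.exploited_in_wild else "no known exploitation"
        lines.append(f"{v.asset}: {v.fix} (risk {risk(v):.2f}; {why}; "
                     f"asset criticality {v.asset_criticality}/5)")
    return lines


def total_risk(vulns) -> float:
    """The single trending metric: summed risk, not a count of findings."""
    return sum(risk(v) for v in vulns)


def trend(before, after) -> dict:
    """Closed-loop comparison of two scan cycles; counts and risk can move in opposite directions."""
    return {
        "count_before": len(before), "count_after": len(after),
        "risk_before": round(total_risk(before), 4), "risk_after": round(total_risk(after), 4),
    }


# Constructed sample data: last month's findings.
LAST_MONTH = [
    Vuln("VULN-001", "web-01", 7.5, True, 40, 5, True, "apply the vendor patch to the web framework"),
    Vuln("VULN-002", "db-01", 9.8, False, 0, 5, False, "upgrade the database engine at the next window"),
    Vuln("VULN-003", "dev-laptop-17", 9.8, False, 0, 1, False, "push the OS update via endpoint management"),
    Vuln("VULN-004", "vpn-gw", 6.1, True, 5, 4, True, "install the gateway firmware update"),
    Vuln("VULN-005", "intranet-wiki", 4.3, False, 0, 2, False, "bump the wiki package version"),
    Vuln("VULN-006", "build-01", 5.0, True, 1, 3, False, "patch the CI agent"),
]

# This month: the two highest-risk items were fixed, three low-risk findings are new.
THIS_MONTH = [v for v in LAST_MONTH if v.vuln_id not in {"VULN-001", "VULN-004"}] + [
    Vuln("VULN-007", "test-vm-01", 3.1, False, 0, 1, False, "update library at next image rebuild"),
    Vuln("VULN-008", "test-vm-02", 3.1, False, 0, 1, False, "update library at next image rebuild"),
    Vuln("VULN-009", "print-srv", 3.1, False, 0, 1, False, "apply update in the monthly cycle"),
]

if __name__ == "__main__":
    for line in work_order(LAST_MONTH):
        print(line)
    print(trend(LAST_MONTH, THIS_MONTH))
```

Two things to notice when running it: the severity-only ordering puts the two 9.8 findings first, while the risk ordering leads with the actively exploited, internet-facing web server and VPN gateway, and pushes the developer laptop to the bottom; and after the team fixes the top two, the finding count goes up (6 to 7) while the risk metric drops sharply, which is exactly the progress a raw count would hide.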
What happens when security and remediation teams stop the finger-pointing and start collaborating? A lot of goodness:
- Security teams get more effective in achieving their objectives. The most critical threats are flagged and addressed far more quickly. Instead of chasing their tails and counting vulnerabilities, they’re focused on what really matters: reducing risk to the business.
- Remediation teams get more productive. These teams will be able to accomplish more when they stop wasting time sifting through giant reports, or trying to figure out how to address issues. Instead, they get clear solutions, know why they’re important, and execute on them.
How Kenna Can Help
Too often, security and remediation teams simply don’t get along, and this lack of harmony can have a big impact on the business. To address these challenges, security teams need to take a different approach, and they may also need some different tools in their arsenal. Vulnerability scanners are only one small piece of the solution.
Kenna helps teams leverage more intelligence to move beyond identifying vulnerabilities, and start measuring and managing risk. Kenna helps security teams get clear on where the biggest threats are, and how they can be addressed. This information enables security teams to provide prioritized lists of efforts and clear solutions, so remediation teams won’t have to sift through giant reports or waste time trying to figure out what the fix is. With this information, security teams can become more effective at collaborating, coordinating efforts, and strengthening security—because they’re looking at the same metrics, and it becomes black and white whether the business is moving towards the ultimate goal of being more secure.