Why Converged Security matters: win the Whack-a-Mole game

Over the past weeks I have been blogging about Converged Security, describing some key use cases in a more holistic approach to securing your enterprise. In this fourth instalment I would like to discuss the secure asset lifecycle.

 

My kids are older now, but I remember the days where every other week we were invited to a birthday party. Many of these parties took place in arcades where one of my favourite games (let’s face it, I had to find something to do while toddlers tore the place apart) was Whack-a-Mole.

 

I feel for the IT security folks. Their world resembles an endless game of Whack-a-Mole. They scan the environment, fix the security holes and 5 new ones pop up the next day. You may argue that it goes with the territory, and I would agree with you, if it weren’t for the fact that in many cases this is inflicted on them by their IT brethren. Devices, systems, servers, components, applications are continuously deployed into the production environment but often without much thinking into how this may affect security. IT Security is often not even aware that a new system has made it to the production floor until their next scan finds it, at which point they can cure it from its vulnerabilities, but wouldn’t prevention make a lot more sense?

Consider the following picture

Secure asset lifecycle

 

This is a simple depiction of the Secure Asset Lifecycle. When new assets are being deployed you need to first determine their risk profile. Is it production or test? Is it externally accessible? Is it mission-critical? What technologies does it use? These are just a few simple questions you need the answers to in order to assess the risk profile of the asset. Once you do that you can then decide what compliance controls are needed, how to manage its vulnerabilities and how to continuously monitor it to ensure it remains secure.

Sounds like a lofty goal, so here are a few things you can do today that should not require much effort:

  • Include representatives from security in your change management process (e.g. have IT security represented in your CAB)
  • Add an IT security evaluation as a required step to your release or deployment process

For a more advanced use case, you could – for instance – integrate your IT discovery with your IT security scans to provide a holistic asset register. This will also be of enormous benefit when it comes to Automated Discovery and Remediation, which will be the topic of my next and final blog in this series.

For more information on how to implement converged security, visit http://hpsw.co/z4L6DqJ, or come and see my colleague Gerben Verstraete present how together we stand, but divided we fall at HP Protect .

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author
Featured


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.