The gap between IT and security teams recently defined by analysts as the “SecOps” gap is a significant pain point for every enterprise. The two teams have a fundamental conflict based on their different objectives and KPI’s. The IT obvious goal is to deploy technology, maintain services and ensure computing uptime for the organization. The security team in this perimeter less era must protect and monitor every server, desktop and machine with best practices and strict standards. the misaligned goals of the two teams are easy to spot across the entire IT food chain from senior management to sysadmins.
We currently see more organizations appointing operational security managers, this role in the IT department is trying to overcome the structural conflict by adding the security perspective to the everyday IT operation. This is a good sign and a first step for integrating security into operations at the management level. Looking down the food chain at the sysadmins level, integrating security into operations is much more complicated. securing a system by implementing a hardened configuration and patching it is an operational threat to the core business due to potential outages and downtime.
There are many examples where security hardening at the OS level can cause outages, we will demonstrate three which are also common attack vectors.
- Schedule task- saving passwords of domain users locally on the server. One of the basic hardening recommendations is- “Network security: Do not store LAN Manager hash value on next password change”. If there is an application which is run by a DOMAIN USER, it keeps the hash locally. Hardening this value will provide better security but on the other hand the application will stop running.
- LM compatibility level- there are few authentication methods for servers/apps/AD some are old and unsecured some are new and secure but their activation will cause a crash to applications which can’t carry those.
- Basic hardening of services- moving a service from automatic/start to disable/stop is a basic thing for reducing vulnerabilities. There are two problems here:
– Dependencies- service 1 is dependent on service 2, we want to disable service 2 but not 1.
– Servers which make usage of services for example- Citrix uses the print spooler service.
There are native configuration management tools such as GPO, SCCM or different manual methods for deploying a basic security policy, but Implementing a broad security policy (a topic that will be discussed in a future blog post) requires extensive manual work and long hours of testing. Skipping the testing phase for sure will break the daily operation of the system and create outages.
The current hype around DevSecOps might affect the gap between sec and ops. The DevSecOps method hope to integrate different security aspects into the DevOps processes. While in the case of security code review and updates that works well in the world of configuration management there are still some difficulties.
The complicated relationship between security and IT is a growing challenge, as both security threats and the amount of new vulnerabilities are increasing. This situation requires a special emphasis from management on developing methods and implementing tools and solutions to overcome the SecOps gap and satisfy both the security and IT objectives.
CalCom provides unique server hardening tools that helps enterprises harden severs in a cost effective and outages free fashion.