10 Ways To Transform Your Clients' Security Program

Becoming A Trusted Provider Takes Effort

Selling and helping deploy and maintain the latest security appliance can be a big win for a solution provider, but it won't necessarily translate into a long-term relationship with the client. To become a trusted advisor on security issues, experts in the channel say they focus on building relationships with key business and IT executives and on understanding the business inside out.

Helping businesses reduce risk requires a focus on people and processes, said J.J. Thompson, managing director and CEO of Rook Security. Resellers with strong security practices, consultancies and managed security service providers can grow their business by going beyond selling technology improvements, Thompson said.

Thompson went on to outline the key components of a next-generation security operations center, which provide the foundation necessary to establish a strong security program. Here are 10 ways, according to Thompson, to help transform your clients' security program.

10. Cloud Security Controls Integrated With Core SOC

Although the implementation differs slightly, the controls implemented for the cloud environment should be integrated with, and handled the same way as, your core security operations center monitoring capabilities, Thompson said. Your security operations center (SOC) should be indifferent to the location of the data. Security must follow the data and provide the same monitoring capabilities regardless of where it resides.

9. Approved Cloud Vendors

Cloud vendors should be approved by category, Thompson said. Not all cloud vendors are created equal, and if there was ever a time when organizations could simply say no to all of them, it's long since passed, he said. Identifying those cloud vendors that enable the business but maintain sufficient security controls is a task that involves both the security operations team and management alike. Then, it's on the SOC to implement controls to block unapproved cloud vendors.

8. Cloud Enablement Controls

The same controls required on-premises must also be implemented in the cloud environment. An architecture inventory, exfiltration protection, DNS, and logging controls are among those required to manage and protect data in the cloud environment, Thompson said.

7. Incident Response Capabilities

Businesses need on-premises, remote and cloud incident response capabilities on demand, Thompson told CRN. A compromise can occur at a satellite office 1,000 miles away or in the cloud just as easily as it could at your corporate headquarters. Having the capability to respond effectively to an incident without flying your team to Hong Kong to deal with it on-site can save you money and time in a critical moment. Gaining the visibility, intelligence and control to respond to an incident in Amazon or Rackspace can be a challenge, but they must be gained in order to secure your cloud environment effectively.

6. Public, Private Cloud Options

There is no question that the cloud offers many advantages: scalability, reliability, efficiency and so on. However, many organizations debate between private and public cloud. In either, the organization gives up some level of control over its data, especially in the public cloud. In both scenarios, however, basic security controls must be implemented, Thompson said.

5. Real-Time Scalability

Security needs to be scalable and cost-effective, but thanks to the marketing messaging behind virtualization and cloud capabilities, boards also expect that security resources can be increased or decreased at a moment's notice through a virtual dial that is constantly adjusted to achieve perfect harmony. What's the biggest challenge? Communicating the value of security relative to the spend and the resulting outcomes. What's the next big challenge? Demonstrating that security can manage KPIs like the rest of the business, and can increase or decrease spend according to business risk. Success has been achieved when the resources (people, time and money) used to run security operations can be redeployed at a moment's notice based on risks, threats and policy decisions that take place between budgeting cycles, and when that redeployment is easily documented and visualized to show the outcome.

4. Outcome-Based Metrics

Not all metrics are created equal. The best security operations centers use metrics that drive an adjustment, a change of behavior, or a reallocation of security resources, Thompson said. It's no longer sufficient to provide the total count of identified vulnerabilities, because that doesn't map to an outcome or adjustment. Instead, report on the count of vulnerabilities that are net new since the last scan; the vulnerabilities that are exempted because the risk has been accepted; and those that are still unresolved. Each of these stems from a different root cause and therefore requires a different path to resolution, Thompson said. A bare count of vulnerabilities simply doesn't provide the information needed for a change of behavior that results in an improved outcome.
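As an added illustration of this metric split (not code from the article or from Rook Security), the Python below diffs two constructed scan results against a risk-acceptance register, so each bucket maps to a distinct follow-up action; an acceptance that has lapsed is counted as unresolved rather than exempted. All host names, check identifiers and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner check identifier (constructed, not a real plugin id)
    severity: str


# Constructed sample scans: the previous cycle and the current one.
PREVIOUS_SCAN = [
    Finding("web-01", "TLS-WEAK-CIPHER", "medium"),
    Finding("web-01", "OUTDATED-LIBSSL", "high"),
    Finding("db-02", "DEFAULT-CREDS", "critical"),
    Finding("app-03", "VERBOSE-ERRORS", "low"),
]
CURRENT_SCAN = [
    Finding("web-01", "TLS-WEAK-CIPHER", "medium"),  # still open since last scan
    Finding("db-02", "DEFAULT-CREDS", "critical"),   # still open, risk accepted
    Finding("app-03", "VERBOSE-ERRORS", "low"),      # still open, acceptance lapsed
    Finding("app-03", "SQLI-PARAM", "high"),         # not seen before
]
# Risk-acceptance register (constructed): (host, check_id) -> acceptance expiry.
RISK_ACCEPTED = {
    ("db-02", "DEFAULT-CREDS"): date(2030, 1, 1),
    ("app-03", "VERBOSE-ERRORS"): date(2020, 1, 1),  # expired: no longer exempt
}


def outcome_metrics(previous, current, accepted, today):
    """Bucket current findings by the action each requires, and list closures."""
    prev_keys = {(f.host, f.check_id) for f in previous}
    buckets = {"net_new": [], "risk_accepted": [], "unresolved": [], "remediated": []}
    for f in current:
        key = (f.host, f.check_id)
        if key in accepted and accepted[key] >= today:
            buckets["risk_accepted"].append(f)  # exempt; re-review before expiry
        elif key in prev_keys:
            buckets["unresolved"].append(f)     # carried over; escalate to owner
        else:
            buckets["net_new"].append(f)        # first sighting; triage and assign
    current_keys = {(f.host, f.check_id) for f in current}
    # Findings present last cycle but absent now: closed since the last scan.
    buckets["remediated"] = sorted(prev_keys - current_keys)
    return buckets


def summary(buckets):
    """Per-bucket counts, the figures a board-level report would carry."""
    return {name: len(items) for name, items in buckets.items()}
```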

3. Resource Throttling

Executives are looking for an end-to-end solution for achieving the business's directives while continuing to improve on the processes and tools IT teams have already put in place, Thompson said. The result is efficient detection, blocking, notification of, and response to threats, while maintaining a virtual dial that gives effective control over security operations center resources and utilization to meet dynamic business constraints.

2. Threat Intelligence

Threat intelligence goes far beyond patch and vulnerability management, Thompson said. Real threat intelligence is a capability that ties human analysts to metadata about attacker profiles, attack signatures, the timing of the attack, Internet advanced-warning indicators, and information about the target, answering such questions as: what kind of data is on the host, what is it connected to, what is its current posture, what could potentially be exploited, what are recent attack patterns, and where did they originate? Armed with this intelligence, a SOC can provide predictive analysis and early warning, mitigate threats before or during the attack with the utmost efficiency, and round this out with effective executive communication.

1. Visibility

Security teams must detect and respond to digital attacks. To do this, the SOC must have the visibility needed to determine when an attack is occurring and what its nature is, and it must also have the data necessary to tell one attack type from another, said Rook Security's Thompson. This requires Tier-1 baseline controls to be put in place and the associated data-centric tools from companies like Palo Alto Networks, Alert Logic, RSA-NetWitness, HP-ArcSight, etc., to be properly deployed.