No Summer Vacation from Security Threats
Editor's Note: First Look will feature the perspectives of an Avanade consultant
and a guest commentator on a single issue. This month, we look at security with
Rick Birkenstock, Infrastructure Transformation Practice Director, Avanade West
Region, and Alan McIntosh, Director, Computing Operations and Architecture,
Siebel Systems, a leading provider of multi-channel business application
software.
Rick Birkenstock: There's a thriller for everyone's summer reading list,
and IT professionals are no exception with books like High Tech Crimes Revealed:
Cyberwar Stories from the Digital Front due out in August.
Then again, there are plenty of "thrills" at the office to keep the
security-minded very busy. Worms and viruses are no less a problem this summer
than at any other time of year. The last week of July brought a reprise of Bagle, a
new Atak, and variants of Lovgate and MyDoom, among other worms and viruses. At
the same time, Microsoft released seven patches mid-month. Windows Update
Services, the second edition of Microsoft's free patch management technology
(aka "SUS 2.0"), which promises to help with patch management, is not due out
until next year.
The key is for companies to recognize that patch management is not simply a
question of having the right technology or simply pushing software updates; it
involves a combination of tools, process and people. Moreover, it's about
"knowing what you have" and specifically how those objects are configured.
Alan McIntosh: That's right. At Siebel Systems, we run a lean IT team.
Here, as at many companies, we have our hands full with the daily challenges of
configuration management, change control and software distribution. The
frequency and volume of patches and fixes from Microsoft add to the workload.
The event that galvanized our team around patch management was the SQL Slammer
attack. With more than 15,000 desktops and laptops to manage, Slammer presented
us with the very real challenge of trying to respond without a process or even
a baseline inventory of configuration and patch status in place. No single
software application could make those challenges disappear.
We put all our staff on the case for an entire week — something we never
thought we'd have to do, and never intend to have to repeat. The team was
working in reaction mode, trying every possible tactic to contain the problem.
More than anything, the time and effort we put in made it clear that our
vulnerability was more than an issue of having the right software to prevent
infection.
RB: We find most companies treat patch management as a tactical exercise
- opting to either "patch and pray" or wait until the exploit actually affects
their infrastructure. Those that do subscribe to these approaches — and
nothing more — will someday find themselves in circumstances similar to
Siebel Systems' when Slammer hit.
The security Holy Grail is a single tool that would guarantee all devices and
systems always had the most up-to-date security software. However, this tool or
technology does not exist. The real fact of the matter is that IT managers are
having a harder and harder time controlling access to corporate resources and
inventorying and managing the configurations of the systems they have.
AM: Since employees work from home offices, for example, it's easy to
imagine someone connecting from an infected home computer and unwittingly
transmitting a virus or worm.
RB: But when there's a security crisis, technology is just about the
least of a company's worries. Even the best technical solution can be undermined
by weak staff response and a lack of planning. A delay in the IT department's
reaction due to confusion or uncertainty - even lack of recognition of the kind
of problem that's taking place — simply allows for the problem to expand
in size and allows it more time to wreak havoc. Add to that the risk of quickly
deploying patches without some level of testing against the production systems
unique to your environment, and you're putting your business systems at risk.
For these reasons, we recommended a holistic approach to addressing these
issues for Siebel; a security action framework which encompasses people,
process and technology. That framework addresses three crucial areas where
weakness can cause a company's defenses to collapse.
AM: We knew we needed some sort of process for patch management. The
tool we had developed internally for pushing patches out to the organization
was not enough to ensure systems were up-to-date, much less help us respond to
unforeseen crises. However, because we weren't sure where to start work, I
decided it would be best to bring in some outside perspective — and
specifically, outside expertise on the nuances of securing the Microsoft
platform.
RB: To develop a security action framework, we discuss what a company
like Siebel Systems has to do to address threats before they happen, and how to
be prepared to react when they do. Our approach is based on an inventory of
assets that could be at risk, prioritization of that risk and determination of
which alternatives for action should be taken.
This process, though painstaking, produces a thorough assessment of threat
scenarios that becomes a reference plan of action for both proactive and
reactive scenarios. It's powerful in combination with time-tested procedures
and methods for evaluating a situation to determine the appropriate security
response - including what to do with updates from Microsoft.
Next, we determine what events or signals should prompt IT staff to identify a
threat and execute the plan.
AM: We found this process of developing the security action framework
was straightforward and logical. Avanade brought a structure for the discussion
so that we arrived at clear risk statements that helped us understand the real
consequences of threats. This gave us a factual basis for assessing probability
and prioritizing our responses.
RB: Technology certainly plays a part in a security action framework,
too. It's important to establish a baseline inventory of systems' configuration
and patch status. This paves the way for using tools to automate certain
aspects of patch management such as remote installation and rollback of
updates. For Siebel Systems, the baseline also serves as a basis for reporting
mechanisms to measure the progress of patching and ultimately, ensure systems
are up to date.
AM: It doesn't go without saying that the technical foundation of our
security action framework is built on Microsoft products. Working with a
partner well-versed in Windows Server 2003 brought an additional measure of
security to our IT environment, in that we were able to take advantage of
features and functions introduced as a result of Microsoft's Trustworthy
Computing initiative.
Today, at the first sign of a threat, we don't fly blind. A virtual patch
management team I've set up meets once a week, and gets together when an event
occurs or an exploit is discovered. We follow the best practices Avanade has
recommended for getting a handle on a given situation, and we consult our
contingency plan to determine what to do in response.
The return on investment in the security action framework has been
extraordinary. The Siebel Systems IT department is able to work more
productively and can guarantee that security patches — whether critical
or important — will get pushed to all systems within 36 hours. And we
have a cost-effective infrastructure for patch management that helps minimize
vulnerability in our IT infrastructure. Since the implementation of the
framework, we have experienced no downtime and have significantly reduced the
risk of loss from security failures.
RB: That does not mean Alan's team is resting on its laurels. Now they
are piloting advanced Microsoft tools to test further automation of patch
management, and examining their systems for ways to further streamline our
technology and efficiently introduce new components. As they continue to layer
on additional security strategies and push out the defense perimeter, Siebel is
fast approaching a point where they'll have the luxury of implementing patches
on their timetable.
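The baseline inventory of configuration and patch status and the 36-hour deployment target discussed above are easy to turn into a concrete compliance check. The following is an added example written for this page; it is not code from Avanade or Siebel Systems. The hostnames, the patch identifiers (PATCH-A, PATCH-B, PATCH-C), the release times and the "now" timestamp are all constructed placeholders, not real Microsoft bulletins.

```python
# Added example (not Avanade's or Siebel Systems' tooling): a patch-status
# baseline and compliance report of the kind a patch management team would
# review at its weekly meeting. All hosts, patch IDs and timestamps are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical required-patch list: placeholder IDs mapped to their release time.
REQUIRED_PATCHES = {
    "PATCH-A": datetime(2004, 7, 13, 18, 0),
    "PATCH-B": datetime(2004, 7, 13, 18, 0),
    "PATCH-C": datetime(2004, 7, 30, 9, 0),
}

# Constructed baseline inventory: host -> set of patch IDs known to be installed.
INVENTORY = {
    "ws-101": {"PATCH-A", "PATCH-B", "PATCH-C"},
    "ws-102": {"PATCH-A"},
    "lt-201": {"PATCH-A", "PATCH-B"},
    "srv-01": set(),
}

# Deployment target stated in the article: every patch on every system within 36 hours.
DEADLINE = timedelta(hours=36)

# Constructed point in time at which the report is produced.
NOW = datetime(2004, 7, 31, 12, 0)


@dataclass
class HostStatus:
    host: str
    missing: list   # required patches not installed, sorted by ID
    overdue: list   # subset of missing whose 36-hour window has already elapsed


def assess(inventory, required, now, deadline=DEADLINE):
    """Compare each host's installed set against the required list."""
    result = {}
    for host, installed in sorted(inventory.items()):
        missing = sorted(p for p in required if p not in installed)
        overdue = [p for p in missing if now - required[p] > deadline]
        result[host] = HostStatus(host, missing, overdue)
    return result


def fully_patched_rate(statuses):
    """Share of hosts with nothing missing."""
    total = len(statuses)
    return sum(1 for s in statuses.values() if not s.missing) / total if total else 0.0


def within_sla_rate(statuses):
    """Share of hosts with no overdue patch (missing but still inside the window is OK)."""
    total = len(statuses)
    return sum(1 for s in statuses.values() if not s.overdue) / total if total else 0.0


def missing_per_patch(statuses):
    """Hosts missing each patch, most widespread first, to prioritise the rollout."""
    counts = {}
    for s in statuses.values():
        for p in s.missing:
            counts[p] = counts.get(p, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def report(statuses):
    """Plain-text progress report: coverage, per-patch gaps, and overdue hosts."""
    lines = [f"fully patched: {fully_patched_rate(statuses):.0%}",
             f"within 36h SLA: {within_sla_rate(statuses):.0%}"]
    for p, n in missing_per_patch(statuses):
        lines.append(f"{p}: missing on {n} host(s)")
    for s in statuses.values():
        if s.overdue:
            lines.append(f"OVERDUE {s.host}: {', '.join(s.overdue)}")
    return "\n".join(lines)


def example_statuses():
    """Run the assessment over the constructed inventory at the constructed time."""
    return assess(INVENTORY, REQUIRED_PATCHES, NOW)


if __name__ == "__main__":
    print(report(example_statuses()))
```

The point of separating "fully patched" from "within SLA" is that a freshly released patch is not a failure until the 36-hour window has passed; the overdue list is what should trigger the contingency plan, while the per-patch counts show which update to push first.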