Well friends, another year down and many more to look forward to. As we venture forth into 2008 like a herd of cattle being led to the slaughter, as we graze listlessly on the digital grass that drives us toward the next ranching town, as clouds circle above with promises of increased riches, cures for baldness, enhanced performance and really cheap drugs, dust storms are gathering in the distance. Cyber wolves are surrounding us, licking their chops as they prepare to gnaw at our hind quarters and steal our calves. Just another year out in the great plains…or welcome to the jungle.
Looking back on 2007, what is most amazing to me is not how far, or not, technology has come, how dangerous the threats may be, how consumerization, virtualization, or webification will drive new and interesting threats and countermeasures, or how many breaches there were and how much loss they led to. No, what really amazes me, and should scare all of you, is the sheer number of organizations that cannot even perform the basics with any level of certainty or efficiency. Most organizations cannot answer the most basic of questions with any timeliness or accuracy, questions such as:
– How many computing devices are deployed in my environment right now?
Believe it or not, it is quite common for an organization to be blind to 15-30% of its computing devices at any given point in time. Imagine if every decision you made to improve security, provide transparency or accountability for compliance, or deal with upgrades, licensing or refresh cycles was based on a 15-30% margin of error. Yet this is the standard. The reasons are many and run the gamut from platform heterogeneity to legacy systems, from mobile and intermittently connected devices to the lack of converged visibility between disparate technologies driven by disparate groups within an organization.
– How many of these do I “actively” manage? How many adhere to basic corporate policies, such as the standard corporate AV engine with the latest DAT files, up-to-date patches, standard configuration guidelines, etc.? How long does it take me to answer these questions, and how accurate is the information? How do you know?
Even if you believe you have an accurate count (and I am willing to bet that you probably don’t) the next question would be “of these deployed devices how many do I actively manage”? Not how many have I deployed something like SMS to, but how many do I actually have full command and control over and can – in real-time – effect a change on, such as shutting down a service or closing a port, closing an application or upgrading to the latest patch levels.
It seems like a fairly trivial question to answer, doesn’t it? But you might be amazed at how difficult it is for organizations, especially those with more than 5k or 100k computing devices, to actually decide to make a pervasive change to their computing devices and then verify that the change actually took place, all in less than 2-3 weeks. Yes, 2-3 weeks, and this is with a margin of error of 15-30%. What is really sad is that there are bot masters that have full command and control of hundreds of thousands of computers, but some of the most sophisticated organizations in the world have no idea if their AV is up to date or if the latest personal firewall settings are being adhered to. Some of you may be thinking that you have it under control, but now think about all of your computing devices: Windows, Linux, Unix (Solaris, HP-UX, AIX, Mac OSX) systems, mobile devices, running any VMware? perhaps some zLinux? Are you using a remote IP scanning tool? Some OS fingerprinting? Now answer the questions again: how many devices are actively deployed in my environment right now, and how many of those do I actively manage?
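The two questions above (what is deployed, and what of that is actively managed) are answerable only by reconciling every source that can see a host and then holding each host against policy. The script below is an added example, not code from the original post or from any vendor it mentions; the CMDB, DHCP, scan, AV console and patch agent exports it uses are constructed sample data, and the policy thresholds (current DAT version, a 7-day AV check-in window) are assumptions chosen for illustration. It reports the blind spot (hosts some tool sees but the inventory does not) as the margin of error the post talks about, and the managed fraction as hosts that meet every policy check at once.

```python
"""Reconcile several inventory sources to answer two questions:
how many devices are actually out there, and how many of them do we
actively manage (current AV DAT, recent check-in, patch agent present)?
All data below is constructed for the example; no real hosts."""
from datetime import date

# --- Constructed exports from hypothetical tools (hostnames, lowercase) ---
CMDB = {"fin-ws01", "fin-ws02", "hr-ws01", "db-sol01", "app-aix01", "web-lnx01"}
DHCP_LEASES = {"fin-ws01", "fin-ws02", "hr-ws01", "hr-ws02", "lab-vm03", "web-lnx01"}
NET_SCAN = {"fin-ws01", "fin-ws02", "hr-ws01", "hr-ws02", "db-sol01", "app-aix01",
            "web-lnx01", "lab-vm03", "zlinux-01"}
# AV console: host -> (DAT version, last check-in date)
AV_CONSOLE = {
    "fin-ws01": (5210, date(2007, 12, 30)),
    "fin-ws02": (5180, date(2007, 12, 30)),   # stale DAT
    "hr-ws01": (5210, date(2007, 11, 2)),     # agent present but silent for weeks
    "web-lnx01": (5210, date(2007, 12, 31)),
}
# Hosts on which the patch/software-distribution client reports in
PATCH_AGENT = {"fin-ws01", "fin-ws02", "hr-ws01", "hr-ws02", "web-lnx01"}


def discovered_hosts(*sources):
    """Union of every source that can see a host: best estimate of what is deployed.
    Dicts contribute their keys; names are normalised so sources can be joined."""
    found = set()
    for src in sources:
        found |= {h.strip().lower() for h in src}
    return found


def blind_spot(inventory, discovered):
    """Hosts seen by some tool but absent from the official inventory,
    and that gap as a percentage of everything discovered."""
    unknown = discovered - inventory
    pct = 100.0 * len(unknown) / len(discovered) if discovered else 0.0
    return unknown, round(pct, 1)


def actively_managed(hosts, av, patch, current_dat, as_of, max_checkin_days=7):
    """A host counts as managed only if every check passes: AV agent present,
    DAT current, checked in recently, patch agent present. Returns the managed
    set and, per failing host, the list of reasons so someone can act on them."""
    managed, reasons = set(), {}
    for h in sorted(hosts):
        problems = []
        rec = av.get(h)
        if rec is None:
            problems.append("no AV agent")
        else:
            dat, last_seen = rec
            if dat < current_dat:
                problems.append(f"stale DAT {dat} < {current_dat}")
            age = (as_of - last_seen).days
            if age > max_checkin_days:
                problems.append(f"AV last check-in {age} days ago")
        if h not in patch:
            problems.append("no patch agent")
        if problems:
            reasons[h] = problems
        else:
            managed.add(h)
    return managed, reasons


def coverage_report(as_of=date(2007, 12, 31), current_dat=5210):
    """Answer both questions from the constructed exports."""
    discovered = discovered_hosts(CMDB, DHCP_LEASES, NET_SCAN, AV_CONSOLE, PATCH_AGENT)
    unknown, blind_pct = blind_spot(CMDB, discovered)
    managed, reasons = actively_managed(discovered, AV_CONSOLE, PATCH_AGENT,
                                        current_dat, as_of)
    return {
        "discovered": len(discovered),
        "unknown_to_cmdb": sorted(unknown),
        "blind_spot_pct": blind_pct,
        "managed": sorted(managed),
        "managed_pct": round(100.0 * len(managed) / len(discovered), 1),
        "reasons": reasons,
    }


if __name__ == "__main__":
    r = coverage_report()
    print(f"discovered {r['discovered']} hosts; "
          f"{len(r['unknown_to_cmdb'])} unknown to CMDB ({r['blind_spot_pct']}%)")
    print(f"actively managed: {r['managed']} ({r['managed_pct']}%)")
    for host, why in r["reasons"].items():
        print(f"  {host}: {', '.join(why)}")
```

On the constructed data the inventory is blind to a third of what the network actually shows, and only two of nine hosts pass every check; the per-host reasons are the work list. In practice the exports come from the real tools (a DHCP server log, a scanner, the AV and patch consoles) and the join key usually has to be widened to MAC address or IP, because hostnames alone drift across sources.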
Although there are many new threats on the horizon and many new challenges facing all organizations, if you cannot even perform the basics then you are building security on a weak foundation, which is a recipe for disaster. So before you leap headlong into deploying the latest security widget, or decide all you need to do is sit back and monitor the network, logs, and various transient application and user behaviors, you may want to spend some time making sure you can do some basic asset discovery and have some level of control over these assets throughout your entire environment.