Endpoint Security 301: When Products, Policies, and People Break Down the Lines of Communication

Security architecture is like the ocean: no one owns it, and it is constantly affected by change. New technologies are introduced, staff changes occur, and as a result, communication suffers. I often see environments where ownership is placed into silos across teams in the enterprise, meaning IT administrators preventing threats may not get the insights uncovered by security operations teams. On the other hand, SecOps may not receive details on why a policy or configuration change has occurred. What’s more, in environments without effective integration between security tools, this lack of communication means the insights and visibilities that might benefit other stakeholders rarely travel or surface outside the immediate security team.

Add into the mix a pool of security tools that can’t co-exist — or who do so poorly in a way that causes conflicts with the other — and the situation is complicated even further. Clearly, implementing an effective, comprehensive endpoint strategy is one challenge, but maintaining that strategy is usually where the real battle begins.

A crucial part of winning this battle is ensuring that IT security administrators and SecOps work together effectively. Let’s examine how these two can do so to ensure all bases and endpoints are covered.

A Lack of Alignment Exacerbates the Skills Gap

A quick reminder: IT security teams are responsible for the health of the network and IT infrastructure, requiring them to focus on access controls, endpoint protection, and vulnerability management. SecOps teams, meanwhile, establish the rules their organization must follow to secure their environment.

Logically, these teams should work hand-in-hand, but in most enterprises, they are siloed due to functional or technical limits. Each has little visibility into what the other side is doing on a day-to-day basis, plus a complete lack of insight into longer-term strategic security initiatives. This can lead to a breakdown in rules, configurations, and escalations that has a detrimental impact on an enterprises’ infrastructure.

Lack of communication can also make it hard for IT security admins to know how to escalate and prioritize issues, as well as prevents SecOps from upskilling. For example, junior analysts can only address about 30% of alerts today. The remainder of alerts require a higher skill set to remediate, a problem that’s only compounded by the lack of qualified cybersecurity talent. In fact, some estimates expect the number of unfilled cybersecurity jobs to rise to 3.5 million by 2021, and because many SecOps tools today require significant experience to operate, communication and education will only become more critical.

Establishing Shared Visibility Between Teams

Now that we know the issues that can arise when SecOps and IT admins don’t communicate, let’s address some of the solutions and outcomes. It all starts with better, shared visibility. When each team has insight into what the other is working on, teams are no longer siloed, and less time is spent on alerts and false positives that frontline IT can handle rather than SecOps. This means that if an eventual hack or breach does occur, more time and effort can be spent on threat remediation in order to strengthen an enterprise’s endpoint environment.

Shared visibility extends into joint policy creation as well. When forming policies, if IT admins and SecOps provide their respective input, there is less of a chance of miscommunication or misconfiguration. Policy changes can be understood from the get-go by forming a holistic approach, with the necessary expertise and insights from both teams coming together to create an overarching endpoint security strategy that’s more secure.

SecOps and IT must also find a way to extend that visibility to new team members. In my experience, solving security architecture issues requires a two-pronged approach. First, the security industry should take more responsibility for designing products usable by both the most advanced security professionals and operational staff and analysts. But second, organizations must ensure that a lack of continuity at customer sites from staff rotations is maintained through documented policies to support product configurations. In other words, organizations must ensure the appropriate processes are in place to support the security tools they deploy. This historical knowledge matters because, anecdotally,I find that a significant number of escalations are addressable simply by reverting a customer environment back to default settings. New employees are unaware of this quick fix and therefore waste precious time and resources on unnecessary efforts.

Collaborating for True Endpoint Security

With these challenges in mind, we recommend the following steps.

• Create visible, documented policies for all products and scenarios. This helps overcome a lack of communication, staff turnover, and the inability of products to integrate.
• Conversely, seek integration and automation. And in fact, organizations are doing so, with over 70% pursuing increased automation in endpoint security, including automated detection and response.
• Establish cross-functional collaboration in other ways. For example, require IT admins to flag threats to SecOps.
• Review your policy book and guidelines quarterly so that the latest technology and processes can be effectively integrated into guidelines.

IT security admins and SecOps teams don’t have to — and shouldn’t — do their jobs alone. To cover all bases, they can leverage a multitude of endpoint security solutions with proactive, collaborative, and integrated technology built in. These solutions allow IT security admins and SecOps teams to focus their efforts elsewhere, such as on strategic projects, policies, and insights.

McAfee MVISION Endpoint and MVISION Mobile, for example, build machine learning (ML) algorithms and analysis into their architecture to help monitor and identify malicious behavior. Additionally, McAfee Endpoint Detection & Response combines real-time endpoint monitoring and data collection with rules-based automated response and analysis capabilities so that both IT security and SecOps can be involved in the process of fostering effective enterprise endpoint security in a way that makes both of their jobs easier.

With the proper visibility between IT security and SecOps teams, advanced security solutions not only bring an endpoint security strategy full circle but also allow for more time to be spent on collaboration and teamwork. An endpoint security strategy is only as strong as its weakest link – human, solution, or otherwise. Enterprises should ensure that their weakest link isn’t a vulnerable missing link between IT admins and SecOps.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.