I’ve not blogged in quite some time, mostly due to being very busy these days. However I felt I should talk a bit about compliance and how it seems to have changed security from eliminating threats to eliminating compliance gaps.
In the last few years, many regulations have emerged that are now controlling our security initiatives and goals. PCI, SOX, HIPAA, SB1386, Massachusetts Privacy Law, and more on the way. Now, I’m not one to say that regulation does not help in some respects, but often it has undesirable effects that cause many security professionals much discomfort.
What I feel has changed in the security landscape is rather than targeting the latest “threats” we find ourselves doing burdensome business processes which do little or nothing to improve the overall security of our companies. One notable pain point is in an area of PCI that I think drives many of us nuts. The “log review” provision.
In PCI 1.2, the requirement for daily log review in and of itself is well intentioned and something that I cannot argue cause most of us don’t do enough of it. What I find difficult is that we find ourselves reviewing things such as “successful logins” or “failed logins” to comply with these stated controls and I feel there is very little value to doing so. Many companies mandate that system owners review these logs on a daily basis, is our investment really giving us a return? For instance, most companies utilize domain policies that cause account lockout to occur at 5 times and complex passwords to be employed. This represents a compensating control and therefore monitoring and reviewing failed logins is burdensome and unnecessary. That being said, there is still residual value if you receive alerts or reports of extremely high numbers of login failures so it does make sense to monitor for those.
Another issue that I see happening across the industry is when executives make financial decisions based on whether or not they meet these minimum regulations. Often my friends have told me that their companies are cutting back their budgets once they receive their PCI ROC, or their HIPAA compliance report etc. This causes security professionals to face the daunting task of justifying their budgets to mitigate threats against a management who’s already met the minimum bar. Quite a quandary for many of us. I am very hopeful that PCI will continue to morph so that it addresses threats more directly by requiring harder line approaches such as actual inline IPS’s being mandatory and in a blocking state. Or ensuring that application Firewalls are mandatory. Gone are the days you can expose an application to the dirty internet without all your defenses in an active state.