Security operations and network operations teams have always had a hard time seeing eye to eye. All too often, each side runs at cross purposes with the other. Networking pros view security specialists as obstructionists who make work difficult while security pros see networking teams as carelessly asking for too many permissions and opening up too much of the network to attack in the quest for expedience.
In a lively session hosted within this week's SolarWinds Thwack Camp conference, a security veteran and network operations veteran went toe-to-toe to air the grievances of each side, offer reasons why the two sides should cooperate better, and provide some tips on how to bridge the gulf.
On one side, security teams struggle to deal with skyrocketing attack volumes, ever-growing application portfolios, and increasingly complex network topologies. All of this work is done without commensurate growth in security staff -- and requires touching assets that security doesn't "own."
"Our challenge on the information security side is we are just lacking in staff and we need your help," said Charisse Castagnoli, information security and strategy officer for the office of the CSO at Websense and a longtime security professional. "The network is the portal, things go in and things go out when [incidents] happen, whether it is malware or accidental disclosures. When you're on an incident, you're discovering things and you're putting together the pieces of the puzzle, and a lot of times you guys are the ones who have the data."
On the other hand, network operations are called to continually bring up new systems and capabilities the business wants to run, all while ensuring everything runs at the highest levels of availability.
"The problem is it takes time," said Leon Adato, SolarWinds Head Geek, "and on top of that, I'm dealing with what I call MTI -- mean time to innocent. In day-to-day running of operations, things are breaking and 'It's the network.' It's never the network. But I've got to prove it. So I'm dealing with that."
As Castagnoli put it, security leaders are often well aware of the pressure to maintain availability, but availability is only one part of the triad security teams call CIA: confidentiality, integrity and availability.
"We do often run in conflict, but we've got to figure out a better way of balancing availability with confidentiality and integrity," she said. "It's important to be available, but it's important to be available safely."
Castagnoli said that security leaders like her must do a better job of extending the olive branch and building relationships with networking teams before crises hit.
"You have to proactively make time for this," she said. "Know the person before you need them; take that NetOps counterpart out to lunch."
In the meantime, even if networking teams are slammed, she believes they can at least start giving security teams a "heads up" when it's warranted, for example when a new application project starts up and the security team is noticeably absent.
"If you're the NetOps person, you should say, 'Where's the security person? Have they given you a risk assessment before you deploy that?'" she said.
Meanwhile, Adato said security people need to be more conscientious and "commit to not putting in rules that break the network." Castagnoli agreed that could be a challenge and suggested giving security teams a "three strikes" rule, especially as things start to change with software-defined networking. Adato said it would help if network teams did a better job of inviting security people to the proof of concept or sandbox so they can get in early on projects.
"But if we invite them, they have to come," he added.
"For security operations managers out there, you have to make this [kind of invitation] a priority for your team," she said. "You have to give them the time to do this because an ounce of prevention is worth a pound of cure, and this is where you'd have the opportunity to head off something that could be disastrous."