Movie fans everywhere recognize 2001: A Space Odyssey as classic groundbreaking science fiction cinema. If you’re not a sci-fi geek, and haven’t seen this iconic film, let me set the stage for you. The spacecraft’s online artificial intelligence “team-member,” HAL, notifies his human compatriots that he has “just picked up a fault in the AE35 unit.” This is bad news for the crew, as their communications with Earth are largely dependent upon the continued performance of this one part. The AE35 unit is a critical path item for communications and something that could prove to be disastrous to their mission should it fail.
Security Vulnerability and Potential Depth of Compromise
Computers are now smarter than ever and getting exponentially smarter with each passing of a software upgrade or hardware release. This means that machines are getting more and more complex, growing in intelligence and even taking on human-like characteristics. With these advances, you are reading more and more about security and vulnerability. Can an automated speaker in your house be listening in on conversations? What about your cell phone camera being an intruder and just turning on without your knowledge? We have Bluetooth keyboards and if Bluetooth could be hacked to simply transmit every keystroke; passwords are only a click away. Turning everything off and removing modern life is not an option, but due diligence is.
In the case of the AE35 unit diagnosis, the human factor must always prevail. This brings me to security vulnerabilities. At Dell Technologies, we have validated services to address a variety of security needs. I will explain this in detail, but first, I would ask the following questions:
- How many of you have a smoke alarm installed in your home?
- How many of you have a carbon monoxide detector installed in your home?
- How many of you have a water detection system installed in your critical areas?
- How many of you have lightning rods installed on your roof?
I am sure most of you would answer yes on question 1, many of you on question 2, a few of you on number 3 and most likely none of you on question 4. This is what we have found when we ask our customers if they have a formal security vulnerability team and service actively installed on their computer systems. Military systems do, and financial companies are often a ‘yes’ but for most other companies, adherence to security protocols can be sporadic, as not everyone has the necessary level of expertise and awareness.
The Validated Solution for the Modern Enterprise
Before I delve into security, let me explain the concept of a validated service. Everyone has heard of the term “integrated” when referring to solutions for one thing or another. This means you assemble parts, test, validate and create solutions where every integral part is designed to work together. For example, you don’t buy a smart phone in pieces, or a watch with circuitry and gears and then assemble them yourself…you buy an outcome. With Dell Technologies Managed Services, you buy a validated solution which entails a team of individuals, software, processes and procedures, best practices and industry-based expertise assembled into an outcome. Think of the solution as a security system for your computers, websites, firewalls and everything in between.
We have built a comprehensive service with industry veterans, tools, dashboards, operational efficiencies and guidance that creates a cadence of identification, acceptance, remediation, vulnerability testing and then verification. Couple this with continuous threat research, detection and applicability to your environment and you can feel safe without extraordinary expense and the loss of functionality to your end users.
Let’s take this 5-part series of expertise and break them down.
Identification
They do say ignorance is bliss. But ignoring your company’s security mechanisms is a dangerous thing to do. You visit a doctor for a checkup every year, you visit the dentist several times as well, but how often do you do a security analysis of your critical systems? I would argue that this protocol should be enacted weekly at a minimum, daily preferred. Furthermore, I would recommend a security vulnerability scanner software package as a best practice as well. Humans simply cannot test every port, software patch or other areas of vulnerability, so a software scan is now the only option. In summary, you should pick an industry leader in security operations, adhere to best practices of scanning the proper areas of assets, update your software and patches regularly and above all, take immediate action if your scanner identifies something that shouldn’t be there.
Acceptance
Let’s assume you have purchased scanning software, configured it properly, run your first scans and identified vulnerabilities. Now what? The first step is to accept you have a problem. Do not dismiss the areas of vulnerability away. Conversations like this often occur: “It is behind a firewall” or “that server is powered off” or even “those are scheduled to be deinstalled soon” so let’s not worry about them. By NOT taking action, you are opening your door to hackers. Outdated systems, unpatched software and even ports left open are simply asking for your company name in the press.
Remediation
This is where we separate a capability and turn it into a true service. Simply applying patches to a vulnerability does not close the vulnerability. Usually, in addition to installing a patch, systems experts also need to update one or more settings, change a BIOS or two and then rescan to make sure all the steps have removed the vulnerability. This final, but crucial, step is often overlooked. For example, I could tell you to secure your house by saying, “lock your windows and doors.” OK, done. But did you check to make sure that ALL doors and windows were locked? What if you forgot that small window on the side that you always forget about because it is covered with bushes? This is exactly what happens when doing remediation work. Once all the remediation is supposedly complete, it is key to move to our next step in the process. Applicability and verifiability.
Applicability and Verifiability
Simply because a software or hardware vendor releases a patch, and you have installed it, does not mean you are automatically protected. Verifiability is key as well as the applicability to your systems. Let’s take an example of a network parameter setting. It may have 10 options to remediate the vulnerability, but you might have a network topology in your environment, you may need items #1, #4, #7 and #9. If you just happen to also install patch #5 in error, it could possibly negate protection from items #7 and #9. This expertise is critical and as most of us can attest, security remediation is where this is more critical than any. We should always read the fine print.
Continuous Monitoring and Threat Level Identification
Your operations teams have gone through a massive upgrade, which I will call a waterfall release schedule. Now what, are you safe? How long are you comfortable? How long can you message to your board of directors that you are 100% safe? Well, just as you locked the doors and windows of your home, you are only safe if nothing changes, and nobody unlocks a window. This is the case with security remediation. Your environment changes daily, with parameter settings, new hardware installs, and new discoveries of vulnerabilities that nobody knew existed that now need patching or remediation. Continuous Monitoring-as-a-Service is what we have built into our validated services for security operations.
Summary
Dell Technologies Managed Services has created a best practices methodology entailing a tool-based validated service. I invite you to give us the opportunity to remove the fault in the AE35 unit which enables you to effectively continue on your security transformation journey.
What steps are your organization taking to safeguard its critical systems?
