Estimates suggest that the gap between a data breach and its discovery is somewhere between 80 and 200+ days, depending on whose research you’re reading.
Disparities aside, every researcher, security company or independent third-party report seems to agree that there’s a significant gap between a data breach taking place and the victim knowing about it, and each report makes for similarly grim reading. While this tells us a lot about the nature of modern IT security, to me it is also an indication of the gulf between IT service desk and IT security teams.
It has become more obvious recently that every part of the business and every IT department has a part to play in IT security. Slow discovery times serve to highlight the silos that exist within the average organization, especially between IT security and IT service desk teams.
In the real world, for the majority of any breach-to-discovery period, it’s likely that a related incident would already have been logged with the service desk. Had that incident been properly actioned, there’s no chance it would take 200+ days to discover the breach. While this boils the argument down to a rather simplistic conclusion, it certainly suggests that these teams could be doing much more to coordinate an effective response – not to mention building a defence against the attack in the first place.
Making the service desk the first line of defence
Both teams have a unique function and purpose, and that’s not to say that the service desk could ever do the job of IT security, but at the very least it should be the first line of defence. A strong one at that.
Any security team knows that the best defence is knowledge, and the biggest thing any business can do to mitigate risk is to know exactly what is inside its network in order to identify strange behaviours and meaningful trends. The service desk is probably better positioned than any other IT team within the organization to lead this activity, for the simple reason that when a user’s PC is running slowly or a business application is frequently crashing, their first call will likely be to IT support.
Gartner says that by 2018, 40% of service desk interactions will be via mobile devices and, today, more tickets than ever are specifically IT security related. Even routine requests that are easily dealt with in isolation may have a bearing on IT security.
For instance, when such requests start happening simultaneously across a number of different users and devices, they can act as an early warning of a wider problem or even a potential cyber-attack. It’s vital that the service desk escalates requests to the right teams, and that security teams have adequate insight into service desk requests – whether via regular reporting or more ad-hoc communications.
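One way to turn that early-warning idea into a concrete escalation check, as an added example that is not from the original article: group service desk tickets by category and flag any category where, within a sliding time window, tickets arrive from several distinct users on several distinct devices. The ticket records, the four-hour window and the thresholds are all constructed for illustration and are not from any real service desk.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample tickets (illustrative only, not real data).
# Four "pc slow" tickets from different users/devices land within two hours;
# the "app crash" tickets all come from one user on one device.
TICKETS = [
    {"id": "T1", "opened_at": datetime(2016, 3, 1, 9, 5),   "user": "alice", "device": "WS-101", "category": "pc slow"},
    {"id": "T2", "opened_at": datetime(2016, 3, 1, 9, 40),  "user": "bob",   "device": "WS-117", "category": "pc slow"},
    {"id": "T3", "opened_at": datetime(2016, 3, 1, 10, 15), "user": "carol", "device": "WS-122", "category": "pc slow"},
    {"id": "T4", "opened_at": datetime(2016, 3, 1, 11, 0),  "user": "dave",  "device": "WS-130", "category": "pc slow"},
    {"id": "T5", "opened_at": datetime(2016, 3, 1, 9, 30),  "user": "erin",  "device": "WS-140", "category": "app crash"},
    {"id": "T6", "opened_at": datetime(2016, 3, 1, 9, 50),  "user": "erin",  "device": "WS-140", "category": "app crash"},
    {"id": "T7", "opened_at": datetime(2016, 3, 1, 13, 0),  "user": "erin",  "device": "WS-140", "category": "app crash"},
    {"id": "T8", "opened_at": datetime(2016, 2, 20, 8, 0),  "user": "frank", "device": "WS-150", "category": "pc slow"},
    {"id": "T9", "opened_at": datetime(2016, 3, 1, 9, 10),  "user": "grace", "device": "WS-160", "category": "password reset"},
]


def find_ticket_clusters(tickets, window=timedelta(hours=4), min_users=3, min_devices=3):
    """Return {category: summary} for every category in which some `window`-long
    span contains tickets from at least `min_users` distinct users on at least
    `min_devices` distinct devices. Thresholds are assumptions for the example."""
    by_category = defaultdict(list)
    for t in tickets:
        by_category[t["category"]].append(t)

    alerts = {}
    for category, items in by_category.items():
        items.sort(key=lambda t: t["opened_at"])
        # Slide a window starting at each ticket; stop at the first span that qualifies.
        for i, first in enumerate(items):
            users, devices, ids = set(), set(), []
            for t in items[i:]:
                if t["opened_at"] - first["opened_at"] > window:
                    break
                users.add(t["user"])
                devices.add(t["device"])
                ids.append(t["id"])
            if len(users) >= min_users and len(devices) >= min_devices:
                alerts[category] = {"tickets": ids, "users": len(users), "devices": len(devices)}
                break
    return alerts


if __name__ == "__main__":
    for category, summary in find_ticket_clusters(TICKETS).items():
        print(f"ESCALATE to security: '{category}' tickets {summary['tickets']} "
              f"from {summary['users']} users on {summary['devices']} devices")
```

Repeated tickets from a single user or device are deliberately not flagged, so an individual's recurring problem stays a normal ticket while a simultaneous pattern across the estate is escalated.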
For example, in 2014 the US retailer Target suffered an incident when hackers generated $53.7 million by stealing credit card details. There were many ‘incidents’ or ‘signals’ raised during the attack which, if resolved in a timely manner, could have minimised the damage.
This is hardly an isolated incident either. SANS Institute research on help desk security found that organizations rarely factored security into the overall help desk budget and nearly 40% of organizations have weak or no security policies around their help desks.
If you take a close look at failures in security, a common factor is a breakdown in change-control and a lack of insight. If you don’t know something has changed, then you can’t control it. The fact is that you can’t keep users from installing applications. So you need to know when compromised devices are plugged into the network, what social media and web-apps are being launched, and have a mechanism to stop it.
Given access to the right tools, the service desk offers a powerful first line of cyber-defence. Proactive management of operating system and application vulnerabilities with automated patching, endpoint protection to ensure only authorised applications run, policy-based enforcement of removable devices to control data flowing in and out of endpoints, and application control with intelligent white-listing for endpoint security are all prerequisites to making this happen.
An efficient and IT security conscious service desk is able to provide visibility of the network and endpoints, and the capability to control what happens. Ultimately, the net effect is having a service desk that is always on the front foot, identifying and responding to threats proactively. Not only can this kind of service desk identify problems, as well as pre-empt others before they impact the user, it is a remarkably cost effective means of improving an organization’s entire security posture.
Poor service desk/IT security communications and processes, on the other hand, mean you have a service desk that cannot protect the company from debilitating, costly and embarrassing security breaches. When put in these simple terms, isn’t it about time you set up new processes or means of communicating with the service desk?