Skip to main content

Get the Most Out of Cyber Defense Technology | Optiv

July 09, 2014


Why Policy and Procedure is Critical to Effective Technology Countermeasure Deployment

Technology countermeasures have come a long way since the dawn of information technology security. Just over a decade ago, IT security technology could be loosely categorized into endpoint and network security. With these broad categories one would have covered the vast majority of technology countermeasures available to mitigate risk. Fast-forward to the present: Even trying to categorize certain technologies into a broad “type” such as network security is difficult, especially when we consider cutting edge technologies centered around dealing with advanced persistent threats. Times have changed.


The complexity of cyber technology countermeasures is further complicated by how those technologies are deployed in an organization, and effective policy and procedure is an often-overlooked aspect of an effective cyber defense strategy. Mitigating risk with technology requires a balanced, risk-centric approach which is codified by an effective security policy and the appropriate procedures surrounding specific defenses.

One of my favorite examples of this concept is vulnerability management. A few years ago I was deploying a cutting-edge vulnerability management system for a client. The client asked me if we could exclude a block of IP addresses from being scanned by the vulnerability management solution. “Sure,” I replied, “What do you want to exclude?” The client’s reply startled me, “The phone system. Every time we scan it for vulnerabilities, it crashes.” I asked the client, a mid-level IT security analyst, if he thought this represented a vulnerability, as an attacker would certainly not exclude the phone system from a reconnaissance gathering mission, and therefore likely crash the phone system during a scan. “Of course, but our department gets lots of attention when we bring down the phone system, so let’s exclude it from being scanned.” As a cyber security professional, this represented a profound failure of policy and procedure in the risk management process. My client, in this instance, had all of the components necessary for effective situational awareness regarding vulnerabilities, and yet had a phone system that was vulnerable to the most basic pre-attack activity: A vulnerability scan.

I spent some time with this client and built an effective case to demonstrate to the CISO this real and acute risk that could be effectively mitigated in a number of ways. Approaching the phone system vendor for a software update was obviously the preferred approach, but several technologies existed to help mitigate this specific risk. This particular client had an IPS system in the network core, so creating a signature to block the specific attack that exploited the phone system vulnerability was also an effective method for both eliminating the vulnerability as well as allowing the vulnerability management system to effectively do its job.

Once the CISO understood the risk of an attacker taking down the phone system with a simple reconnaissance scan, she determined the appropriate approach was to go ahead and create the recommended IPS signature while attempting to provide a fix from the phone system vendor.

In this example, technology wasn't the issue: All of the tools necessary to identify and mitigate risk were present—the failure (which created vulnerability) was in procedure. A coherent explanation of the risks to the CISO was the only thing necessary to enable a risk-centric decision.

Another common example of this phenomenon is Intrusion Prevention.  So often my clients shut off the medium level signatures on their IPS as well as protocol anomaly detection because their custom applications trigger “false positives”.  Often times, these “false positives” are actual vulnerabilities or weaknesses in custom code which are ignored, not by policy, but rather by lack of policy and procedure surrounding such risks.  Again, in this instance, all of the technology exists to mitigate risk, but often times we make “lack of policy” decisions at the technical level within an organization and aren’t able to effectively communicate such risks in a business-centric view to an appropriate risk decision maker (CISO, CIO, etc…).

The solution, albeit simple, takes dedication and commitment at all levels within an organization. Before technologies are deployed, a basic policy and procedure framework should be established as part of the requirements definition for a new cyber defense technology. In the vulnerability management example, for instance, some basic policy and procedure items would be: The scanning interval, how detailed the routine scans will be, how quickly vulnerabilities of a particular severity will be patched, how discovered vulnerabilities are communicated within the organization, and how patched vulnerabilities are verified.

Once a basic policy and procedure framework is in place and the technology deployed, further procedure work is necessary to fine-tune how the organization adopts and manages the new risk-mitigation technology. Just as we fine-tune technical countermeasures during their lifecycle, we must also fine-tune our policy and procedures to ensure we are getting the maximum possible situational awareness and risk mitigation from the technology.

Cyber defense is complex, and effective risk management is a complex relationship between technology, process, and people. Effective policy and procedure is a critical component in cyber defense and should be given its due attention in any cyber defense strategy.

As published in Cyber Defense Magazine

    J.R. Cunningham

By: J.R. Cunningham

VP, Product Management

See More

Related Blogs

October 25, 2017

GDPR Part 1: A Legal, IT, or Information Security Issue?

The General Data Protection Regulation (GDPR) is a new regulation affecting organizations that reside in the European Union (EU) or merely transmit EU...

See Details

October 31, 2017

GDPR Part 2: The Six Information Security Pillars

In this second part of the series, we will discuss Optiv’s Six Information Security Pillars for GDPR compliance. For the information security professi...

See Details

November 07, 2017

GDPR Part 3: GDPR and the Information Security Program

In this third and final part of the series, we’ll spend some time bringing GDPR and its various requirements back into the information security progra...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

June 23, 2017

Optimize Cyber Defenses

Learn to how to eliminate tech waste and get the most out of your security portfolio.

See Details

January 31, 2017

Governance, Risk and Compliance

Learn how to mature and optimize your GRC program and technology investments.

See Details

January 21, 2015

Cyber Security Public Policy

Imagine a scenario where a highly motivated, trained, and well equipped enemy launched an invasion against the United States. Upon arriving at our sho...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.