My choice of the title is based on the fact that the size of the business matters when we define security solutions. We don’t just consider the budget available, but the staff skill levels, user population, and overall levels of departmentalization.
Consider what can happen if a firewall admin notices a stream of outbound traffic to an unusual IP address that resolves to Minsk in Belarus…
At a small company, the admin will walk down the hall to where the CEO sits and ask if it’s cool to block traffic going to Belarus. “Sure,” says the CEO, “we don’t do any business with Belarus. Block the whole country.” Once the traffic is blocked, the firewall admin, who is really an all-around IT person, checks the PC that was sending traffic and makes sure its antivirus software is up-to-date. Maybe that’s when it’s discovered that their AV licenses have expired and they need to have a quick conversation with their vendor about renewal…
At a medium company, the firewall admin may notify his manager and wait an hour or two for a response to block just that IP address, since they may expand business to Eastern Europe at some time in the near future. Maybe. Once authorized to block, the admin may dash off an email to the desktop admin to check out the client at 10.1.2.3 that was the source of outbound traffic.
At a large company, the SOC may be too busy preparing reports for auditors to even notice just one more stream of traffic going to a Bad Place. Maybe they do notice it and generate an alert. That alert goes to the level one helpdesk person who then has to follow up with engineering about approval of a change request to shut down the traffic. In the course of the escalation, other teams get involved and start to build a full forensic picture over the next few days, and they confirm that, yes, the traffic is originating from 10.1.2.3 and going to a Bad Place in Belarus. As they debate what to do – they can’t just block the IP, since it’s a major ISP in Belarus that they use for B2B communications – the flow of traffic stops… so they decide to wait and see if it happens again before doing anything final.
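All three scenarios turn on the same technical question: which internal host is talking to an unexpected country, and does a block on one destination address or on the whole country cover it without hitting legitimate partners. The following Python is an added example, not code from the original post, that works this through on a constructed flow log with a constructed IP-to-country table; the address ranges, the country codes, the "business partner" address and the allowed-country list are all assumptions made for illustration.

```python
"""
Added example (not from the original post): an egress check over constructed
firewall flow records. It identifies internal hosts sending to countries the
company does not do business with, then compares the two block scopes the
post describes: one destination IP versus a whole country. All addresses,
country assignments and log lines below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for a GeoIP database (assumption, not real allocations).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "BY",   # plays "Belarus" here
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Countries this hypothetical company does business with (assumption).
ALLOWED_COUNTRIES = {"US", "DE"}

# Destinations known to be legitimate B2B partners (constructed).
KNOWN_PARTNERS = {"203.0.113.50": "partner hosted on a large BY ISP"}

# Constructed outbound flow log: timestamp src dst bytes
FLOW_LOG = """\
2024-01-10T09:00:01 10.1.2.3 203.0.113.7 48211
2024-01-10T09:00:05 10.1.2.3 203.0.113.7 51003
2024-01-10T09:00:09 10.1.2.9 203.0.113.50 1200
2024-01-10T09:00:12 10.1.4.7 198.51.100.20 900
2024-01-10T09:00:15 10.1.2.3 192.0.2.10 300
"""


def country_of(ip: str) -> str:
    """Longest-prefix-free lookup against the constructed table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines and tag each with the destination country."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "bytes": int(nbytes), "cc": country_of(dst)})
    return flows


def unexpected_flows(flows: list) -> list:
    """Flows whose destination country is not on the allowed list."""
    return [f for f in flows if f["cc"] not in ALLOWED_COUNTRIES]


def summarize_by_source(flows: list) -> dict:
    """Per internal host: bytes sent and destinations in unexpected countries.
    This is the 'which PC do we go look at' answer from the scenarios."""
    out = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for f in unexpected_flows(flows):
        out[f["src"]]["bytes"] += f["bytes"]
        out[f["src"]]["dsts"].add(f["dst"])
    return dict(out)


def block_impact(flows: list, scope: str, value: str) -> tuple:
    """Return (flows a block would match, known-partner flows caught as collateral).
    scope is 'ip' (block one destination) or 'country' (block a whole country)."""
    if scope == "ip":
        matched = [f for f in flows if f["dst"] == value]
    elif scope == "country":
        matched = [f for f in flows if f["cc"] == value]
    else:
        raise ValueError(f"unknown scope {scope!r}")
    collateral = [f for f in matched if f["dst"] in KNOWN_PARTNERS]
    return len(matched), len(collateral)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for host, info in summarize_by_source(flows).items():
        print(f"{host}: {info['bytes']} bytes to {sorted(info['dsts'])}")
    print("block single IP 203.0.113.7 ->", block_impact(flows, "ip", "203.0.113.7"))
    print("block whole country BY     ->", block_impact(flows, "country", "BY"))
```

Run as a script it lists 10.1.2.3 as the noisy host and shows that the single-IP block matches only its flows, while the country-wide block also catches the partner traffic from 10.1.2.9: the small-company "block the whole country" answer and the large-company "we can't, it's our B2B ISP" objection are the same data looked at with different collateral tolerance.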
Now those aren’t the only possible outcomes, but they illustrate the differences in how security gets done at businesses of different sizes. I’d like to start a conversation of “war stories” that can help other professionals understand all the wrinkles involved in implementing security solutions, so that we can be more aware of those wrinkles as we discuss security with the decision-makers at those firms.
So what are your impressions and experiences, working at different levels and types of organizations?