At our UK Conference I called for SAM teams to forge strong ties with their colleagues in IT Security and Compliance. My session highlighted how we as SAM managers have much in common in terms of tools and processes with them. We are also seeing former pure-play IT Security vendors such as Qualys entering the SAM world with toolsets aimed at solving the fundamental IT Security challenge – you can’t secure what you don’t know about.
My conference session included an extract from the World Economic Forum earlier this year where Maersk Chairman Jim Hagemann Snabe spoke of the impact of the NotPetya attack on his company. In short;
Wired have recently published a fascinating deep-dive into the Maersk response and it is an excellent primer on the reality of dealing with a cyber-attack.
For us as SAM Managers the frightening reality is this:
Maersk was vulnerable, and suffered all that damage, because of a single installation of a vulnerable application. Hackers compromised the update server for that application, the application auto-updated, and Maersk’s systems were dead in the water within minutes.
One installation, two weeks downtime, at least $300m hit to the bottom line.
Maersk IT installed the application at the request of an accountant in a local Maersk office in Ukraine. It had probably gone through the usual process for completing such a task – a request raised, ticket allocated, license checked, application catalog updated, and so on. This was commercial software, widely used in Ukraine to file tax returns. Think Quickbooks.
And this is the point – I doubt very much if any software approval process would have seen the risk associated with this application. I don’t know many SAM Managers who would actively manage an application with a single install either.
From a risk perspective however these outliers do need our attention. With the move to continuous application development perhaps we’ve become blasé about the risks of auto-update. In my time in infrastructure operations the mantra was “never install the first version”. Now many teams have KPIs tracking time taken to install an update. To be clear, auto-update is usually a good thing, but make sure you’ve assessed the risk and tested the application before enabling it.
Our role as SAM Managers is to ensure that robust software approval processes are in place and that all appropriate stakeholders are engaged. Our remit should probably be limited to the licensing and perhaps financial aspects of the decision to install the software. IT Security should formally provide approval for the application to be installed, where it should be installed, and whether it should auto update. IT Operations should approve the technical aspects – compatibility, capacity requirements, packaging, and so on. The Software Approval Board should collectively classify the risk of installing the software and add it to the Approved Software List.
When a single software installation can do so much damage collective responsibility is important. You really don’t want to be the person who provided sole approval for an install with a $300m price tag.
I’ll be writing more on building relationships with your IT Security and IT Ops teams over the coming year, and will be presenting on this topic at our forthcoming Australian & US Conferences. NotPetya won’t be the last attack of this kind, make sure you’re ready for the next, and grasp the opportunity to build or strengthen these mutually-beneficial relationships.