Deviations from the norm – Standard Operating Environment (SOE) traps to avoid
In the numerous security assessment audits and incident response activities that the Brace168 team have conducted over the years, we have learnt that what seem like minor, negligible deviations from the norm are typically the things that can bring an organisation’s cyber security posture to its knees.
A good example of this problem is the use of a Standard Operating Environment (SOE) in an environment that runs multiple operating systems (e.g., a mix of Windows, Linux and macOS), where administrators typically maintain a standard SOE for the majority operating system and administer the minority platforms on a case-by-case basis. This introduces a risk of security baseline deviation and, as the saying goes, “You are only as strong as your weakest link”.
A Standard Operating Environment (SOE) is the practice of deploying identical software and hardware (versions, releases, types, models, etc.) across an information system environment. Among other benefits (such as cost and overhead reduction), an SOE introduces standardisation and helps to achieve compliance obligations, manage governance activities, and enhance endpoint security.
While SOEs are meant to enhance the security of endpoints and protect critical business assets, organisations can fall into traps when establishing and deploying them, defeating the very security capabilities the SOE was meant to deliver.
- Trap 1 – Outdated baseline and benchmarks
  - Procedures for SOE implementation are typically defined by security baseline standards such as the CIS benchmarks, but with the dynamic and constantly evolving cyber threat landscape, these benchmarks change often and are updated regularly. Relying on SOEs built from outdated benchmarks amounts to relying on outdated controls that may not be sufficient to address evolving cyber security threats.
- Trap 2 – Misconfiguration
  - SOEs are templates that define the security functions of systems and applications, and a single SOE may be used to build several production systems or applications. A misconfiguration in the underlying template (SOE) may therefore introduce security vulnerabilities into multiple systems at once, increasing susceptibility to cyber security threats.
- Trap 3 – Multiple operating system environments (mix of Windows, Linux, Android, iOS, etc.)
  - Maintaining different fleets of operating systems adds complexity to the design and maintenance of SOEs within the IT environment. To avoid baseline deviations, it is important to ensure that each fleet of operating systems is given the required due diligence and that appropriate controls are applied to every fleet, not only the largest one.
- Trap 4 – Risk profile – one size fits all
  - Organisations tend to treat all systems and applications the same, but, for example, public-facing web servers need a different SOE template from internal-facing database servers. Before deciding which controls to implement in an SOE, it is important to perform a risk assessment and business impact analysis of the systems and applications in question; the outcome of the assessment provides accurate risk profiles, and the appropriate controls can then be applied to each system and application.
- Trap 5 – Inadequate skills and capabilities
  - It is important to ensure that the required specialists are consulted when building SOEs; the skills of a single system administrator may not be sufficient to design and build security controls across the broad range of IT systems and applications available to enterprises and organisations.
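Traps 1 to 4 all come down to the same operational question: does every host in the fleet actually match a current, risk-appropriate SOE template? The script below is an added example, not Brace168 tooling or any product's code, showing how a defender can run that check as a routine baseline-drift report. Every template, benchmark revision, setting name and host snapshot in it is constructed for illustration (a real deployment would feed it from a configuration-management or inventory system); the benchmark revisions are hypothetical placeholders, not actual CIS release numbers. It keys templates on both operating system and exposure (internal vs public-facing), so a platform with no template (Trap 3), a template built from a stale benchmark (Trap 1), a host setting that deviates from its template (Trap 2) and the use of a distinct profile per exposure (Trap 4) each surface as separate findings.

```python
"""Baseline-drift report: compare host configuration snapshots against SOE templates.

Added example for illustration only. Templates, benchmark revisions, settings and
hosts are all constructed; nothing here is a real benchmark number or a real fleet.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed: the benchmark revision the organisation currently tracks per OS.
# Values are hypothetical placeholders, not actual CIS release numbers.
CURRENT_BENCHMARK = {"windows": "2.0", "linux": "3.1", "macos": "1.4"}

# Constructed SOE templates keyed by (os, exposure). Each records the benchmark
# revision it was built from and the settings it mandates. String settings must
# match exactly; integer settings are treated as an upper bound (e.g. patch age).
# Deliberately no macOS template: that fleet is administered "case by case".
SOE_TEMPLATES = {
    ("windows", "internal"): {
        "benchmark": "2.0",
        "settings": {"smbv1": "disabled", "firewall": "on", "max_patch_age_days": 30},
    },
    ("windows", "public"): {
        "benchmark": "2.0",
        "settings": {"smbv1": "disabled", "firewall": "on", "rdp": "disabled", "max_patch_age_days": 7},
    },
    ("linux", "public"): {
        "benchmark": "2.9",  # older than CURRENT_BENCHMARK["linux"] -> Trap 1
        "settings": {"ssh_password_auth": "no", "firewall": "on", "max_patch_age_days": 7},
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    trap: str    # "uncovered-fleet" | "outdated-baseline" | "misconfiguration"
    detail: str


def _version(v: str) -> tuple[int, ...]:
    """Compare dotted revisions numerically, so '2.9' < '3.1'."""
    return tuple(int(part) for part in v.split("."))


def check_host(host: dict) -> list[Finding]:
    """Return every drift finding for one host snapshot."""
    name, key = host["name"], (host["os"], host["exposure"])
    findings: list[Finding] = []

    template = SOE_TEMPLATES.get(key)
    if template is None:
        # Trap 3 / Trap 4: this OS or exposure class has no template at all.
        findings.append(Finding(name, "uncovered-fleet", f"no SOE template for {key[0]}/{key[1]}"))
        return findings

    current = CURRENT_BENCHMARK.get(host["os"])
    if current and _version(template["benchmark"]) < _version(current):
        # Trap 1: the template predates the benchmark revision now being tracked.
        findings.append(Finding(name, "outdated-baseline",
                                f"template built from benchmark {template['benchmark']}, current is {current}"))

    observed_settings = host["settings"]
    for setting, expected in template["settings"].items():
        observed = observed_settings.get(setting)
        if observed is None:
            findings.append(Finding(name, "misconfiguration", f"{setting}: not reported (expected {expected!r})"))
        elif isinstance(expected, int):
            if not isinstance(observed, int) or observed > expected:
                findings.append(Finding(name, "misconfiguration", f"{setting}: {observed} exceeds maximum {expected}"))
        elif observed != expected:
            # Trap 2: the host deviates from the template it was supposedly built from.
            findings.append(Finding(name, "misconfiguration", f"{setting}: {observed!r}, expected {expected!r}"))
    return findings


def check_fleet(hosts: list[dict]) -> dict[str, list[Finding]]:
    """Run check_host over an inventory and index findings by host name."""
    return {h["name"]: check_host(h) for h in hosts}


# Constructed host snapshots (as a real inventory or CM tool would report them).
SAMPLE_HOSTS = [
    {"name": "web01", "os": "windows", "exposure": "public",
     "settings": {"smbv1": "disabled", "firewall": "on", "rdp": "enabled", "max_patch_age_days": 3}},
    {"name": "db01", "os": "windows", "exposure": "internal",
     "settings": {"smbv1": "enabled", "firewall": "on", "max_patch_age_days": 12}},
    {"name": "web02", "os": "linux", "exposure": "public",
     "settings": {"ssh_password_auth": "no", "firewall": "on", "max_patch_age_days": 5}},
    {"name": "mac01", "os": "macos", "exposure": "internal",
     "settings": {"firewall": "on", "max_patch_age_days": 40}},
]

if __name__ == "__main__":
    for host_name, host_findings in check_fleet(SAMPLE_HOSTS).items():
        status = "OK" if not host_findings else f"{len(host_findings)} finding(s)"
        print(f"{host_name}: {status}")
        for f in host_findings:
            print(f"  [{f.trap}] {f.detail}")
```

On the constructed inventory the report flags `web01` and `db01` for single setting deviations, `web02` because its template was built from a benchmark revision older than the one now tracked, and `mac01` because no template covers that fleet at all. In practice the "uncovered-fleet" and "outdated-baseline" findings are the ones worth alerting on first, since each affects every host built from the same template rather than a single machine.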
At Brace168, we have the capabilities and experience to implement, audit and test controls related to the implementation of a Standard Operating Environment (SOE), so don’t hesitate to reach out to discuss how our cyber security consultants can assist with the implementation of new SOE initiatives or uplift your current implementation.