Where do security professionals draw the line between protecting their company’s network, and delivering a free-range internet experience for their fellow employees? This quandary came up at ThreatSTOP recently, spurred by a support request we received from a customer who posed this very question to himself, his peers, and to us. It got us thinking, and made us wonder what the consensus is among security professionals who constantly wrestle with balancing the scales of security and user friction.
To help plug you in on this issue, I owe you a bit of backstory on what we do at ThreatSTOP: customers use our cloud service to automatically update firewall rules using real-time threat intelligence and reputation data about IP addresses and domains that are malicious. And when I say malicious, I don’t mean sites with nudity or foul language; there are plenty of products out there that can function as your internet nanny and prevent employees from running afoul of HR guidelines. By malicious I mean ThreatSTOP blocks inbound and outbound connections to IPs and domains that will drop ransomware on your endpoints, scan your network for vulnerabilities, phish your finance department, and wage a DDoS campaign against you. The rules we automatically update on your firewall or your DNS server contain IPs and domains that savvy security people really, really don’t want to find in their network traffic logs.
Our conflicted customer, we’ll call him “John”, had written to us asking for more information about a specific IP address ThreatSTOP was blocking on his network with our DNS Firewall service. Although our reporting and threat research tools had already given him the type of threat the IP presented, the severity level and risk to his network of connecting to it, and a rap sheet a mile long showing nasty domains that had resolved to the IP in question going on a few years now, John was looking for something more. We scheduled a quick call with John and he gave us the skinny on why blocking this IP had become an issue: a sales executive at John’s company had called the helpdesk to ask if a change had been made to his laptop that would prevent him from visiting certain websites. The helpdesk agent investigated and told him no updates had been made recently. The sales exec said, “Websites aren’t loading right. Where there should be images and videos, I’m seeing spots on the page that say they’ve been blocked for being threats.”
If you’re in security you can probably guess where things went from here. A support ticket was created and assigned to John’s team, someone was dispatched to look at the laptop, someone else was asked to verify network connectivity, and the website in question was tested both inside and outside the corporate network. Round two saw a heated conversation between the sales exec and a senior security admin about the IT team overzealously blocking the internet, and a support ticket for us at ThreatSTOP asking “how bad would it really be if I whitelisted this IP and just let him connect to it?” Our security analyst armed John with good cause to go back to the exec and explain why the IP address should continue to be blocked. The website wasn’t business related; it was a well-known bad IP observed dropping ransomware exploit kits on browsers. John had no qualms about blocking it, but his sales exec wasn’t so convinced. We felt John’s pain and knew he was taking some bruises for trying to do the right thing.
I’m writing this because John followed up with us yesterday to close the support ticket. “We decided not to whitelist it based on what you told us about that IP; we’re still blocking it. Our CIO even got involved. She sent an email to the whole company to say we won’t compromise our position on security.” Well, kudos to John and to his CIO. She’s put a stake in the ground and let her team know she has their back. We know all too well the high costs of a breach. We know the difficulty of explaining to people outside of security why it’s necessary to change passwords, block access to certain websites, and increase security protection even if it comes with a bit of inconvenience for employees. Security is a team sport; as employees we are all stewards of the networks we use and the data we store. Is it worth telling a senior exec “no” to protect the network? Is it wise to put security before accessibility? I’d love to ask that sales executive a question: how much would you pay in bitcoin to watch that cat video?