We all agree on the need to establish defense in depth, but it seems we’ve arrived at a fatal tipping point. Most enterprises have acquired so many point solutions that we’ve created an insurmountable challenge for those in the security ranks to keep up with. Without drastic changes, teams will continue to drown in the big data security point solutions generate and will be no better equipped to prevent or mitigate breaches.
We’re all familiar with the breach headlines from the last few years. It may or may not surprise you to know that quite a number of the victims had solutions in place that would have prevented the breach, if only someone on the team had reacted to the alert(s). On the grand scale, what’s the score between the “good guys” and the “bad guys”? Let’s just say we’re not doing very well. On average, it takes the typical organization 9-18 months to identify a data breach. How much data is the bad guy able to exfiltrate in that period of time? How about any amount of data they’d like!
So what steps should security professionals take to overcome these challenges?
- Assess all point solutions in place, categorizing their purpose and functionality. Ensure the technologies are configured and functioning to reap maximum benefit. Sadly, solutions often become shelfware or are highly underutilized. Systematically gauge the benefit of all point solutions over a period of 6 months, using a scorecard.
- Examine technology overlap and opportunities to consolidate and eliminate redundant environments.
- Identify gaps within the security program that are not being met by either people, process, or technologies. Develop a strategy to address these gaps.
- Establish processes surrounding all activities performed by the security team. Revisit these processes on a yearly basis or whenever changes occur to the infrastructure.
- Recognize opportunities to automate and re-engineer repetitive and critical practices.
Once you’ve assessed your existing toolset and are ready to make changes and procure new technologies, it’s important that you:
- Document the problem you’re trying to solve.
- Ensure collaboration and participation by relevant stakeholders in and outside of IT, especially if the solution will in any way be apparent to the end-users and/or customers.
- Identify required and desired criteria/features extensively.
- Test thoroughly! A great security pitch is not reason enough to buy. Similarly, simply because a solution appears in an upper right-hand quadrant doesn’t mean it’s the right fit or will meet the needs of your organization.
Building your arsenal will take time, money, and the right people to get it implemented. The time in between is often filled with ambiguity and fear, but this can be avoided. We often find organizations in paralysis for any number of reasons. One common explanation is prerequisites. Some solutions need extensive network changes to be put in place, trained individuals to operate the technology, and/or huge amounts of capital and operational funding. Looking at the network layer, making even the most minor change to the architecture is often challenging without the right underlying design. Most organizations have designs that have not evolved since they were implemented many years ago, which makes changes quite painful. Considering a Managed Security Service Provider (MSSP) is something that could ease both implementation challenges and ongoing operational requirements.
What are key technologies that all organizations should consider to ward off a cyber attack?
- Next generation firewall
- IDS/IPS capabilities
- Network-based behavioral analysis
- Email Encryption
- Secure FTP
- Certificate and Key Management
- Vulnerability Scanning
- Patch Management
- Anti-Virus/Next-gen AV
- Two-factor Authentication
- Endpoint Protection and Response
- Security Information and Event Management
This short list of key technologies is quite extensive even for mid-to-large enterprises. Ultimate success depends on the ability to correlate data into reliable and actionable intelligence, coupled with automated processes. Therefore, keep in mind that integration with your SIEM is critical. Also, beware of solutions yielding a high rate of false positives. This is detrimental, as buy-in will dwindle and actual issues will often be ignored.
Which implementations should you tackle first?
- Ensure you first have a solid next gen firewall with robust IDS/IPS capabilities. This will immediately ward off a high percentage of attacks from ever touching your network.
- Network-based behavioral analysis is essential and avoids the need to deploy agents on every asset on the network, which can be highly problematic. Packets will come into your network as a standard course of business, regardless of how effective your firewall/IDS/IPS solution is. Many malicious files arrive in stealth mode, lie dormant for a period of time, and then begin a dance of lateral movement on your network in an effort to infect endpoints and steal data. Traditional tools are unable to identify this malicious behavior.
- Implement and/or tune your SIEM to pull logs for all relevant systems and begin crafting the use cases and process automation.
These three critical pieces will provide optimal visibility and allow you to identify malicious activity efficiently. Finally, it’s important to take the back-to-basics approach: look at configurations for all types of assets and ensure installation, configuration, and maintenance follow security best practices. As time and funding permit, procure additional key technologies to further harden your security defenses.
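To make the SIEM “use case” and false-positive points concrete, here is an added example of a small correlation rule run over constructed sshd-style auth log lines. It is not code from the post or from any SIEM product; the line format, the source addresses (documentation ranges), and the allowlisted “authorized scanner” address are all assumptions made for the example. The rule flags a source that fails to log in at least N times within a window and then succeeds, and it shows the kind of suppression (an allowlist of known-noisy sources) that keeps such a rule from burying the team in alerts.

```python
"""Minimal SIEM-style correlation over constructed auth log lines.

Use case: alert when a single source address produces `threshold` or more
failed logins inside `window` and then an accepted login, while suppressing
sources the team has deliberately allowlisted (for example an authorized
vulnerability scanner) so the rule does not generate false positives.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (sshd-style). Addresses are documentation
# ranges; nothing here is taken from a real system.
SAMPLE_LOGS = """\
2024-05-01T08:00:01 sshd[101]: Failed password for admin from 203.0.113.5 port 5001
2024-05-01T08:00:04 sshd[101]: Failed password for admin from 203.0.113.5 port 5002
2024-05-01T08:00:07 sshd[101]: Failed password for root from 203.0.113.5 port 5003
2024-05-01T08:00:09 sshd[101]: Failed password for admin from 203.0.113.5 port 5004
2024-05-01T08:00:12 sshd[101]: Failed password for backup from 203.0.113.5 port 5005
2024-05-01T08:00:20 sshd[101]: Accepted password for backup from 203.0.113.5 port 5006
2024-05-01T08:01:00 sshd[102]: Failed password for jdoe from 198.51.100.7 port 6001
2024-05-01T08:01:05 sshd[102]: Accepted password for jdoe from 198.51.100.7 port 6002
2024-05-01T08:02:00 sshd[103]: Failed password for svc from 192.0.2.9 port 7001
2024-05-01T08:02:01 sshd[103]: Failed password for svc from 192.0.2.9 port 7002
2024-05-01T08:02:02 sshd[103]: Failed password for svc from 192.0.2.9 port 7003
2024-05-01T08:02:03 sshd[103]: Failed password for svc from 192.0.2.9 port 7004
2024-05-01T08:02:04 sshd[103]: Failed password for svc from 192.0.2.9 port 7005
2024-05-01T08:02:10 sshd[103]: Accepted password for svc from 192.0.2.9 port 7006
this line is noise the parser must ignore
"""

# Assumed line format for the example; real collectors normalize this for you.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Return an event dict for a recognised auth line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines, threshold=5, window=timedelta(minutes=5), allowlist=frozenset()):
    """Correlate failures and successes per source address.

    An alert is produced when a source has at least `threshold` failed logins
    within `window` and then an accepted login. Sources in `allowlist` are
    never alerted on; that is the tuning step that keeps the rule actionable.
    """
    recent_failures = defaultdict(list)  # src -> timestamps of recent failures
    alerts = []
    events = [e for e in map(parse_line, lines) if e is not None]
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # Age out failures that fell outside the sliding window.
        recent_failures[src] = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent_failures[src].append(ev["ts"])
            continue
        failures = len(recent_failures[src])
        if failures >= threshold and src not in allowlist:
            alerts.append({"src": src, "user": ev["user"], "failures": failures, "ts": ev["ts"]})
        # A success resets the counter for that source either way.
        recent_failures[src].clear()
    return alerts


if __name__ == "__main__":
    # 192.0.2.9 plays the role of an authorized internal scanner (assumption).
    for alert in correlate(SAMPLE_LOGS.splitlines(), allowlist=frozenset({"192.0.2.9"})):
        print(f"ALERT {alert['ts']} {alert['src']} succeeded as {alert['user']} "
              f"after {alert['failures']} failures")
```

With the allowlist in place the rule fires once (for 203.0.113.5); without it the scanner would fire a second, useless alert every time it runs. The threshold, window, and allowlist are exactly the knobs that get tuned during the “craft the use cases” phase, and they should be reviewed whenever the infrastructure changes, as the post recommends for all processes.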
[In upcoming posts, I will address a number of topics relating to cybersecurity, including vulnerability management in the age of cyber-everything, selling security to IT, building a culture of security consciousness, and embracing innovation without compromising security.]
Health care seems to ignore the long-standing efforts of other industries when addressing the same problems.
The American National Standards Institute, the American arm of ISO, has published several solutions/standards addressing the persistent protection of customer/patient/employee data. Each industry has its regulatory pressures and governance issues; however, all are faced with the same problem: appropriate access control to specific types of data. The common objective might be defined as providing persistently secure, attribute-based access control to data at the object level. In doing so, data is protected at all times, through transmission and at rest, with full audit when accessed, successfully or not. ANSI X9.69, recently published by ANSI as a quantum-resistant solution to protection of data, is available and applicable to any digital object… banking, healthcare, first responders, etc. Why reinvent the wheel? Take advantage of good work by competent people in other industries.