We are living in interesting times. Traditional network boundaries have been erased, and we are attached to the interconnected world 24/7. Our phones have the power of modern computers–and they are always on. We have smart cars, smart apps, and smart sensors that may impact our well-being and safety; even our appliances and cameras are now connected to our home and business networks. Along with all of this new technology, cloud services, shadow IT, and borderless data are getting harder to control. Vendors find new vulnerabilities and release critical patches almost weekly, and several times a year a major vulnerability is discovered that sends the IT community trembling.
Where we used to deal with script kiddies, we are now dealing with very sophisticated, well organized, and superiorly funded criminal organizations. Malware is morphing and becoming more complex every day. Script kiddies and unsophisticated hackers now use malware kits and “How To” YouTube videos to make their tasks easier and cheaper. Everything and anything is for sale now–literally. “Anything as a Service” is penetrating all aspects of our business, including “Malware as a Service”. This means that security breaches are happening more frequently–and no one is safe. The identity of every adult American has been compromised, on average, multiple times. As a result, citizens are getting security fatigue, and the community has stopped reacting to security breaches.
So, how can we stay sane in a world where a security team must be right every time, but an attacker only once? And what do we do when the shortage of skills available makes the IT Security landscape look more like Armageddon? My answer for this is simple: Focus on the key things that will help to move the needle and drive business forward. Here are 9 things to consider as you start your journey.
1. Pick the right framework. This is critical, as it will drive your priorities and provide standardized metrics to track your progress. The framework may be suggested by your industry and/or regulatory requirements, but not always. After selecting your framework, perform a gap analysis. This will help you determine what to work on next. You need to prove to your executives and the board that you are focusing on the right priorities and spending money on projects that reduce overall risk–and having a roadmap to follow will enable you to do so.
2. Know where your crown jewels are. You can't protect what you don't know, so it’s important to start with a full inventory. Consult the business, but don't discount the power of data discovery tools. Once you have identified the sensitive data, encrypt it (if you can). This way, even if it is stolen, it will be useless to the attacker. Some regulations do not even require you to disclose a data breach if the stolen data was encrypted. Data protection is one of the most crucial pillars of your security program.
3. Threat and vulnerabilities management matters. The "threat" is the fundamental part of it.
In addition to traditional boundary defenses, micro-segmentation, granular access controls, and data protection (encryption) can help create necessary barriers between attacker and your crown jewels
Not all vulnerabilities are created equally, so it is important to prioritize when addressing them. Factor exploitability in your environment, asset value based on the data it holds, and any additional compensating controls, like segmentation. When you take a risk-based approach to TVM you will quickly discover that you may need to patch some assets every few weeks, but others only every ninety days. Taking a methodical approach will help to reduce impact on your availability due to massive patching and reboots.
4. Focus on incident response. Defense is important, but no longer viable to thwart the threat. It is no longer matter of "if", but "when". Instead, focus on mean-time-to-detect and contain the incident. The adversary still spends over a hundred days in the environment undetected–follow the cyber kill chain. You need a plan to detect and stop attacker at every step of the chain. Table-top exercises are critical, but not enough. I recommend red team/blue team exercises to measure the effectiveness of your incident response program and test your team(s) for technical competency. This also helps you determine where your training funds will bring the most value. Outsource your red team if you can. You may be tempted to use internal resource(s), but they are often biased to what they know about your environment, whereas an outside consultant has no opinion.
5. Don’t chase the shiny new toy. There is no silver bullet no matter what vendors advertise. Your risk analysis in previous steps will help you determine what technology works well for your business. Focus on improving the technology you have and using it to its best capability before you move on to the next. Statistically, over eighty percent of security technologies put into production never improved past initial configuration. Consider anything installed and configured by the vendor as proof of concept. Their goal is to teach you to fish, not to feed you. You need to do your homework.
6. Defense-in-depth is still a golden rule of security. In addition to traditional boundary defenses, micro-segmentation, granular access controls, and data protection (encryption) can help create necessary barriers between attacker and your crown jewels.
7. Shortage of qualified resources is not easy to overcome. Use machine learning, automation and orchestration to compensate for lack of human capital against the ever-growing list of things to do without adding bodies. To find and retain talents, look for non-orthodox ways to recruit. You may find resources within or even outside of your IT organization. Marketing or BA organizations often provide a pool of candidates who already have business acumen–all you are looking for is curiosity and desire to learn. The side benefit to this is that you may find a resource to help your security analysts understand business, and also add outside-of-the-box thinker to your team. Once you find and train them, learn what motivates them to come to work every day and make it your mission to help them grow and succeed. You will not be able to keep them forever, but if you prepare them for the next opportunity, it's a win for everyone.
8. Focus on user awareness–make it bold; make it different. One model does not fit all. Your educational program should cater to the level of your users and even your corporate culture. The successful training program should be customized for your audience. Outside of general security awareness, you want to train users against the threats they are facing in their role. You may want to treat accounting differently from procurement and procurement differently from IT. Don't overlook the importance of training your executives, key personnel, and security team. Find out what delivery method resonates most with each group. Additionally, don't discount the fact that different age groups consume information differently. Customize your program. Make it fun; make it relevant to user personal life. Recruit them as your lieutenants. Recognize your stars, and reward resilience.
9. Partner with business and IT. You can't do it alone. Remember you own very little. Enabling the business does not mean you need to be a traffic cop. Your job is to assess and report the risk. For example, you identified sensitive data, but you don't own it–the business does. You serve as an advisor and partner with business, but they own the final decision. Similarly, you don't own any assets; IT does.
Help IT understand the risk affecting their assets and establish trusted partnership. Most people intuitively want to do the right thing.