Okay—stop laughing, everyone (and I mean everyone) knows I am no singer, but IT Security professionals really need to ensure they have the basics in place and I liked the attention this title brought to light as the foundation for this blog.
As I think back over the high-profile (and some of the not so high-profile…) hacks and breaches that have occurred over the last 18 months, I asked myself:
How many have been the result of the smartest, most ingenious hackers in the world?
How many have happened because someone just did something by accident?
How many have happened just because they didn’t have visibility into their network and security dashboards?
As I sat down and did some research and consulted with my peers around the world, I came to this conclusion: we are truly neglecting the security basics and need to get back to them fast. So what are the basics exactly?
Step #1 Take Careful Inventory of Your Assets and Software: You can’t protect what you don’t know you have and many organizations often skip this basic but fundamental step. I’ve seen several instances of this recently while working with companies to improve their key and certificate security. Many companies simply do not have a complete inventory—they have no idea how many keys and certs they have or how they are being used or misused. In a recent survey that Venafi commissioned with the Ponemon Institute, the results revealed that the average enterprise has almost 24,000 keys and certificates and 54 percent of security professionals admit to being unaware of where all of their keys and certificates are located. This is just one example, but it underscores the reality that organizations need a good inventory of ALL IT assets, identities, hardware, keys and certs, and software.
Step #2 Establish A Trusted Baseline: Organizations need to establish and update a known good state, or baseline. Baselines can be used to identify when security issues arise and provide a means to return the organization back to a known good state after a breach.
A few years back, I read an article with an analogy that struck me. Coupled with the old saying when trying to find something that seems impossible: “It’s like finding a needle in a haystack.” It was changed a bit to be more relevant and has held meaning for me ever since:“You don’t need to know what the needle(s) look like; you just have to know what the hay looks like. You take all the hay out and only the needle(s) are left.”
So how does this relate to baselining? If you take the known good out (your current baseline), then you’re left with the needle(s). Those needles can be good or bad, but now you know about them and can take proper action, and are able to begin remediation or restore to a known good state.
Step #3 Deploy a Strong Security Foundation: Once you have a complete inventory and you know what you need to protect, the next step is to deploy a good security foundation to build upon. Today, many companies are spending money on expensive “Next-Gen” or “Threat Intel” solutions and are not putting enough emphasis on the basics. You need to know what you have in order to protect it. There are many guidelines out there such as the SANS 20 Critical Security Controls. SANS starts with an “Inventory of Authorized and Unauthorized Devices, and Inventory of Authorized and Unauthorized Software”—obviously to my earlier point, visibility into your inventory is crucial. There are many other standards, guidelines, etc. out there, and it is up to you to determine what you want to work with for the regulations that you must comply with in your industry.
Step #4 Beef Up Your Detection: We tend to become overly invested in and overly reliant on our preventative capabilities to mitigate cybersecurity threats. This is often at the cost of good detection capabilities. In addition to inventories and baselines, IT security teams need to establish strong processes and procedures in incident response plans, triage/analysis tactics, and log monitoring. When there is a breach, organizations need to be able to quickly identify anomalous behavior and remediate, and to return the systems/networks to a good, trusted state while minimizing damages, recovery time, and costs. This need for detection applies across all technical, administrative, and procedural domains regardless of whether the compromise impacts hardware, software, user IDs, privileged access, keys and certificates, or any other IT security asset.
When was the last time you tested your incident response plans? People come and go; processes are always changing, and those changes need to be taken into consideration each and every time you exercise your plans; and don’t forget to follow-up with a postmortem analysis to see what worked and what didn’t.
These are a few easy steps that security professionals should always consider when it comes to establishing the security basics. Without these foundations to build upon, how can we ever hope to keep up with the bad guys who are always two steps ahead?
Remember—It’s all about the basics, ‘bout the basics—and hopefully no trouble!
P.S. Don’t forget to follow me on my new Twitter handle: @QueenofCandor