Posted on June 26, 2017 by Admin
There comes a time when every security conscious organization needs to move beyond the basics.
After all, basic protocols such as solid vulnerability management or least-privilege user access controls are highly effective, but they won’t be enough to stop truly persistent threats.
Perhaps your industry is heavily targeted by organized crime groups. Perhaps you’re worried about next generation ransomware, or you just can’t risk taking a hit to your reputation.
Whatever your situation, you’ll ultimately find yourself trying to work out where best to allocate your resources.
And it can be hard. With so many vendors espousing the virtues of next-generation firewalls, sandbox environments, and biometric authentication, how are you supposed to know where to invest?
Throughout this series, we’ve repeatedly explained the importance of mastering the basics first. But in a world that increasingly demands instant results, many organizations find themselves lusting after the latest tech before they’re truly ready.
In other words, they try to run before they can walk.
And look, we get it. The fundamentals are boring, and they seem so insignificant compared to defending against the latest headline stealer, whether it’s a zero day exploit or a state-sponsored cyber attack.
But here’s what you need to understand.
These attack vectors may be exciting and high profile, but they’re vanishingly rare compared to more mundane threats. If we compared security to a marathon, as we have several times during this series, defending against advanced threats would account for approximately the last mile… and more run-of-the-mill threats would be everything else.
So before you start splashing out on fancy technical controls, please make sure you’ve done your due diligence. If you aren’t sure, check out this post before continuing.
What’s Out There?
If you’ve ever attended a major security event, chances are you were totally overwhelmed by the range of security products available. Typically, vendors are practically falling over themselves to tell you about how their technology can defend your organizations against this, that, and the other.
But consider this.
At major events, like Black Hat, RSA, or InfoSecurity Europe, those vendors are paying tens or even hundreds of thousands of dollars just to be there. Yes, of course, almost all security vendors offer products that genuinely enhance certain aspects of your security profile, but they do also have a vested interest in convincing you that the problem they solve is the most pressing one.
But before we get into how you should allocate your resources, let’s take a look at some of the most heavily marketed categories of advanced security products:
What it is: Nothing to do with Star Trek, more’s the pity. Just like traditional firewalls, NGFWs include a standard set of functions which typically include packet filtering, stateful inspection, and network/port-address translation. Unlike traditional firewalls, though, they’re able to “understand” web application traffic in a more comprehensive way, and block traffic that may exploit known vulnerabilities. NGFWs often include additional features, such as SSL and SSH inspection, reputation-based malware detection, intrusion prevention, etc.
What it fights: Malware, including malicious web applications.
Weaknesses: Since NGFWs are designed to fight malware, they are only effective at blocking malware-based attacks. While many attacks do make use of malware somewhere down the line, plenty of attacks don’t. Additionally, as with most products, NGFWs are unlikely to protect against innovative new malware strains or zero-day threats.
2) Endpoint Security
What it is: Although precise definitions vary, endpoint security is quite simply the process of securing network “endpoint” hardware such as mobile devices, PCs, laptops, servers, and so on. Endpoint security products often include data loss prevention, application whitelisting, privileged user control, and disk, endpoint, and email encryption. Typically, endpoint security products will force devices to meet certain security requirements (e.g., be fully patched) before network access will be granted.
What it fights: Any attack that targets individual devices, including (but not limited to) malware. Where endpoint encryption is present, these products also mitigate the risk of lost or stolen devices.
Weaknesses: Many attacks don’t target endpoints.
3) Multi-factor authentication
What it is: In simple terms, these products expand upon standard “username and password” based logins by requiring one or more additional and more secure alternatives. Common examples include so-called secure keys (think online consumer banking), mobile phone applications, and biometric scanners that utilize fingerprint, facial, or retinal scanning.
What it fights: These systems are highly effective at mitigating the risk of credential theft attacks, where threat actors compromise user accounts using leaked or stolen credentials.
Weaknesses: Although plenty of threat actors favor credential theft as means of gaining initial access to a target network, these attacks still only account for a small percentage of breaches.
4) DDoS mitigation
What it is: DDoS stands for distributed denial of service, and describes an attack where a large number of systems or devices “flood” the bandwidth of a targeted system by repeatedly connecting and disconnecting from it. For the most part these attacks target web servers, and utilize botnets to execute massive numbers of connection requests in a very short period of time. Remember the Mirai botnet of smart toasters and fridges? It hit the headlines because it was used to conduct DDoS attacks on several high profile websites.
DDoS mitigation products use network monitoring and filtering techniques to redirect malicious traffic while still granting access to legitimate visitors.
What it fights: DDoS attacks.
Weaknesses: Depending on your industry, DDoS mitigation can be extremely valuable. Nonetheless, even in these cases, DDoS accounts for only a small proportion of overall attacks.
Now of course, there are plenty more advanced technical controls than those listed here. Just type cybersecurity into Google and you’ll find scores of technologies designed to protect against all manner of different cyber attacks.
What’s important to understand, though, is that each of these tools tackles a very specific problem. Whether it’s malware, credential theft, DDoS, or something else entirely, almost as soon as a new attack vector arises there will be a product or service on offer to protect against it.
Cutting Through the Hype
Sadly, many organizations treat cybersecurity as a randomly pieced together jigsaw of security products and services.
And it’s easy to understand how this happens. If you treat security as a single, nebulous process, it’s easy to convince yourself that the latest fancy security product is the one that will keep your organization safe.
But in reality, taking this approach will do little more than drain your resources, while still likely leaving your organization vulnerable in some area you hadn't identified.
Because in all honesty, there is no single “best” way to secure an organization. Your threat profile will depend heavily on the size of your organization, your industry, your location, and a whole bunch of other factors.
The threats facing a global telecoms giant, for example, are very different to those facing a sole trader, and different again from those facing a high-street retailer.
If you want to build a truly powerful cybersecurity initiative, you must approach it in a measured, holistic manner. Only by systematically identifying your most pressing threats, and implementing controls and processes specifically designed to mitigate them, can you enhance your security profile in a measurable and sustainable way.
In short, you must take a risk-based approach to cybersecurity.
The Opposite of Whack-a-Mole
If you’ve been following this series from the start, you might remember that we advocated using our free cybersecurity assessment tools (CSAT) to identify areas for investment.
And sure, we’re looking at advanced controls now rather than the basics, but nothing has really changed. The path to powerful security still lies in identifying (and plugging) areas of weakness.
So once you feel as though you’ve got the basics of security covered, make sure you go back and reassess your position using one of our free tools.
To make life as easy for you as possible, we’ve developed separate tools for financial, government, higher education, healthcare, industrial, retail, and SEC/OCIE regulated organizations. The tools, which are based on the NIST cybersecurity framework, are so simple they can be completed in under an hour, and require no technical knowledge whatsoever.
As we’ve already explained, the most important thing you can do to protect your organization is to identify the specific risks facing your organization, and efficiently allocate your resources to mitigate them. To that end, our tools are divided into five clearly defined categories: identify, protect, detect, respond, and recover.
And just like before, this is simply a case of ensuring your maturity in each area matches your level of exposure. You don’t want to see low levels of maturity in areas of high risk, for obvious reasons, but you also don’t want to see high levels of maturity in areas of low risk, as that suggests resources have been poorly allocated.
In the table above, an example organization has scored low on exposure for a particular category, but ranks as intermediate in terms of maturity. This is most likely fine, particularly if the organization routinely holds sensitive data (e.g., a healthcare provider or financial institution) but if security resources are particularly tight this could represent a minor misallocation of those resources.
Get Started Today
Whether you’re starting from scratch, you have the basics well and truly mastered, or even if your organization has a fully functioning cybersecurity program, taking a risk-based approach to improvement is the only logical way forward.
To check out our free cybersecurity assessment tools today, just click here.