In my previous blog post titled “’You Want Me to Do What?’ A Guide to Interpreting Cybersecurity Recommendations”, we discussed various pitfalls related to interpreting and implementing cybersecurity recommendations. One of the key points at the end of that discussion was a need to address all recommendations as they relate to your overall security roadmap. If you asked yourself “what roadmap?”, then this blog post is for you.
In addition to providing the high-level guidance you should use to develop a security roadmap, we also want to highlight the disconnect between assumed reality and actual reality as it relates to the controls and defenses that tools, engagements, and resources actually deliver. It is this latter objective that we’ll start with first.
Technology – “Not Intended for Shelf Usage”
One of the most common weaknesses we observe in organizations is the misuse of technology that has already been purchased. In many cases, an executive team may achieve a sense of security simply by knowing that a new and promising security tool has been purchased. There are a few things wrong with this.
First, the purchase of a tool in itself does not mean it has been implemented. Depending on the tool, it may take upwards of two years to fully implement the technology. Part of the delay is typically associated with customizing the tool to an organization’s unique environment. This means creating custom rules, defining the acceptable level of false positives, and even gaining buy-in from necessary departments within the organization. Additionally, some organizations encounter pushback and other cultural challenges during technology implementations that could slow down the process.
As though this weren’t enough, in large organizations, it’s even possible that tools purchased in the past still remain on the shelf without ever being implemented. These tools are placed on the roadmap, but funding for implementation may be delayed. Alternatively, a newer, better technology may be purchased that removes the desire for the previous tool. While the impact in terms of money lost is less for organizations with a large security budget, the gap in actual security that results could be even more crippling.
Resources – “People Doing All the Things”
If you’ve successfully identified the tools you need to secure your environment, the underlying question you should be asking yourself is whether you actually have the staff to support those tools. Vendors always have a way of making their tools look effortless to run and maintain. Often, however, these functions require constant attention from dedicated resources.
Consider for a moment whether your security team is fully utilizing the tools you already have. Even the best-in-class technologies can be easily bypassed if they’re not configured and maintained. Putting a firewall on your network is nothing more than a pass-through point unless the rule set and ACLs are defined. Similarly, IPS devices, DLP solutions, and any other tool in your repertoire require hand-holding. Beyond the initial setup, someone also needs to be looking at the resulting alerts and logs to determine where “badness” lives.
If your team is struggling to keep up with this management and review process, adding another tool to the toolbox is likely going to result in a reduced capability across the program. You can run ten tools in an inefficient manner or you can expertly run five tools at maximum capacity. We would argue that there’s more value in knowing you have the intended security from those five tools than from having a false sense of security inherent in running non-optimized tools.
Recommendations – “Just Add it to the Pile”
Now that you’ve realized the need for additional technology or resources, how do you choose between the various options recommended by your internal teams and vendors alike? Managing the ever-growing list of recommendations can be overwhelming. Knowing what to prioritize over something else is often left to the judgment of the few individuals in charge of the security budget. Even worse, sometimes projects get prioritized in response to the latest threat. While the latest threat might be top of mind for you and for others in the public eye, prioritization should really be driven by your organization’s actual highest-priority risks, not by the news cycle. Performing a cost-benefit analysis can be helpful, but this is not always easy to do when it comes to security.
Part of this issue goes back to your security plan – or lack thereof. Many organizations define a security plan for the future and identify the budget required to fund those activities. So when something new pops up, you can’t just throw it into the schedule, and there’s certainly not any free money lying around to get it done. How then do you make any progress on items that become your new top priority?
Remedying the Situation – Your Security Roadmap
CrowdStrike subscribes to a philosophy that places emphasis on a three-tiered approach to security. This philosophy is consistent with many security frameworks, including those taught in the SANS Institute Cyber Defense Curriculum. The basic strategy is simple and requires answers to the following questions:
- What is your most critical data and where is it stored?
- What are the biggest threats and risks to that data?
- Within your environment, what vulnerabilities would allow those risks to be realized?
Answering these questions is not a one-time exercise; the answers feed a recurring cycle, with a suggested cadence for revisiting each step:
- Identify or redefine your most critical data and assets (every 6 months)
- Identify and assess the risks and threats to that most critical data (every 2-3 months)
- Review and validate the vulnerabilities in your critical assets that these risks expose (every month)
- Determine whether the risks outweigh the costs of remediation (every day)
- Identify and implement mitigations for the highest unacceptable risks (every day)
- Repeat