Implementing cybersecurity can be a lot like the cluttered homes Marie Kondo has turned from messy to ones that inspire joy. Whether you’re a Marie Kondo fan or not, she makes you realize that at some point the ‘stuff’ you have is ruling you instead of vice versa.
In security, many organizations are ready for a Marie Kondo experience. It is very rare that IT and security teams get the chance to start over with a clean slate and design an ideal, elegant cybersecurity defense. Invariably an existing security infrastructure will be a collection of different technologies, some of which were designed for a one-off need that may no longer be present. Every time a new issue arises, IT looks to existing security solutions to determine whether they can provide a solution or tries to find something else to cover that gap.
When organizations add each of these components, they can create unnecessary clutter, confusion and cost. Before adding components, organizations would be advised to use a Marie Kondo practice and first discard software or applications that no longer serve a purpose. This paves the way for a security infrastructure that correctly focuses on critical issues and does not burden IT staff with applications that provide little value.
Defense-in-Depth or Expense-in-Breadth?
As security teams begin this de-cluttering exercise it should inspire them to evaluate whether they’re really achieving defense-in-depth or just expense-in-breadth.
How do you get from clutter to a more nimble, lean security infrastructure? The CIS Controls™ from the Center for Internet Security are a great model. This prioritized list of actions collectively forms a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.”
Developed by a community of security experts, the CIS framework acknowledges the wealth of security tools and technology that are available to security practitioners and identifies the resulting “fog of more” that can be overwhelming and can distract organizations from taking the necessary decisions to achieve basic security fundamentals.
In total, there are 20 controls which are set out in a prioritized manner with the first six controls, known as the basic controls, providing cyber hygiene. The message from the CIS is that if you start at the top and work your way down, with each step along the way, you are maximizing your impact on improving your security posture. There is a very logical flow to the list and the top six in particular. Similarly, in Marie Kondo language, it’s important to follow the right order.
1. The first control is the inventory and control of hardware assets. If IT staff doesn’t know it exists, IT staff can’t secure it. So, step 1, discover what’s in the organization’s environment.
2. The second control is the inventory and control of software assets. Once IT knows what hardware is in operation, next is understanding what software is running on the hardware. Technologies like application control or application whitelisting have a big part to play here in threat prevention, ensuring that only trusted applications are allowed to run.
3. The third control is continuous vulnerability management. Once existing software applications have been identified, these applications will inevitably have ongoing vulnerabilities, so it is imperative to continuously scan and remediate these vulnerabilities.
4. The fourth control is the controlled use of administrative privileges. Administrative privileges provide attackers with a way to gain access and introduce malware inside an enterprise. When an attacker gains access to a system, typically by exploiting an unpatched vulnerability, they can do a lot more damage and navigate with ease through the network if they have administrative privileges. Therefore, limiting privileges is essential to threat prevention.
5. The fifth control is to implement a secure configuration for hardware and software on mobile devices, laptops, workstations and servers. Default configurations for applications and operating systems are designed for ease-of-deployment and ease-of-use rather than for security. However, these configurations often make systems easier to exploit so the settings need to be adjusted to make them secure. Systems also need to be scanned regularly to ensure they haven’t deviated from these secure configurations as new software is added and patches applied.
Originally, only the top five controls were required for cyber hygiene, but the sixth control, maintenance, monitoring, and analysis of audit logs, is now also included in the set of basic controls in recognition of the need to capture information to help detect, understand, or recover from an attack.
No Fog, No Clutter
Whether it’s a home in need of a Marie Kondo de-clutter or an organization’s security infrastructure burdened with inefficient, costly tools and lack of controls, the solution is to start by following a logic flow. Using the CIS framework enables enterprises to evaluate their existing security infrastructure to identify where they have coverage or where there are gaps that need to be filled.
Armed with this knowledge, enterprises stand a much better chance of navigating the “fog of more” and getting to the destination of a solid security foundation. Marie Kondo talks about keeping only items that provide joy. For organizations, joy will be found in a lean, effective, security infrastructure.