APRIL QUESTION TO OUR EXPERT PANEL MEMBERS:
If you have to choose three essential security practices that an organization must adopt to avoid IT security breaches, what will you choose and why?
RESPONSES
Professor John Walker | @SBLTD
In this current cyber-storm of successful security breaches, the three practices I would include are:
- Deploy the capability to leverage Cyber Threat Intelligence to monitor for any noise which may infer or suggest the corporate brand is the focus of adverse interest by hacker or criminal communities.
- Enable an enterprise-wide CSIRT Framework to underpin the management of Incident Response across the organisation.
- Provision a level of Digital Forensics capabilities and skills to provision support for any investigation which the organisation conducts.
The absolute bottom line is to accept that a breach has occurred, or will occur, so the importance of a reactive security profile is essential.
Claus Cramon Houmann | @ClausHoumann
Using the wisdom (I hope it is, anyway) that I preach at conferences, which is similar to statistical studies of where different NBA teams take, respectively make, their shots (you should defend where breaches occur), I will try to outline 3 security practices that can make a difference.
- The first and foremost will always be getting security within an organization put in the right frame, with the right strategy (this includes a budget) for each company – bring security to the Board of Directors level and create a strategy for how your organization will handle security. There are so many reasons for why security must be discussed at this level, and the reasons are multiplying every day with things like mandated breach disclosure coming in the EU soon.
- Block the attacks that work for the bad guys – which are mainly spearphishing and waterholes. If at this point you’ve got Microsoft computers and you’re not running EMET or similar in production, you’re probably doing something wrong. EMET can give interesting errors and you’ll need tailored profiles, but it’s so worth it. Supplement EMET with other solutions that work and you’ve made a difference.
- So we’ve covered strategy and prevention; if we supplement this with something in the detection realm, we’re covering most of the bases. For detection I’d recommend Network Security Monitoring (NSM) – shining the spotlight on your networks, knowing what’s going on and detecting the anomalies that do occur before too much business critical information gets exfiltrated or the bad guys plant too many persistence mechanisms.
Charles Sweeney | @bloxx
Companies are often told to prioritise their security spend – however this is one of those things that is easier said than done. The best way of ensuring you remain secure is a robust, 360 degree policy.
However, if I had to recommend just three essential security practices, firstly I would recommend that organisations of any size actively monitor what data is being accessed via the web in real-time. Secondly, they need to be clear about what the security challenges of personal devices are for the corporate network. These will differ for each company.
And lastly, employees are the greatest line of defence against hackers – be sure that you engage with them regularly about potential ramifications of their actions. And make it real, tangible – sometimes the size and scale of breaches can make them impossible to comprehend. Make it relatable and staff will better understand why their actions matter.
Neira Jones | @neirajones
- Why Hack When You Can Phish? The 2015 Verizon Data Breach Investigation report is, similarly to previous years, very clear on the subject! Just use the right technology to filter emails and also to prevent dangerous exfiltration, but first and foremost, train your staff to recognise such attempts, especially if they are in sales, marketing or customer service, as after all, it is their job to be responsive, and of course, open emails… And don’t forget social media, criminals are now savvy enough to perform phishing attacks using these channels. Most of the breaches in recent years originated with phishing attacks.
- Life is 10% what happens to you and 90% how you respond to it… Let’s face it, data breaches are inevitable. But, panic not, it’s not the end of the world! The quicker you respond to a breach, the less damage will be inflicted. Incident response should be top of the list for all organisations. Involve all your stakeholders as it’s not just an IT problem. And test that incident response plan regularly, the earlier you stop the criminal in the cyber kill chain, the better.
- If you know the enemy and know yourself you need not fear the results of a hundred battles… I’m not generally one for quoting Sun Tzu, but this one seemed particularly apt! There is not enough sharing and cooperation in the field of cybersecurity, whilst criminals are highly organised and efficient. Threat Intelligence has become a necessity and there are many worthwhile initiatives organisations should participate in. Cooperation within industries, across industries and with law enforcement and technology companies is one way of thwarting the tidal wave of cybercrime faster.
Brian A. McHenry | @bamchenry
Avoiding a breach may be a less realistic goal than building an infrastructure able to identify and mitigate a breach in as close to real-time as possible. The three most vital practice areas to achieve a goal of lower risk of data breach and better response time are:
- Instrumentation
- Identity
- Automation
Instrumentation encompasses the practice of effective log aggregation, correlation, and management. Good instrumentation assumes firewalls, sensors, application servers, and other technologies are in place and generating log data. Security practitioners tasked with building good instrumentation will often start with identifying robust SIEM and threat analysis tools. However, they must also have the discernment to configure the log output from the inline systems and sensors, ensuring that the noise output from those technologies doesn’t overwhelm the capacity to analyze that data in a meaningful way. Good instrumentation enables security practitioners to rapidly identify attacks and data loss, and just as critically, identify new or emerging patterns in threat traffic. The latter is a proactive practice enabling more effective anticipation and adaptation of the security posture.
Identity is the means by which the security practitioners can meaningfully control access to data. Whether access is local or remote, via trusted or untrusted networks, reliable assertion of identity is the key to access management decisions. Strong authentication of identity encompasses multiple disciplines including multi-factor authentication, authorization, single sign-on, identity federation, and more. Effective identity and access management also feeds better quality log data, enabling better forensics, auditing, and risk assessment. An emerging challenge for the identity management team is enabling strong authentication that doesn’t compromise application usability, which affects application adoption.
Automation is the practice enabling the effective use of analytic data gathered by good instrumentation. If the log analysis yields great insight into ongoing attacks and emerging threats, but the infrastructure is too rigid to adapt a new security posture, then the ability to respond in a timely fashion is compromised. The automation team must possess skills for integrating security into the software-defined network (SDN), by leveraging programmable APIs of security technologies. Scriptable actions can adapt network paths or alter security policy automatically based on threat analysis. Through programmability, the security posture becomes more adaptable and quicker to respond to threats as they are identified, with less potential for human error. The security automation engineer must be adept in scripting and API integration, maximizing the value of the diversity of firewall, SIEM, analytics, SDN, and other solutions.
These three practice areas are symbiotic, each practice potentially strengthening the other. While there are many other security practices, Instrumentation, Identity, and Automation are three pillars forming a strong foundation for the security team in any organization.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.