Cyber leaders have to prioritize. Yet every vendor wants to convince the audience that their sizzling hot product should be the priority, even when the significant prep work needed for that product to succeed goes unsaid.
We’ve also confused compliance with what is actually required to secure an organization.
And then we wonder why even big-name organizations get breached.
If you are in a highly regulated industry or in government, your focus may have to be elsewhere. But if you are in a less regulated industry and interested in security rather than just compliance, here are some completely unsexy fundamental work items that would fit most organizations …
Firewalls: Still a thing. Ensure that firewall settings are what you expect and within your organization’s standards. If you don’t have standards, write them; this is a fundamental task. Close all unneeded ports. Strongly consider adding HTTP web filtering if you don’t have it.
AV: Also still a thing. Make sure that you have a modern AV with 100% coverage.
Inventory: You need to know what 100% coverage means, and that requires an inventory. It should be more than an inventory of your assets: start an inventory of your known vulnerabilities and of your backlog of work items as well.
Cyber Maturity Assessment and Pen Test: Just get these done. You'll need them to set expectations properly with the board and execs, and to provide a roadmap for the work after the foundational items are complete and your choices for focus start to expand exponentially.
Email Controls: Malicious email dominates the percentages as an attack vector. Reviewing the gaps and putting controls in place to protect against malicious email should be an initial work item. DNS filtering, particularly against brand new domains, is a key control.
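Filtering on domain age is a cheap control because phishing infrastructure is usually registered days before it is used. The following is an added example, not code from the original post or any particular filtering product. It extracts the sender domain and every linked domain from a constructed batch of messages, looks each one up in a constructed registration-date table (standing in for a WHOIS/RDAP or threat-intel feed), and flags anything registered within the last 30 days or with no registration data at all. The two-label “registrable domain” shortcut is an assumption noted in the code; a production filter would use the public suffix list.

```python
"""Flag email whose sender or links point at newly registered domains.
Added example, not from the original post.  The registration dates and
the messages are constructed; the dates stand in for a WHOIS/RDAP or
threat-intel lookup."""
import re
from datetime import date
from urllib.parse import urlparse

# Constructed domain-age data (stand-in for a registration-date lookup).
REGISTERED_ON = {
    "example.com": "1995-08-14",
    "corp-payroll-update.example": "2018-10-28",  # registered days before use
    "docs-share.example": "2018-10-30",
}

# Constructed messages in the shape a mail-gateway log or API would hand back.
MESSAGES = [
    {"id": "m1", "from": "hr@example.com",
     "body": "Policy refresh: https://intranet.example.com/policy"},
    {"id": "m2", "from": "payroll@corp-payroll-update.example",
     "body": "Verify now: https://login.corp-payroll-update.example/verify?u=1"},
    {"id": "m3", "from": "colleague@example.com",
     "body": "File: https://docs-share.example/d/abc and http://unknown-host.test/x"},
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels ('mail.example.com' -> 'example.com').
    Assumption/simplification: a real implementation needs the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_age_days(domain: str, today: str):
    """Days since registration, or None when no registration data exists."""
    reg = REGISTERED_ON.get(domain)
    if reg is None:
        return None
    return (date.fromisoformat(today) - date.fromisoformat(reg)).days


def assess_email(msg, today: str, max_age_days: int = 30):
    """Return a list of (domain, reason) findings for one message."""
    domains = {registrable_domain(msg["from"].split("@")[-1])}
    for url in URL_RE.findall(msg["body"]):
        host = urlparse(url).hostname
        if host:
            domains.add(registrable_domain(host))
    findings = []
    for d in sorted(domains):
        age = domain_age_days(d, today)
        if age is None:
            findings.append((d, "no registration data"))  # unknown = suspicious
        elif age <= max_age_days:
            findings.append((d, f"registered {age} day(s) ago"))
    return findings


def triage(messages, today: str, max_age_days: int = 30):
    """Return {message id: findings} for every message that should be held."""
    flagged = {}
    for m in messages:
        findings = assess_email(m, today, max_age_days)
        if findings:
            flagged[m["id"]] = findings
    return flagged


if __name__ == "__main__":
    for msg_id, findings in triage(MESSAGES, "2018-10-31").items():
        print(msg_id, findings)
```

Unknown domains are treated as findings rather than ignored; silently passing anything the feed has no record of is how the control gets bypassed. Tune max_age_days to your tolerance for false positives on legitimate new vendors.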
Privilege Control: Malware isn’t magic. It largely depends on privileges to move laterally and cause damage, so aggressively managing privileges belongs high on the list. If you really want machine learning to work in your environment, the prep work includes getting control of privileges so that the machine learning has a real chance of success.
Patching: Formalize vulnerability management enough to ensure that systems and third-party applications are actually being patched. This is high on the list.
Logs and Alerting: Improving observability through logs, and the ability to alert in high-fidelity ways, would be high on my list.
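“High fidelity” is the operative phrase: an alert on five failed logins fires all day, an alert on a burst of failures followed by a success from the same source is something an analyst should actually look at. The following is an added example, not code from the original post. It parses constructed sshd/syslog-style auth lines and raises an alert only when a source address accumulates at least N failures within a sliding window and then authenticates successfully to the same host. The year is supplied because syslog omits it; the threshold and window are assumptions to be tuned per environment.

```python
"""Alert on a credential-guessing burst that ends in a successful login.
Added example, not from the original post.  The log lines are constructed in
the style of OpenSSH/syslog; the rule is the point: failures alone are noisy,
failures followed by a success from the same source are high fidelity."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
Oct 31 07:50:00 srv-db01 sshd[2100]: Failed password for root from 203.0.113.7 port 50990 ssh2
Oct 31 08:00:01 srv-db01 sshd[2201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Oct 31 08:00:09 srv-db01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Oct 31 08:00:17 srv-db01 sshd[2205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Oct 31 08:00:25 srv-db01 sshd[2207]: Failed password for backup from 203.0.113.7 port 51006 ssh2
Oct 31 08:00:33 srv-db01 sshd[2209]: Failed password for backup from 203.0.113.7 port 51008 ssh2
Oct 31 08:00:41 srv-db01 sshd[2211]: Failed password for backup from 203.0.113.7 port 51010 ssh2
Oct 31 08:00:42 srv-db01 CRON[2212]: (root) CMD (run-parts /etc/cron.hourly)
Oct 31 08:01:05 srv-db01 sshd[2213]: Accepted password for backup from 203.0.113.7 port 51012 ssh2
Oct 31 08:05:10 srv-db01 sshd[2300]: Failed password for jdoe from 198.51.100.9 port 40000 ssh2
Oct 31 08:05:18 srv-db01 sshd[2302]: Failed password for jdoe from 198.51.100.9 port 40002 ssh2
Oct 31 08:05:26 srv-db01 sshd[2304]: Failed password for jdoe from 198.51.100.9 port 40004 ssh2
Oct 31 08:05:40 srv-db01 sshd[2306]: Accepted password for jdoe from 198.51.100.9 port 40006 ssh2
Oct 31 08:10:00 srv-db01 sshd[2400]: Accepted publickey for deploy from 10.0.0.5 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse(line: str, year: int = 2018):
    """Parse one sshd auth line; returns None for lines that are not auth events.
    Syslog omits the year, so it is supplied as a parameter (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect(log_text: str, fail_threshold: int = 5, window_s: int = 300):
    """Return alerts for: >= fail_threshold failures from one source to one host
    within window_s seconds, followed by an Accepted login from that source."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # (src, host) -> timestamps of failures
    alerts = []
    for ev in events:
        key = (ev["src"], ev["host"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= fail_threshold:
            alerts.append({
                "severity": "high", "host": ev["host"], "src": ev["src"],
                "user": ev["user"], "failures": len(recent),
                "first_failure": recent[0].isoformat(), "success_at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the constructed log only the 203.0.113.7 burst alerts: the earlier 07:50 failure falls outside the window, the three jdoe failures are below the threshold, and the deploy key login has no failures behind it. Lowering the threshold to 3 also catches the jdoe sequence, which is what the window and threshold knobs are for.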
Incident Response: Build out a general capability and plan initially, and develop more specific playbooks over time. Compare your responses against your plan and playbooks after each response. Note any gaps in capability and fill them. My gaps from 2018 included things like “we couldn’t delete malicious emails across all mail servers quickly enough”, and we later found tools that filled those gaps. The justification was compelling to execs largely because the gaps were findings from previous incidents.
Critical Vulnerabilities: You have to "stop the bleeding" immediately for any truly critical legacy vulnerabilities. Not everything initially, just the really egregious things.
There is a lot of work in just the above. Real security is more than checkboxes.
After these fundamentals are in place, start to prioritize based on your organization’s particular risks, and mitigate the high-priority legacy risks. There was over a year of work in the above list for our financial services organization.
Everything else is largely noise if your priority is securing your network. Get the above items done right and in the rear-view mirror. By doing so, you’ll give yourself the time, space, and distance needed to do real capability building and to deepen compliance, because you’ll have minimized the opportunities for disruptive events to occur and can respond quickly if they do.
Focus. Prioritize. Build. Comply.
Like what you've read enough to follow me on Twitter? @Opinionatedsec1.