Friday, December 13, 2019

Foundational Cyber Security Work Items


Cyber leaders have to prioritize. Yet every vendor wants to convince the audience that their sizzling hot product should be the priority, even if the significant prep work needed for that product to succeed goes unsaid. We have also lost the balance between compliance and what is actually required to secure an organization.

And we wonder why even big-name organizations get breached.

If you are in a highly regulated industry or in government, your focus may have to be elsewhere. But if you are in a less regulated industry and interested in security as opposed to compliance, here are some completely unsexy, fundamental work items that would fit most organizations.

Firewalls: Still a thing. Ensure that firewall settings are what you expect and within your organization’s standards. If you don’t have standards, write them; this is a fundamental task. Close all unneeded ports. Strongly consider adding HTTP web filtering if you don’t have it.
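A written standard only helps if you regularly check hosts against it. The script below is an added example, not code from the original post: it compares the TCP ports a host is actually listening on (parsed from `ss -ltn` style output) with the ports its role is allowed to expose, and reports anything unexpected, anything allowed but absent, and anything bound only to loopback. The role standard, the baseline port set and the socket listing are all constructed for illustration.

```python
"""Check a host's listening TCP ports against a written firewall/port standard.

Added example, not code from the original post. The role standard, the
baseline ports and the `ss -ltn` output below are constructed for
illustration; in practice the listing comes from the host being audited.
"""
import re

# Hypothetical written standard: the only ports each server role may expose.
STANDARD = {
    "web": {80, 443},
    "mail": {25, 587, 993},
    "db": {5432},
}

# Ports any host may expose regardless of role (assumed: SSH for management).
BASELINE = {22}

# Local addresses that mean "not reachable from the network".
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of `ss -ltn` output for a host that is supposed to be a web server.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:3306            [::]:*
"""

# Matches the state, the two queue counters and the local address:port of a LISTEN line.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output):
    """Return the set of (local_address, port) pairs for LISTEN sockets."""
    listeners = set()
    for line in ss_output.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            listeners.add((match.group(1), int(match.group(2))))
    return listeners


def audit_host(role, ss_output, standard=STANDARD, baseline=BASELINE):
    """Compare what the host exposes with what its role is allowed to expose.

    Returns a dict with:
      unexpected    - network-reachable ports the standard does not allow for this role
      missing       - allowed ports that are not listening (service down or misbound)
      loopback_only - ports bound to loopback only; not exposed, listed for information
    """
    allowed = baseline | standard.get(role, set())
    listeners = parse_listeners(ss_output)
    exposed = {port for addr, port in listeners if addr not in LOOPBACK}
    return {
        "unexpected": sorted(exposed - allowed),
        "missing": sorted(allowed - exposed),
        "loopback_only": sorted(port for addr, port in listeners if addr in LOOPBACK),
    }


if __name__ == "__main__":
    result = audit_host("web", SAMPLE_SS_OUTPUT)
    for key, ports in result.items():
        print(f"{key:14s} {ports}")
```

For the sample host the audit flags 8080 and 3306 as exposed but not permitted for a web server, while the PostgreSQL listener on 127.0.0.1 is reported as loopback-only rather than as a violation. Running the same check across an inventory (one role per host) turns "settings are what you expect" into something you can measure every day instead of once at deployment.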

AV: Also still a thing. Make sure that you have a modern AV product deployed with 100% coverage.

Inventory: You need to know what 100% coverage means, and that requires an inventory. It should be more than an inventory of your assets: start an inventory of your known vulnerabilities and your backlog of work items as well.

Cyber Maturity Assessment and Pen Test: Just get these done. You'll need them to set expectations properly with the Board and execs, and to provide a roadmap for the work that follows once the foundational items are complete and your choices for focus start to expand exponentially.

Email Controls: Malicious email dominates the percentages as an attack vector. Reviewing gaps and putting controls in place to protect against malicious email should be an initial work item. DNS filtering, particularly against brand new (newly registered) domains, is a key control.
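To show what "filtering against brand new domains" looks like as detection logic, here is an added example (not code from the original post) that runs over constructed resolver log lines, reduces each queried hostname to its registrable domain, looks up the registration date, and flags queries whose domain is younger than a threshold. The log lines, the registration-date table, the domain names and the 30-day threshold are all constructed; a real deployment would take registration dates from WHOIS/RDAP or a domain-age feed and would use the full Public Suffix List rather than the short suffix set assumed here.

```python
"""Flag DNS queries for newly registered domains from a resolver log.

Added example, not code from the original post. The query log, the
registration-date table and the 30-day threshold are constructed for
illustration; a real deployment takes registration dates from WHOIS/RDAP or a
domain-age feed and the log from the organization's own resolver.
"""
import re
from datetime import date

# Constructed stand-in for a registration-date lookup (all entries are made up).
REGISTERED_ON = {
    "example.com": date(1995, 8, 14),
    "github.com": date(2007, 10, 9),
    "payroll-update-login.com": date(2019, 12, 10),
    "mail-secure-verify.net": date(2019, 12, 12),
}

# A few multi-label public suffixes so eTLD+1 is computed correctly for them;
# a real deployment would load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Constructed resolver log lines (sample only).
SAMPLE_DNS_LOG = """\
2019-12-13T09:01:12Z client=10.0.4.17 query=www.example.com type=A
2019-12-13T09:01:13Z client=10.0.4.17 query=cdn.payroll-update-login.com type=A
2019-12-13T09:02:40Z client=10.0.4.22 query=api.github.com type=AAAA
2019-12-13T09:03:05Z client=10.0.4.31 query=login.mail-secure-verify.net type=A
2019-12-13T09:03:06Z client=10.0.4.31 query=totally-unknown.example type=A
"""

# The date the sample log is evaluated against (constructed to match the log).
AS_OF = date(2019, 12, 13)

LOG_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+) type=(\S+)$")


def registrable_domain(fqdn):
    """Reduce a hostname to the domain that would have been registered (eTLD+1)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {"ts": m.group(1), "client": m.group(2),
                   "query": m.group(3), "type": m.group(4)}


def domain_age_days(domain, as_of, registered=REGISTERED_ON):
    """Age of the domain in days on `as_of`, or None if its registration date is unknown."""
    reg = registered.get(domain)
    return None if reg is None else (as_of - reg).days


def flag_new_domains(log_text, as_of, max_age_days=30):
    """Split queries into those for recently registered domains and those with no
    registration data at all; everything else is treated as normal traffic."""
    new, unknown = [], []
    for entry in parse_log(log_text):
        domain = registrable_domain(entry["query"])
        age = domain_age_days(domain, as_of)
        record = {**entry, "domain": domain, "age_days": age}
        if age is None:
            unknown.append(record)      # no data: decide separately whether to block or just log
        elif age <= max_age_days:
            new.append(record)          # young domain: candidate for blocking / alerting
    return {"new": new, "unknown": unknown}


if __name__ == "__main__":
    report = flag_new_domains(SAMPLE_DNS_LOG, as_of=AS_OF)
    for r in report["new"]:
        print(f"NEW-DOMAIN {r['ts']} {r['client']} {r['query']} "
              f"(registered {r['age_days']} days ago)")
    for r in report["unknown"]:
        print(f"NO-DATA    {r['ts']} {r['client']} {r['query']}")
```

Queries with no registration data are kept in a separate bucket on purpose: whether to treat "unknown" as suspicious is a policy decision (it trades false positives for coverage), and keeping it distinct from "provably new" is what lets the alert stay high fidelity. The same output feeds either a resolver block list or a SIEM alert.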

Privilege Control: Malware isn’t magic. It largely depends on privileges to move laterally and cause damage. Aggressively managing privileges belongs high on the list. If you really want machine learning to work in your environment, the prep work includes getting control of privileges so that the machine learning has a real chance of success.

Patching: Formalizing vulnerability management enough to ensure that systems and third-party applications are actually being patched is high on the list.

Logs and Alerting: Improving observability through logs, and the ability to alert in high-fidelity ways, would be high on my list.

Incident Response: Build out a general capability and plan initially, and develop more specific playbooks over time. Compare your responses against your plan and playbooks after each response. Note any gaps in capability and fill them. My gaps from 2018 included things like “we couldn’t delete malicious emails across all mail servers quickly enough”, and we later found tools that filled those gaps. The justification was compelling to execs largely because the gaps were findings from previous incidents.

Critical Vulnerabilities: You have to "stop the bleeding" immediately for any truly critical legacy vulnerabilities. Not everything initially, just the really egregious things.

There is a lot of work just in the above. Real security is more than checkboxes. 

After these fundamentals are in place, start to prioritize based on your organization’s particular risks as well as deal with mitigating high priority legacy risks. There was over a year of work in the above list for our financial services organization.

Everything else is largely just noise if your priority is securing your network. Get the above items done right and in the rear-view mirror. By doing so, you’ll give yourself the time, space, and distance needed to perform real capability building and to deepen compliance, because you’ll have minimized the opportunities for disruptive events to occur and can respond quickly if they do.

Focus.  Prioritize. Build. Comply.

Like what you've read enough to follow me on Twitter? @Opinionatedsec1.