If you remember Aesop’s fable “The Tortoise and the Hare,” you learned a lesson that should apply to your cybersecurity strategy: Slow and steady wins the race. However, organizations that I speak with often follow the hare’s actions: sprinting followed by napping.
Many recent high-profile breaches happened because they followed the hare’s philosophy of working hard and fast up front and then resting. The companies made significant investments up front — based on misguided recommendations — and then napped when they should have been taking continuous actions to defend their networks. In my experience, far too often companies that provide security services or security products recommend organizations sprint by buying and deploying a plethora of security technology devices or services to guard their networks. I call this misconception “one and done” as so many people think just because they have bought one “special” device or a few devices, they’re done, they’ve taken care of their security needs. To the contrary, security is an evolutionary process, and there is no revolutionary product or combination of products that will keep a network secure.
Investing in security technology alone presents a false sense of security. People think their network is secure because they bought a product or service, and then they rest. You can’t rest. You need to consistently monitor and analyze your network and invest in training and evolving. Just as threats from the bad guys continue to evolve, so must your technology and the ways you approach security. Remember the classic cartoons and stories of a sleeping sentry who is comically evaded by a crafty intruder. Like that sentry, you too may want to rest, but thieves are working around the clock 24/7 to break into your network, so you must keep moving ahead in a strategic fashion.
The best course of action is to take measured steps rather than purchasing devices and services haphazardly. As we learn early in life - you can’t run when you can barely crawl. In my plan “Crawl, Walk, Run,” I lay out the steps for midsize organizations to create a business culture of enduring security protection. This strategy also allows you to plan a prudent investment strategy over time to manage your cash flow while mitigating risks to your business.
Basic security needs to be laid down first:
- Monitor your firewalls - This first level of detection is to ensure you have an internal team or security provider monitoring your firewalls. Most compromises can be detected simply by monitoring the activity on the network perimeter – all day and all night.
- Invest in an Intrusion Detection/Prevention System (IDS/IPS) - This helps tremendously to block perceived threats. Having a firewall is not enough. Even if you have an appliance that combines a firewall with an IDS/IPS, you still need a separate layer of IDS/IPS protection behind your firewall. You also must place a network IDS/IPS at all possible points of entry to your network, a host IDS/IPS on your most valuable servers to prevent intrusion, and a wireless IPS to prevent attacks that use your wireless Internet connection.
- Test your network on a defined schedule - Conduct frequent tests to gauge the effectiveness of your security strategy. Midsize companies should conduct a Penetration Test at least twice a year to see how secure the network is, but quarterly is ideal. Test results will show which systems are insecure so you can make the necessary adjustments to strengthen your network. A Vulnerability Assessment is a deeper inspection of your network architecture that is also very effective and worthwhile.
- Have a response plan for the inevitable Security Incident - Purchase an Incident Response Retainer with a security services provider to guarantee swift reaction when you are breached. Having a retainer in place saves valuable time for remediation. You don’t want to waste time negotiating contracts while under siege. Trying to onboard a new vendor during a crisis will waste valuable time. The cost of hiring an incident responder who is not on a retainer can go as high as $400 an hour. Many IR companies have full schedules, and it may cost more to make your case a priority. If you are on a retainer, your cost is less and you are automatically a priority.
- Security Awareness Training – Most breaches these days are due to a non-vigilant employee. Annual testing does not produce vigilant employees. A culture of security knowledge and comprehension does. Develop a comprehensive security training program that teaches and tests your employees every day.
- Monitor your servers, routers, switches and endpoints (servers, workstations and laptops) 24/7 in real-time - No threat prevention device or software is fail-proof. Most antivirus is proving less and less effective over time. The sooner you discover a threat has entered your network, the easier it is to remediate the threat and lock down perceived vulnerabilities. The longer threats stay in your network, the more difficult and costly it becomes to remove them. No threat prevention solution works 100 percent of the time. Attackers can break into your network by entering your website or by sending phishing emails that contain malicious links or attachments to your employees. Service providers can monitor endpoints in real-time and contact you within minutes of seeing the threat to tell you exactly where the threat is located.
- IT audit (also called an Automated Data Processing (ADP) audit) – This audit examines management controls of an organization’s IT systems. The audit assesses controls over the network, logical access, physical access, disaster recovery, application change management, operations and related processes to determine whether your system is safeguarding your assets and operating effectively to achieve company objectives.
- Risk assessments – These explain whether, and how, a business is vulnerable to losing money. For example, a risk assessment looks at the likelihood of a computer system shutting down and how much that outage would cost. To do a risk assessment properly, your assessor must understand technology, business, finance, compliance and the ways a company achieves ROI. That way, the assessor can tell you which weaknesses could harm your business the most and which systems are most important to fix.
- Web app testing – This tests the security of your company’s applications. Practically all applications have security vulnerabilities, or holes. Attackers finagle their way into your network via the holes in your company’s applications.
- Revisit your Computer Security Incident Response Plan (CSIRP) - Conduct quarterly table-top exercises, making updates as you go. Discuss what worked and didn’t work, and develop areas in the plan that are lacking. Having a CSIRP in force can make the difference between your network being offline for days or just hours. If there’s an incident, it won’t be just a technology issue as there are legal and financial implications to a breach, so business executives will need to be present in the planning.
- Conduct Managed Phishing exercises to test the effectiveness of your Security Awareness training program – This is fully managed testing, analysis and reporting that shows how employees respond to simulated phishing attacks. Employees are often the weakest link in your organization’s security program and are often conned into clicking on links or attachments that, unbeknownst to them, are malicious. This way, you can see which employees need to be more careful and you can teach them the error of their ways.
- Advanced Threat Preparedness Assessment - Once you’ve discovered where you’re most vulnerable, it’s time to fix those areas. Engage an incident response provider to conduct an assessment that evaluates your organization’s ability to detect, resist and respond to a targeted or advanced threat, including an Advanced Persistent Threat.
- Real-time monitoring of mobile devices - You can get real-time reporting (device and application inventory, asset location, groups/users and related policies) as well as compliance alerts so you can see who is and isn’t abiding by policies.
- Red Team Testing - Finally, it’s time for the pièce de résistance. Red Team Testing is when you hire an outside security organization to provide cyber-attack simulations using real-world tactics, techniques and procedures. The Red Team poses as a group of white-hat hackers that attack—without harm—your digital infrastructure to see how far they can get inside your network. This allows an organization to see how far a real hacker could get in its organization and to close up vulnerabilities before that occurs.
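The "Monitor your firewalls" and "Monitor your servers ... 24/7" items above say that most compromises show up in perimeter activity if someone is actually looking. The script below is an added example of what that looking can mean in practice; it is not Dell SecureWorks tooling and not part of the original article. It reviews a constructed, simplified outbound-firewall log (the line format, the 10.0.12.x and documentation-range addresses, and the thresholds are all assumptions made for the demo) and flags two patterns a compromised workstation tends to produce: one host reaching an unusual number of distinct external destinations in a short window, and one flow that repeats at suspiciously regular intervals (beaconing). Both checks also work on allowed traffic, which is why monitoring cannot stop at "deny" entries.

```python
"""Toy perimeter-log review for the 'monitor your firewalls' advice above.
Example code added to this article, not Dell SecureWorks tooling; the log
format, addresses and thresholds are constructed for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed log format: one outbound firewall event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) OUT src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> str:
    """Constructed sample: one scanning host, one beaconing host, one normal host."""
    base = datetime(2024, 5, 1, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 10.0.12.34 probes 25 different external hosts on port 445 within two minutes.
    for i in range(25):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t:{TS_FMT}} DENY OUT src=10.0.12.34 dst=203.0.113.{i + 1} dport=445 proto=tcp")
    # 10.0.12.50 reaches the same host on 443 exactly every 60 s (beacon-like).
    for i in range(10):
        t = base + timedelta(seconds=60 * i)
        lines.append(f"{t:{TS_FMT}} ALLOW OUT src=10.0.12.50 dst=198.51.100.7 dport=443 proto=tcp")
    # 10.0.12.99 browses a couple of sites at irregular intervals (benign).
    for offset, dst in [(0, "192.0.2.10"), (37, "192.0.2.10"), (140, "192.0.2.20"),
                        (190, "192.0.2.10"), (600, "192.0.2.20")]:
        t = base + timedelta(seconds=offset)
        lines.append(f"{t:{TS_FMT}} ALLOW OUT src=10.0.12.99 dst={dst} dport=443 proto=tcp")
    return "\n".join(lines)


def parse_log(text: str) -> list[dict]:
    """Parse lines matching LINE_RE; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT).replace(tzinfo=timezone.utc)
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def fan_out_alerts(events, window_s: int = 300, min_dsts: int = 20) -> dict[str, int]:
    """Internal hosts that reach >= min_dsts distinct external hosts inside one window_s bucket."""
    seen = defaultdict(set)  # (src, time bucket) -> distinct destinations
    for ev in events:
        bucket = int(ev["ts"].timestamp()) // window_s
        seen[(ev["src"], bucket)].add(ev["dst"])
    alerts = {}
    for (src, _), dsts in seen.items():
        if len(dsts) >= min_dsts:
            alerts[src] = max(alerts.get(src, 0), len(dsts))
    return alerts


def beacon_alerts(events, min_events: int = 5, max_cv: float = 0.1) -> dict[tuple, float]:
    """(src, dst, dport) flows whose inter-arrival times are suspiciously regular.
    Regularity is measured as coefficient of variation (stdev / mean) of the gaps."""
    times = defaultdict(list)
    for ev in events:
        times[(ev["src"], ev["dst"], ev["dport"])].append(ev["ts"])
    alerts = {}
    for flow, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts[flow] = avg  # value: average beacon interval in seconds
    return alerts


def review(text: str) -> dict:
    """Run both checks over a log and return the findings keyed by check name."""
    events = parse_log(text)
    return {"fan_out": fan_out_alerts(events), "beacons": beacon_alerts(events)}


if __name__ == "__main__":
    for kind, hits in review(build_sample_log()).items():
        for key, value in hits.items():
            print(f"{kind}: {key} -> {value}")
```

On the constructed sample the scanning host is reported by the fan-out check and the beaconing host by the interval check, while the host browsing at irregular intervals is reported by neither. The thresholds (20 destinations per five minutes, five or more events with under 10 percent interval jitter) are starting points; a real deployment tunes them against its own baseline, which is exactly the continuous, around-the-clock work the article argues a single appliance purchase cannot replace.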
When you complete the run stage, it’s like having a black belt in cybersecurity. However, to stay ahead of attackers your security practice should never end. You must still keep going to outrun your attackers. Slow and steady.
You start by covering the basic security needs, which gets you on your feet until you can run. It’s no sprint, but if you stay the course, you’ll end up so far ahead of the cyber-thieves that they may leave you alone to find easier prey.
Jeff Multz is Director of Midmarket North America at Dell SecureWorks. Dell SecureWorks, a global information services security company, helps organizations of all sizes reduce risk, improve regulatory compliance and lower their IT security costs. For more information on securing your organization, please contact [email protected].