Cloud/Data Security - The Need to Prioritize
The narrative around data protection and security services is consistent and is seemingly everywhere you turn. More advisories, more complex and covert attacks, increasing demands on internal IT, lack of skilled people, applications in the cloud, SaaS apps, and legacy apps on-premise, often an incomplete set of protection tools, and many other difficult scenarios. It’s a tough world out there for a Chief Information Security Officer, and not a surprise why the average tenure of a CISO within a company is 4.5 years according to Forrester. The CISO needs to first set expectations internally that any network can be breached, but also when struggling with the stark reality of being outmanned, how to leverage the people and funds that ARE available to put them to the best use. Think William Wallace and the Scottish militia against the English in the movie Braveheart...
The CISO, perhaps more so than his or her peers, is forced to compromise and prioritize. Invest in the greatest possible returns of dollars spent and risk reduction and avoid the temptation to invest in the “next great security tool” before the following elements are in place. My list:
Endpoint Security - According to Cisco, 70% of breaches start at the endpoint. Select/deploy a top-tier endpoint protection solution, not a basic Antivirus, and ensure it is actively managed. The first part of this is very common, the second is not. No tools run themselves, and the endpoint that is accessing data and can be used as a host for an attacker. Oversight for policy updates, endpoints that haven’t been updated, reporting of potentially harmful activities are elements that a sound endpoint practice should cover. See blow blog post from Cisco outlining the value of machine learning in their advanced threat solutions: https://blogs.cisco.com/security/how-we-apply-machine-learning-in-cisco-advanced-threat-solutions
Next Generation Firewall (NGFW) - These are not your father’s firewalls. The network perimeter firewalls of today are running rich feature sets and doing so without taxing the processing power of the appliance or virtual server as was the case 5-10 years ago. The analogy I have used is that the firewall is akin to showing a picture ID - - simple/fast verification that the picture is me and my name is what is on the license. Based on that, accept or reject. The NGFW, those running advanced intrusion prevention features are akin to going through the TSA-Pre process of background checks and finger printing. Not only was my name and photo provided, but other characteristics and data points about me are taken into account for decisions on allowing my entry. The NGFWs of today can work through this process on high volumes of data at relatively low costs.
Know Your Data - the “Identify” segment in the NIST Security Framework: Identify - Protect - Detect - Respond - Recover. Often overlooked, the foundational task of identifying data, classifying the data by sensitivity, and establishing policies around the data. This is not an easy task, nor is it one that can be completed once - - it’s a disciplined, ongoing project that establishes the foundation for a security program.
Cloud Governance & Security - the largest cloud provider and partner of ours, AWS coined the “Shared Responsibility Model” for data security in their cloud. In short, this simply means they are responsible for the security OF the cloud, and the user/customer is responsible for data security IN the cloud. The customer is responsible for their own configurations, settings, templates, etc. Despite experiences personnel, mistakes can be made. Enter Cloud Security and Governance tools. Our company has Cloud Security services to identify and report on possible security holes based on the configurations. These are highlighted by severity, so we help customers tackle the most critical holes first.
Vulnerability & Risk Management - Patching of servers for updated versions of OS is simple in theory, more challenging in practice. Urgent activities competing for time, short change windows, lack of staffing, inability to take downtime or perhaps lack of process, all contribute to the challenge. Vulnerability scanning is an important element of IT hygiene. Like oral hygiene, the process is about as pleasurable as going to the dentist. Following the weekly or monthly scan, the results outline the work to be done - - the amount of servers running versions of software that have vulnerabilities, those which the attacker is looking for. Just yesterday I saw a ticket that our team handled where an attacker from an IP address in China was scanning one of our customer networks looking for SMB network gear from D-Link that had vulnerabilities that could be breached. From there the attacker could download a script to the D-Link router to execute the next level of the attack - - such as stealing admin passwords, refreshing the firmware or installing rogue services.
Cloud Security - for anyone that’s been to San Francisco lately, all you have to do is look at the new Salesforce Tower to see that the world of applications in a SaaS model, one that they helped explode, is growing incredibly fast. More users of more companies are accessing applications in a SaaS model, like O365 or Salesforce, and are doing so outside of their networks. They’re remote users, connecting from home, the airport, coffee shops, commuter trains and so on. In many cases, they are not going through their network VPN, they’re connecting directly to the SaaS provider with their login credentials. Using cloud security tools require the Domain Name Services (DNS) of the user to be screened real time even when they’re off of the network for DNS enforcement and URL and file inspection. These solutions are low cost and very high value.
Threat Detection - ISC(2) estimates the number of unfulfilled security jobs will rise to 1.8M by 2022. Trying to deploy tools for threat monitoring - - gathering data from the various protection tools (some mentioned above) and network/server/application data - - and staff a Security Operations team is rarely cost effective. The market of Managed Security Service Providers (MSSPs) is growing fast for this very reason. Look for a company like Pinnacle, who specializes in the protection of data and detection of threats and can provide a more economically-feasible solution while delivering enterprise-class tools and highly trained security professionals. This process is a combination of leveraging exception tools, well configured and managed, fed by critical threat feeds, tuned and automated and then leveraging consistent process for incident scoping by trained professionals who are Certified Ethical Hackers.
The landscape of tools and vendors is daunting. There are so many options and so many products/tools that overlap, which makes it easy to overspend. Take a step back and focus on the most impactful elements of the portfolio. Execute those at a high level and stay consistent. From there layers can be added.