[BreachExchange] How to Achieve an Optimal Security Posture

Destry Winant destry at riskbasedsecurity.com
Thu Jul 6 00:53:40 EDT 2017


http://www.esecurityplanet.com/network-security/optimal-security-posture.html

The perfect IT security solution is one that makes an enterprise
completely secure and "unhackable," where no unauthorized parties can
get onto the network, access confidential data, deny service to
legitimate users, or otherwise carry out any malicious or unwanted
activities.

Unfortunately, there's no such thing as total or complete security. In
part that's because there will always be a malicious actor such as a
nation state with more resources to devote to hacking than an
enterprise can devote to defending itself, according to James Lewis, a
cybersecurity expert at the Washington, D.C.-based Center for
Strategic and International Studies (CSIS). "It is simply not possible
to beat these hackers," Lewis says. "Government-backed hackers simply
won't give up. They will keep trying until they succeed."

And that means that IT security ultimately boils down to security risk
management: using the available IT security budget to build not a
total or complete security system, but an optimal one that minimizes
the chances that a damaging security breach can occur – and can
minimize the damage if a breach does occur.

So given the current state of security technology, how do you develop
an optimal security posture within the constraints of a normal
security budget – which is, on average, about 5.6% of the total IT
budget in most organizations (source: Gartner)?

The precise makeup of an optimal IT security posture will vary from
company to company, but here are some general guidelines.

Know what you have to defend

The first step in building the best possible security solution is to
understand exactly what IT infrastructure you have to defend. "The
smartest thing is to do a comprehensive asset inventory and network
definition exercise so you know every device and technology you have
and where your network extends to," said Chase Cunningham, a security
and risk expert at Forrester Research. "Only then can you decide
exactly what it is you want to defend."

Decide what needs protecting

A typical enterprise IT infrastructure will include one or more
networks, servers, desktop and mobile endpoints, applications, data,
and perhaps even external Internet of Things (IoT) devices. "What you
need to do is figure out what is required to defend this with the
minimum investment," said Cunningham. He believes that the best
starting point is a vulnerability and patch management system. "If you
can't patch, then you can't defend and you can forget anything else,"
he said. "Ultimately, if you suck at patch management, you suck at
security."

Of course, it takes much more than a vulnerability and patch
management system to secure networks, devices and applications - not
least because they can do nothing against zero-day attacks using
previously unknown vulnerabilities.

The next step is to defend the network perimeter using identity and
access management systems, which restrict network access to authorized
users and restrict those users to the resources they are authorized to
use.

These are best used in conjunction with multi-factor authentication
systems, which use a one-time password (generated by a portable
hardware device or smartphone software, or sent to a cell phone by
SMS), a biometric measurement such as a fingerprint or voice print, or
some other second factor in addition to a standard password.

These can be reinforced using a network access control system, which
restricts network access to authorized endpoints with prescribed
security configurations (such as running an up-to-date anti-virus
product).

Find and protect your data

The next step, according to Cunningham, is to identify your
organization's valuable or confidential data, or data that needs to be
secured for regulatory compliance reasons, and take steps to defend
it. "It is very simple: find your data, value it, and keep it safe,"
he said.

Although it is tempting to start with technical solutions, it is
important to remember that a high proportion of data breaches are the
result of social engineering or phishing attacks: Verizon's data
breach investigation team reported recently that 90% of data breaches
have a social engineering or phishing component to them. These allow
hackers to bypass security systems by tricking employees into giving
them passwords or other information that they need to breach the IT
infrastructure.

That means staff training that raises awareness of phishing and social
engineering dangers, and so reduces the risk of falling victim to such
attacks, is vital. Such training can be complemented by anti-phishing
training tools, which are designed to keep employees' awareness of the
risks of phishing emails high. They work by sending fake phishing
emails to employees from time to time to see whether they can be
enticed into clicking on malicious links. Employees who do so can then
be given more training to help them avoid real phishing emails in the
future.

But the basic technical solutions include a comprehensive, centrally
managed endpoint security system that includes anti-malware software
(and ideally specific measures to stop ransomware). These often also
bundle other specific data protection solutions such as encryption and
data loss prevention.

Data loss prevention is often underestimated, but it can be very
effective at countering insider threats. For example, a good data loss
prevention system should be able to prevent an employee who is leaving
the company from downloading confidential data, customer lists and
other valuable data onto a USB stick and taking it to their next
employer.

Mobile security

A relatively new area of concern for IT security professionals (thanks
to the rise of Bring Your Own Device, or BYOD) is the use of
employee-owned devices on the network, and some form of BYOD security
system is vital.

Ideally, this would take the form of a comprehensive enterprise
mobility management (EMM) system that can manage both corporate and
employee-owned mobile devices (including laptops, tablets and
smartphones). EMMs go beyond mobile device management (MDM) solutions
by controlling access to corporate networks and applications, ensuring
that devices are locked with strong passwords when not in use,
encrypting any corporate data stored on them, and carrying out remote
data wipes in case the devices are lost or stolen, among other control
and visibility features.

Internet of Things (IoT) security

One more area that is worth mentioning because it is becoming
increasingly important is IoT security. IoT endpoints (or "things")
are generally used as data collection points. This data is then sent
over a network to an IoT platform ingestion point where the data is
collected, processed and used in real time or stored.

IoT security systems carry out a range of functions, such as detecting
when IoT devices are tampered with and encrypting collected data both
in motion and at rest on a dedicated IoT platform.

Cloud security

Enterprises are increasingly making use of cloud services outside the
corporate network, and any that do need some way of ensuring that
those services can be used securely and that data stored in the cloud
is safe. One way to reduce the risk introduced by cloud services is to
use a cloud access security broker (CASB), which can set policy,
monitor behavior, and manage risk across the entire set of enterprise
cloud services being consumed.

Examples of security policies enforced by a CASB include
authentication, single sign on, authorization, credential mapping,
device profiling, encryption, tokenization, logging, alerting, and
malware detection and prevention.

A CASB also gives enterprises visibility into authorized and
non-authorized cloud usage. It can intercept and monitor data traffic
between the corporate network and cloud platform, assist with
compliance issues, offer data security policy enforcement, and prevent
unauthorized devices, users, and apps from accessing cloud services.

Distributed Denial of Service (DDoS) attacks

About 80% of organizations faced DDoS attacks in 2016, according to
Neustar, and successful attacks cost the victim an average of $2
million. Some 45% of attacks are now larger than 10 Gbps and 15% are
larger than 50 Gbps, so it is now impossible for most organizations to
cope with these attacks using their own network resources.

For that reason, it is important to have a DDoS mitigation plan and
service in place with a clear process for contacting the service to
start mitigation in case of an attack.

DDoS mitigation services are usually run from the cloud, and
mitigation generally involves diverting all traffic (including
malicious traffic) to the service, where it is scrubbed. Legitimate
traffic can then be forwarded to the intended destination servers.

The big picture: firewalls, threats and SIEM

What's not been mentioned yet are the big-ticket items that may
consume a large part of a security budget and are mainstays of a
corporate security posture. These include a standard network firewall,
or as is increasingly common, a next generation firewall (NGFW). An
NGFW goes beyond blocking ports or protocols to perform stateful
packet inspection right down to the application layer, allowing the
device to block packets that are not matched to known active
connections, to block unwanted application traffic (rather than
traffic on specific ports) and to close network ports all the time
unless they are actually in use, which provides some protection
against port scanning.

Increasingly NGFWs include intrusion prevention and detection
functionality, although these may also be purchased as standalone
products.

In many cases, intrusion prevention and endpoint protection systems
rely on the availability of threat intelligence feeds that provide
information about emerging threats, such as signature activity that
can indicate a particular threat is present.

Application firewalls are also often necessary if your company
operates internet-facing applications. An application firewall
monitors incoming traffic to block certain types of content, including
attempts to carry out SQL injection attacks using deliberately
malformed queries.

One final big ticket item that is becoming increasingly important is a
security information and event management (SIEM) system, which can
monitor logs from network hardware and software to spot security
threats, detect and prevent breaches, and provide forensic analysis
after a breach. A SIEM can also generate reports for compliance
purposes. A SIEM is the technology that can tie all your security
efforts together.
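The SIEM's job of spotting threats in device logs, shown with an added example that is not from the article: a small correlation rule in Python that reads constructed firewall deny logs (the line format, hosts, addresses and thresholds are all assumptions) and raises an alert when one source probes many ports on a host within a short window, the port-scanning activity the firewall section above mentions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed firewall log lines and an assumed line format; not from any real device.
SAMPLE_LOGS = """\
2017-07-06T00:53:40Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=21
2017-07-06T00:53:41Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=22
2017-07-06T00:53:41Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=23
2017-07-06T00:53:42Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=25
2017-07-06T00:53:43Z fw01 ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443
2017-07-06T00:53:44Z fw01 DENY src=198.51.100.7 dst=192.0.2.10 dport=80
2017-07-06T00:55:10Z fw01 DENY src=10.0.0.9 dst=192.0.2.10 dport=3389
2017-07-06T00:58:00Z fw01 DENY src=10.0.0.9 dst=192.0.2.10 dport=445
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    """Return one log line as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec

def detect_port_scans(lines, min_ports=5, window_seconds=60):
    """Alert on (src, dst) pairs whose DENY events touch at least min_ports
    distinct destination ports inside any window_seconds span."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY":
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))
    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits in window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports)})
                break  # one alert per pair is enough
    return alerts
```

Running `detect_port_scans(SAMPLE_LOGS.splitlines())` on the sample flags only 198.51.100.7, which hits five distinct ports in four seconds; the host that touches two ports minutes apart stays below the threshold.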

Think like a hacker – and test

Once an overall security solution is in place, the best way to find
out how effective it is at preventing a breach is to subject it to
penetration testing. Also called vulnerability assessment and testing
or "pen testing" for short, this involves a simulated attack on your
organization's network to assess security and determine its
vulnerabilities.

These "white hat" attacks carried out by security professionals are
designed to identify network security issues and other
vulnerabilities, identify policy compliance failures, and improve
employee awareness of proper security practices.

Preparing for a breach

Since the ideal security solution does not exist, there is always a
risk of a security breach, and organizations should prepare for one by
planning an incident response process so that damage can be limited.

This should include preparation, identification, containment,
eradication, recovery and learning from the incident, according to
SANS Institute recommendations.

One final measure that can be taken as part of a risk management
process is the purchase of cyber insurance to mitigate the financial
costs of a breach. These costs should not be underestimated: the
average cost of a data breach in the U.S. is $221 per record, or $7
million per breach, according to the Ponemon Institute's Cost of Data
Breach Study.

Organizations have many IT security solutions to choose from. An
assessment of your most critical vulnerabilities is a very good place
to start to determine which of your assets are the most valuable, and
then begin to protect them. We offer comprehensive security product
overviews in our security products section.


More information about the BreachExchange mailing list