[BreachExchange] Enabling a Secure Business

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 13 10:01:32 EDT 2018


http://www.datacenterjournal.com/enabling-secure-business/

Organizations young enough to have begun with an understanding of how
serious cyberthreats are most likely built security into their systems. For
more-established companies, security must be added on after the fact. It’s
the difference between agile security and retrofitted, patchwork security.

Adding security solutions is certainly less expensive than ripping and
replacing the entire security framework—at least initially. But having
several different appliances that must be managed as one-off point
solutions makes the environment overly complex and adds costly overhead.
This situation raises the total cost of ownership and leaves a business
dependent on the vendor or vendors that sold the solution. Integrating
appliances that weren’t part of the design from the start will almost
certainly leave gaps that bad actors can exploit.

Security as an Afterthought

Business today moves quickly, and security has often been viewed as a
hindrance rather than an enabler. So, thus far, the possibility of a
security breach and the penalties that would follow has been less of a
concern than the possibility of slowing down the business with a strict
security protocol.

It’s a juggling act for IT-security teams: they must both make every part
of the architecture as safe as possible (reducing risk to an acceptable
level) and avoid slowing the speed and growth necessary for modern
businesses. This situation has existed for the entire digital age after the
Internet’s invention and quick adoption as a platform for outreach, sales
and marketing. Security was a secondary concern, and the only thing that
mattered was getting the business online.

The arrival of the cloud hasn’t changed this sentiment. Organizations
continue to focus on business, but now they’re just hosting their data on
someone else’s servers and relying heavily on that someone else for
security—sometimes to a fault. For example, in the Department of Defense
(DoD) AWS breach, security was only as good as the people implementing it.
The DoD had all the proper systems in place, along with its AWS hosts, but
a contractor left the S3 storage publicly accessible, allowing top-secret
data to be downloaded along with the system image for Linux-based virtual
machines.
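The S3 exposure described above is a configuration failure, so the useful check is one that reads a bucket's policy and its Public Access Block settings and says whether anonymous callers could read the data. The following is an added example, not code from the article or from AWS: it works on plain dicts shaped like the bucket-policy and PublicAccessBlock JSON documents, so it runs offline without boto3, and the bucket names, account id and policies in it are constructed placeholders. It models policy statements only; ACL grants to AllUsers are a separate control and are not evaluated here.

```python
"""Flag S3 bucket configurations that expose object data to everyone.

Added example (not from the article). Evaluates policy documents and the
four Public Access Block flags as plain dicts; sample values are constructed.
"""

# Actions that, when granted to every principal, expose contents or listings.
EXPOSING_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True if the Principal element matches any caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy):
    """Return the Sid (or index) of each Allow statement that grants an
    exposing action to everyone with no Condition narrowing the caller."""
    found = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (source VPC endpoint, source IP, ...) narrows the grant;
            # such statements deserve manual review but are not unconditionally public.
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & EXPOSING_ACTIONS:
            found.append(stmt.get("Sid", f"statement[{idx}]"))
    return found


def block_is_complete(public_access_block):
    """True only when all four Public Access Block settings are enabled."""
    return all(public_access_block.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS)


def assess_bucket(policy, public_access_block):
    """Classify a bucket as 'private' (no public grant), 'blocked' (public grant
    present but neutralised by a complete Public Access Block) or 'public'."""
    if not public_statements(policy):
        return "private"
    return "blocked" if block_is_complete(public_access_block) else "public"


# --- Constructed sample configurations (placeholder names and account id) ---
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReaderRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/placeholder-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

NO_BLOCK = {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}
FULL_BLOCK = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}

if __name__ == "__main__":
    for label, pol, blk in [("weak, no block", WEAK_POLICY, NO_BLOCK),
                            ("weak, full block", WEAK_POLICY, FULL_BLOCK),
                            ("fixed, no block", FIXED_POLICY, NO_BLOCK)]:
        print(f"{label}: {assess_bucket(pol, blk)} {public_statements(pol)}")
```

The point of the two-layer check is that a scoped principal in the policy and a complete Public Access Block are independent controls: the block catches the case where someone later pastes a `Principal: "*"` statement back in, which is the class of mistake the paragraph describes.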

Whereas traditional security infrastructure involved creating a strong
perimeter, cloud computing, if not designed properly, is flat, enabling
unchecked lateral movement. The threat landscape is ever changing, and the
focus has shifted from keeping the attacker out (which, of course, remains
important) to “What do we do, and how will we know, if they’re already in?”

Strengthening Security

For business to grow but also be secure, the business conversation must
bring in security professionals as early as possible. Doing so will allow
them to lay out a plan that allows the business to grow but also stay
secure, making sure that all of the proper countermeasures are in place so
that as the company’s footprint increases on premises or in the cloud, the
attack surface remains as small as possible.

Best practices for robust security today include minimizing privileges,
monitoring and controlling interactive access, and treating all network
traffic as untrustworthy. Organizations must adopt a “zero-trust model” and
actively inspect all network traffic to validate the authenticity of user
activity.

Organizations can follow these basic steps:

- Limit the scope and rights of network access.
- Shrink the attack surface with patching and configuration control.
- Divide the networks into segments and reduce single points of failure.
- Build resilience so teams and products can recover quickly from incidents.
- Consider using endpoint detection and response (EDR), an emerging
category of tools and solutions that focuses on detecting, investigating
and mitigating suspicious activities and issues on hosts and endpoints.
- Consider using network behavior anomaly detection (NBAD)—the real-time
monitoring of a network for any unusual activity, trends or events.
- Monitor cloud, app and database behavior to identify anomalies that can
indicate threats and compromise.

Make Time for Training

The stoutest defense system is no match for a careless or uninformed
employee. Start training employees on day one so they start thinking about
cybersecurity best practices. Security should matter to everyone, from the
admin to the CEO. This approach will build resilience into products and
teams.

Essential security-hygiene training includes the following:

- Create strong passwords and password-management practices and solutions.
- Look for calls from outsiders trying to obtain your information (social
engineering).
- Use caution when clicking links online and in emails.
- Make sure your software is up to date.
- Always back up your data in case of a ransomware attack.
- Make sure your antivirus software is up to date.
- Keep sensitive data secure and off your laptops and mobile devices.
- Don’t leave your devices unattended.

Security for All

Cybersecurity has become such a serious issue that C-level executives and
board members can sometimes be held accountable for network breaches. Newly
formed companies build security into their environment from the beginning,
but established companies don’t have that luxury. Instead, they’ve had to
piece their security strategy together, possibly leaving gaps that
criminals will exploit. In either case, adhering to the best practices
listed above will help all organizations better defend their networks.