[BreachExchange] 4 Reasons to Take an 'Inside Out' View of Security

Destry Winant destry at riskbasedsecurity.com
Tue Mar 19 03:02:40 EDT 2019


When you approach security from the inside out, you're protecting your
data by determining the most vital applications and using a risk-based
strategy, which focuses on the most valuable and vulnerable assets.

Sun Tzu, the famous military strategist and philosopher, once said,
"If you know the enemy and you know yourself, you need not fear the
result of a hundred battles."

This quote from two millennia ago could not be more pertinent to
today's cybersecurity landscape. Too often, security leaders — across
the private and public sectors — neglect the essential questions
regarding the cyber defenses and capabilities they already have. In
the cybersecurity realm, this boils down to asking, "Do I know my
inside controls are working like they're supposed to be working? How
is our cyber hygiene?"

Understanding inside weaknesses and vulnerabilities is more important
than ever. During periods of inactivity, such as the most recent
government shutdown, organizations are especially prone to data
breaches. Security certificates can expire during those times, leaving
agencies weaker and more vulnerable to a number of threats. Security
teams also lose time for essential tasks because of the backlogs that
pile up while they are away.

To truly prepare for cyber threats, organizations must start
operationalizing a view of security from the inside out, with cyber
hygiene at the heart of that view.

Cyber Hygiene at the Heart
Traditionally, companies tend to manage cybersecurity based on
assumptions: assuming their vendors' products are working correctly,
then assuming those products have been deployed and configured

What's missing is validation that the information surrounding an
organization's cyber defense is accurate, with no gaps or points of
misinformation. Agencies need to validate controls continuously rather
than measuring security one snapshot at a time.

This is what the Department of Homeland Security (DHS) promotes
through its Continuous Diagnostics and Mitigation (CDM) program. CDM
is intended to give government agencies real-time visibility into
their security systems through continuous monitoring. Unlike
penetration tests or audits, which are static point-in-time
assessments, continuous monitoring gives more holistic visibility into
systems over a longer period of time.
Agencies can then quantifiably validate whether their controls are
protecting critical assets. At the same time, security leaders and
teams can manage their cybersecurity programs with more meaningful
metrics to drive decision-making, optimize operations, and,
ultimately, improve their cyber posture over time.

Look "Inside Out"
Despite the progress being made through programs like CDM, continuous
monitoring still needs validation of the implementation of solutions
as well as surrounding data. That's why it's increasingly important
for private companies and government agencies to approach
cybersecurity with an "inside out" view by doing the following:

1. Identify exact points of vulnerability within the attack life
cycle. The first point of vulnerability is your organization's own
people. Security leaders should focus on helping their teams
understand an attacker's behavior in the particular segment they're
trying to defend. Then test defenses by exercising the incident
response process. Do personnel know who to call and how to quantify
what they're seeing in context? Do they forward a phishing email to
the correct party? By understanding how teams currently respond to
threats with practice scenarios, leaders can determine where to make defenses

2. Measure ROI on cybersecurity investments. Government must be
extremely judicious about spending taxpayer dollars, while businesses
must ensure trust with their partners and clients. This is why it's
especially important to verify that your organization is attaining the
expected ROI out of cybersecurity investments — rather than assuming
so. Security leaders need data that shows exactly where the security
gaps are and where you need to invest more heavily.

3. Apply risk-based decision-making, not compliance-based. Traditional
models of measuring cybersecurity effectiveness tend to be siloed and
compliance based, where cybersecurity measures are managed across
separate enterprise channels and important data is underutilized. This
also tends to result in a "checklist" mentality, which can leave your
company vulnerable. Instead, cybersecurity must be aligned with your
organization's biggest risks and mission-critical business needs with
products that deliver holistic and actionable insights.

4. Determine which technologies can be improved and which can be
removed from the stack. Cybersecurity personnel have many products to
manage, so it's important to verify which products in the environment
are working and which are not. Solutions that fit one organization may
not be the right match for yours. Determine which technology products
can give you the most value and which fit best with your current
architecture, so that you're not purchasing products that duplicate
capabilities you already own. Having security controls mapped in an
automated fashion also makes it easier to tag and label identified
threats.

Know Thyself
When you tackle security from the outside in, you're simply trying to
deny intrusion. When you approach from the inside out, you are
protecting your mission-critical data by determining the most vital
applications and using a risk-based strategy, which focuses on the
most valuable and vulnerable assets. Tackling cybersecurity from the
inside out will not be easy. But as budgets continue to spike — even
as the data breaches keep happening — security leaders must tie
security to accountability. Whether government or private sector,
every organization at the end of the day is a business, and an
inside-out approach makes the most business sense.
