
Cybersecurity's Juggling Act

Cybersecurity programs can often feel like a busy and confusing three-ring circus of activities. This blog outlines a few critical questions cybersecurity staff should be asking about their programs.
Published on March 14, 2018

Organizations are challenged with juggling what seems to be a three-ring circus of issues related to either implementing or managing an existing cyber threat intelligence program. I say three-ring circus because, by definition, a three-ring circus has three separate areas where performances occur at the same time. I will go on record to state that I’m not a fan of three-ring circuses, but the analogy conveys just how busy and confusing cybersecurity programs can be. There’s so much going on that it always feels like you’re missing something.

This is true of board members who don’t understand cybersecurity reports all the way down to analysts who are inundated with daily alerts and struggle to separate false positives, prioritize the remaining “high priority incidents,” and set in motion the remediation process.

Cybersecurity often feels that way because there are multiple teams involved, sometimes working in isolation. Workflow processes are designed both to provide inputs to other teams and to receive outputs from them. This can result in processes that are cumbersome, rarely simple and foolproof, and with proficiency tracked by questionable metrics (that may ultimately decide the budget).

If any of the above sounds like your security program, don’t worry. There are a few simple questions organizations can ask themselves to make sure that everything juggled is eventually caught.

1) Does my organization have a clear understanding of the potential attack surface?

A lot of organizations struggle to maintain accurate asset management systems, which are fundamental to understanding mission critical assets. Any exposure to lines of business supported by these assets, or to those assets themselves, will introduce risk to the overall organization. Next you can ask yourself: If my team is responsible for the cybersecurity initiative and I need this information, whom do I go to for it? Is it complete? If not, does it at least have the mission critical information to get started?

2) Does my organization have the necessary policies in place and invest in user awareness programs?

Verizon’s 2016 Data Breach Investigations Report states that 70% of breaches are caused by employees within the business, stemming from insider threats, phishing, poor configuration, and more. Policies and user awareness programs can help to prevent some of these issues, particularly ransomware and phishing attempts. Organizations can enhance these programs with up-to-date, organization-relevant, and threat-specific trainings on various potential attacks. It’s also important to note that policies and trainings should be applied to everyone. These policies are only useful, though, if the staff know they exist and the organization can audit user acceptance and monitor compliance. Successful cyber defense requires all users to be diligent about the constant threats designed to exploit human nature.

3) Does my organization utilize Identity and Access Management?

Identity and Access Management is used not only to manage users and their accounts but also to leverage user behavior analytics add-ons or platforms to alert on non-standard or out-of-policy behavior. The first thing that comes to mind when discussing User & Entity Behavior Analytics (UEBA) is typically a disgruntled end user looking for sensitive information on management, but this information can also contain clues of non-standard network behavior, ultimately leading to detection of end user accounts that have been compromised.

4) Does my organization employ tight change management policy?

Change management is necessary but should not disrupt business. The same is true of compliance. IT needs to make changes with full transparency as to the implications for the business and govern the processes in a way that minimizes impact. This means establishing controls and appropriate processes that will support these controls. Controls should include monitoring of change windows, systems affected, and expected results, so that these identifiers can be audited within other systems in place. These changes must also quickly be labelled as expected behavior for this date and time. Checks and balances produce expected audit trails and support identification of outlier activity and the introduction of risk.
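The reconciliation described above, as an added example that is not part of the original post: each observed configuration change is checked against the approved change windows (ticket, host, window, expected result) and labelled "expected" or "unapproved", and windows that closed without their expected result being observed are reported as well. The log line format, field names, ticket ids and hostnames are all constructed for this illustration and are not from any real tool or organization.

```python
"""Reconcile observed configuration changes against approved change windows.

Added example, not code from the original post. The audit-log format,
the change-window records and all names below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ChangeWindow:
    ticket: str          # change ticket id (constructed)
    host: str            # system the change is approved for
    start: datetime      # approved window start (tz-aware)
    end: datetime        # approved window end (tz-aware)
    expected: str        # expected result: the artifact that should change


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    host: str
    actor: str
    detail: str          # what changed, as recorded by the host's audit log


# Constructed change calendar: two approved windows on the same night.
WINDOWS = [
    ChangeWindow("CHG-1001", "web01",
                 datetime(2018, 3, 14, 2, 0, tzinfo=timezone.utc),
                 datetime(2018, 3, 14, 4, 0, tzinfo=timezone.utc),
                 "sshd_config"),
    ChangeWindow("CHG-1002", "db01",
                 datetime(2018, 3, 14, 2, 0, tzinfo=timezone.utc),
                 datetime(2018, 3, 14, 4, 0, tzinfo=timezone.utc),
                 "postgresql.conf"),
]

# Constructed audit log: '<iso-timestamp> host=<h> user=<u> change=<artifact>'.
SAMPLE_LOG = [
    "2018-03-14T02:15:00+00:00 host=web01 user=svc_ansible change=sshd_config",
    "2018-03-14T02:20:00+00:00 host=web01 user=svc_ansible change=sudoers",
    "2018-03-14T13:05:00+00:00 host=web01 user=jdoe change=sshd_config",
]


def parse_event(line: str) -> AuditEvent:
    """Parse one constructed audit log line into an AuditEvent."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    return AuditEvent(datetime.fromisoformat(ts_str),
                      fields["host"], fields["user"], fields["change"])


def reconcile(events: List[AuditEvent],
              windows: List[ChangeWindow]) -> List[Tuple[AuditEvent, str, Optional[str]]]:
    """Label each event 'expected' when it falls inside an approved window for
    the same host AND matches that window's expected result; otherwise
    'unapproved'. A change inside a window that touches something other than
    the approved artifact is still an outlier and is flagged."""
    results = []
    for ev in events:
        label, ticket = "unapproved", None
        for w in windows:
            if w.host == ev.host and w.start <= ev.ts <= w.end and w.expected == ev.detail:
                label, ticket = "expected", w.ticket
                break
        results.append((ev, label, ticket))
    return results


def unrealised_windows(results, windows: List[ChangeWindow], now: datetime) -> List[str]:
    """Tickets whose window has closed without the expected result being observed.
    A silent 'no change happened' is itself worth an audit question."""
    seen = {ticket for _, label, ticket in results if label == "expected"}
    return [w.ticket for w in windows if w.end < now and w.ticket not in seen]


if __name__ == "__main__":
    labelled = reconcile([parse_event(l) for l in SAMPLE_LOG], WINDOWS)
    for ev, label, ticket in labelled:
        print(f"{ev.ts.isoformat()} {ev.host} {ev.actor} {ev.detail}: {label} {ticket or ''}")
    print("windows with no observed result:",
          unrealised_windows(labelled, WINDOWS, datetime(2018, 3, 15, tzinfo=timezone.utc)))
```

Running the script labels the first line as expected under CHG-1001, flags the sudoers edit as unapproved even though it happened inside the window (wrong artifact), flags the afternoon sshd_config edit as unapproved (outside the window), and reports CHG-1002 as a window that closed with nothing observed on db01. The "expected result" field is what turns a change calendar into something the SOC can audit against rather than a blanket suppression of alerts for the whole window.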

5) (This is a big one) Does my organization have an incident monitoring and response plan?

The foundation of any organization is a layered approach of technical controls to protect against intrusion, but it’s not complete without an established response plan. Part of a response plan includes identifying all other teams, system owners/caretakers, data owners, etc., which helps to streamline processes that must be quick to be effective. More mature organizations can even go to the extent of employing Governance, Risk & Compliance (GRC) systems. Such systems can often provide inputs to security teams that help them to prioritize incidents, but more so to consolidate a lot of the information discussed above. That consolidation in turn can provide a risk score to assets, expediting the escalation of incidents involving mission critical assets. It also provides management with insight into risk and requires sign-off on a tolerable risk level within the organization.

That’s a lot to take in at once, isn’t it? It may be slightly painful to scrutinize each and every aspect of your organization’s cybersecurity program, but asking some simple questions like these can help to orient teams towards more meaningful actions. If you can’t answer a question completely yourself, it’s likely others on your team won’t be able to either. You may not be able to mesh everything into one seamless show in a day, but you can maybe prevent the three-ring circus from running away into a full-on parade.
