We’ve all been there. As Chief Information Security Officer (CISO), your team, your management, and your board are all clamoring for your time. Not to mention the dozens of items calling you from your inbox and notification dashboards that all are demanding your immediate attention. The threat landscape is rapidly changing, with warnings being issued by government agencies about nation-state grade attacks coming out of a European war zone.
It can be incredibly overwhelming, and sometimes the only thing you can do to stay sane is turn off your monitor to clear your head for a few minutes, so you can get back to it with fresh eyes.
If you’re at that moment, here are ideas on organizing and knocking out your biggest threats. Because no matter how imposing they appear when they keep you up at night, you know you are your company’s best hope at keeping your organization and its assets secure.
Should You Update Cyber Defense Plan?
While this may seem incredibly obvious and at the core of the Chief Information Security Officer’s job description, we continuously speak to CISOs who are not satisfied with their cyber defense plans and strategies, finding them to be outdated before long. The variables of the plan are constantly changing, such as the organization’s threat landscape, its business needs, and risk tolerance, not to mention an increase in the number of cyber threats and in the sophistication of cyberattack tools.
CISOs are dealing with an influx of intelligence, piles of data coming from risk registers, risk assessments, simulations, etc., out of which they must craft their plans, strategies, and priorities. Having a cohesive defense plan with clear priorities is the best and most basic practice, and it will include the following best practices mentioned here.
As a preliminary step, it is important to have risk assessments performed to help prioritize security spending and make sure that the security apparatus supports the company’s business needs.
Look for Security by Design
Security by design (SBD) is a targeted approach to reducing cyber risk, introducing security and compliance concerns proactively (rather than waiting for cyber incidents to promote action) to prevent breaches from occurring. Outlining specific plans, tools and strategies allows security teams to allocate the appropriate budgets, human resources, and time to manage them on a company-wide basis.
SBD is particularly useful for companies while configuring security implementations and for developing software. Cloud technology helps to automate auditing processes and enforce security policies, freeing up security personnel to handle other, more critical tasks.
Most CISOs have multiple security assets in place, with significant overlap. A byproduct of that is an unending stream of false positives that demand immediate attention. As a bonus, many of the systems in place don’t integrate well with one another, leaving vulnerabilities that threat actors are looking to exploit.
Rethinking the approach to cybersecurity means creating a cohesive network of security tools that work and hold together. This unified new fence is essential to establishing control over every part of the company’s edge and must span the network to detect threats and enforce corporate policy. The different tools need to share threat intelligence across defenses, while also sharing data with SIEM, SOAR, and SOC tools.
This tightly integrated approach to security will provide broad visibility and control. Reducing the complexity of the security apparatus should cut back on the noise emanating from false positives and put the network in a better position to identify and mitigate existing and new cyber risks.
Add Defense in Depth – A Layered Approach
Defense in depth means that the company’s assets are protected by a robust and layered cybersecurity infrastructure.
The OSI model’s seven layers of defense are the: human layer, perimeter layer, network layer, endpoint layer, application layer, data layer, and mission-critical layer. Each layer includes a section of network communication, from someone moving their mouse to the data a system uses for software programs.
With this layered approach, multiple security controls are deployed to protect digital assets and company data, to ensure that the different areas of the defense plan all have backups to handle gaps that may exist within each component on its own. When implemented together, the security layers are designed to strengthen the company’s defenses.
This approach aligns with the NIST best practices (National Institute of Standards and Technology Cyber Security Framework) because the layers should help in identifying and protecting organizations from cyber threats, detect when cyber offenders have breached defenses, and position the organization for the best possible scenario if and when its defenses are breached.
This does not mean that a company should go out and purchase any new technology that comes out. In consideration of the previous two sections, a designed layered approach will provide measures to make attacks more difficult and hassle rich.
Least Privilege
Least Privilege is an administrative practice that grants users and applications the bare minimum access privileges required to perform their jobs. Users are restricted from accessing resources that are not directly associated with their role. Your software developer doesn’t require access to the entire customer database.
Typically, security professionals group users and applications based on their function in an organization, applying a general set of rules to all group members. If anyone requires permission outside of their regular functions, additional privileges are added individually and should be removed immediately when the projects are completed. Leaving unnecessary privileges results in “privilege escalation” which could occur as employees receive escalated privileges to work on certain projects. Unfortunately, this employee access could be leveraged by cyber offenders to penetrate sensitive areas of the organization’s network.
Companies working on building a security plan from scratch would be well advised to establish Least Privilege from day one. For organizations that are operational and do not have a good record of which privileges their users have, the first step is to conduct an audit to determine permissions and the second is to implement Least Privilege, separating user groups and user accounts. Audits should be held regularly to prevent potential risks of privilege escalation.
Zero Trust
Zero Trust is a security approach that says, “never trust, always verify.” It means that nobody gets to roam freely around the company network. Each user/application must be authenticated and authorized before gaining access to endpoints, data, and other resources. Authentication could be a username with a password combination, but this cannot be the only verification method. Multifactor authentication (MFA) is commonly used to authenticate users and applications are authenticated via servers.
To maintain security, teams should monitor company networks and track user activity, especially in areas containing sensitive data. By applying SIEM and SOAR, CISOs can leverage artificial intelligence and machine learning to recognize normal system activities versus anomalous behaviors. Anomalies should then create alerts for the security team to investigate.
Additionally, user activity should be analyzed to ensure that employees are operating within the permissions of their roles. Should anything appear out of the ordinary, it could potentially be a compromised account and an attempted breach.
If the organization already has matured architecture, applying Zero Trust should be a gradual process. The team should first identify and outline all resources residing on the network and which require the most protection, starting with the organization’s critical data. Using Zero Trust authentication should improve monitoring and logging systems to record network and user activity for analysis.
It is important to note that parallel to these action items, at HolistiCyber we practice ensuring that authentication and monitoring protocols do not interfere with business operations and productivity. This should never be “the last step” but rather a constant effort by security teams.
Secure Your Weakest Flank
Employees are highly susceptible to phishing attacks, which are increasing by the day in both their volume and sophistication. Deloitte reported that 91% of cyberattacks emanate from email, making this an important vulnerability to close. In the immediate aftermath of an employee giving away an account username and password, there is little that can be done if it’s not reported.
Microsoft 365 and Google Workplace both have security tools in place, but numerous phishing attempts reach their intended target. Once there, it can be difficult for employees to tell the difference between a spoofed site and a legit one.
Adding in Domain-based Message Authentication, Reporting, and Conformance (DMARC) into your security protocol will put better safeguards in place. It authenticates email by aligning SPF and DKIM mechanisms and keeps these dangerous emails out of the hands of employees.
Protect Against Remote Work Threats
Six months after the pandemic started, a Netwrix survey found that 85% of CISOs sacrificed cybersecurity to enable remote work. Many viewed remote and work-from-home (WFH) work as temporary, but two years later, it’s clear that WFH and remote work are here to stay.
CISOs need to prioritize WFH and find remote work solutions that aren’t perceived as a hindrance by employees. For example, CISOs should require employees to use work-issued computers to log into the network. These computers can be configured with security best practices built-in, such as requiring password changes every 90 days, MFA and SSO to access corporate applications, and only allowing employees to save files on the company’s cloud storage account. Combining these techniques with security training and the above-mentioned practices will help increase the overall security of the network.
Get Help
Help includes both human professionals and technology. Unfortunately, there is an ongoing shortage of experienced cybersecurity professionals on the market. CISOs are having to train their new hires but it is advisable to outsource professional services for particular areas of expertise where those are needed.
As far as technology is concerned, it is important to focus on threat prioritization and cross-product integrations to optimize the use of limited staff and take advantage of automation and orchestration solutions.
Apply Nation-State Grade Expertise to Your Defense Stack
Over the last decade, sophisticated nation-state grade cyber attack tools have become easily downloadable on the darknet for inexpensive prices, including NSA and CIA hacking tools. With such simple availability, many cyber offenders can pull off clever breaches to any type of organization, turning any enterprise into a potential target for a nation-state grade cyber attack.
With the influx of such attacks, CISOs should develop defense plans that can protect their company assets and prevent catastrophic consequences. This will mean applying a combination of strategies and analyzing risks based on attackers’ potential motivations and tactics.
Setting Your Company Up for Success
Security teams must work alongside the business’ goals, workflows, and risk tolerance. This requires CISOs to look at their security stack from a holistic point of view, to be sure that all the larger company goals are being met both efficiently and securely.
With WFH and increased attack sophistication here to stay, CISOs need to develop security plans that account for all these factors. Developing a strong defense plan with clear priorities and communicating effectively with business teams can go a long way toward aligning business needs with security requirements.
Now is the time for organizations to evaluate their security posture, make the necessary improvements, and better prepare for any potential attacks. The topics discussed here can serve as a roadmap to creating new cybersecurity plans or as a basis to gradually mature existing security programs.
Most importantly, keeping the organization’s strategy updated will significantly improve its security posture in the long run.
Getting Back to Work with Fresh Eyes
Have you taken a deep breath? We know that there is a lot of work to be done, but we know that once you set your defense plan up and continuously update it, your organization will be able to handle today’s cyber threats in a more efficient and effective way.