Cybersecurity professionals need to be fairly agile to maintain the juggling act between preventing a breach, staying compliant and keeping costs manageable. Many organizations struggle to focus on security, or to raise the maturity level of their existing security program, as the frequency of attacks increases.
Disruptive factors such as the shift to cloud, mobile, and social media increase the complexity of the environment. Security programs must adapt, because these shifts are business transformation and leadership views these technologies as imperative. It is important to remember that even as the complexity of the environment increases, we still need to focus on the basics.
Know your Network!
The “Know Your Network” mantra has probably been around since the adoption of Ethernet, maybe longer. But the premise still holds true; regardless of whether your data is in your server room, in a remote site or in the cloud, we still need to understand what the data is, what the sensitivity level is, who has access to it and how it flows. The Mandiant 2016 M-Trends report tells us that the average time to detect a breach is 146 days, which is down from 205 days in 2015.
Could we shorten the detection cycle even further simply by understanding where our data is stored and how it flows, and then looking for anomalies? Most compliance frameworks, and a tenet of security best practice, state that we should be conducting continuous risk management through periodic assessments, especially when the environment changes. Have you examined your changing risk posture lately?
Effective risk management can also help determine the best use of resources, such as staffing, money, and professional services. And remember, it's important to report these findings in the form of metrics or scorecards to leadership.
Shameless Plug: Look for an upcoming blog post about creating effective security metrics!
Integrate Security Awareness into Your Culture
While security awareness may not seem like a security basic, it is an easy win for a security program. It is important to instill a sense of ownership of data security across the organization.
The majority of successful attacks against companies and organizations leverage some type of social engineering such as phishing. Because of this, the return on investment of a good security awareness program is high, and in some cases considerably higher than other security controls. Security awareness is also a requirement of most compliance frameworks.
To improve the effectiveness and ROI of any security awareness program, focus on helping employees retain and use the information. Training should be consistently reinforced with emails, posters, screensavers, and even fortune cookies! If you make it fun, chances are they’ll remember it.
Integrated Data Protection
There is an old adage that security should be layered like an onion. While the onion model of cybersecurity has evolved quite a bit, the premise still holds true. Perimeter security controls such as firewalls and intrusion detection devices are the first, and tend to be the strongest, layer.
However, clever hackers understand that trying to hack a firewall is generally unproductive, and that it’s much easier to hack the humans on the inside of the network through social engineering techniques like phishing. This is why it’s important to add security controls to the inside such as network segmentation and endpoint protection. Some of the most popular tools for this include Cisco AMP for endpoint security, and Cisco Stealthwatch, which actually digests and analyzes flow data for a comprehensive view of the network.
Where possible, consider utilizing tools that can communicate with each other. For example, if malware is detected on an endpoint, the malware signature and characteristics can be shared with the firewall (Cisco ASA with Firepower), the email gateway (ESA), and the web filter (WSA) to dynamically strengthen multiple layers of defense.
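The "Know Your Network" point above and the flow-data analysis just mentioned come down to the same defensive idea: baseline which hosts talk to which peers, then flag deviations. The following is an added example (not code from this post, Cisco, or any product) that does this over constructed flow records; the record layout, hosts and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, bytes); not real traffic.
# BASELINE represents a learning window of known-good activity.
BASELINE = [
    ("10.1.1.10", "10.1.2.5", 443, 1200),
    ("10.1.1.10", "10.1.2.5", 443, 1500),
    ("10.1.1.10", "10.1.2.9", 53, 80),
    ("10.1.1.10", "10.1.2.5", 443, 1100),
    ("10.1.1.11", "10.1.2.5", 443, 900),
    ("10.1.1.11", "10.1.2.9", 53, 90),
]
# CURRENT represents the window being reviewed.
CURRENT = [
    ("10.1.1.10", "10.1.2.5", 443, 1300),      # matches baseline
    ("10.1.1.10", "203.0.113.7", 8080, 500),   # peer/port never seen for this host
    ("10.1.1.11", "10.1.2.5", 443, 90000),     # known peer, but volume far above baseline
]

def build_baseline(flows):
    """Per source host: the set of (dst, port) peers and the byte counts observed."""
    peers = defaultdict(set)
    volumes = defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        volumes[src].append(nbytes)
    return peers, volumes

def find_anomalies(baseline_flows, current_flows, volume_factor=10):
    """Return (src, reason) alerts for flows that deviate from the baseline.

    A flow is flagged when its source host was never seen, when it talks to a
    (dst, port) pair the host never used before, or when its byte count exceeds
    volume_factor times the largest flow that host produced in the baseline.
    """
    peers, volumes = build_baseline(baseline_flows)
    alerts = []
    for src, dst, port, nbytes in current_flows:
        if src not in peers:
            alerts.append((src, "unknown source host"))
            continue
        if (dst, port) not in peers[src]:
            alerts.append((src, f"new peer {dst}:{port}"))
        if nbytes > volume_factor * max(volumes[src]):
            alerts.append((src, f"volume {nbytes} exceeds baseline"))
    return alerts

if __name__ == "__main__":
    for host, reason in find_anomalies(BASELINE, CURRENT):
        print(f"ALERT {host}: {reason}")
```

In practice the baseline would be built from days of exported flow data and refreshed as the environment changes, which is exactly the periodic reassessment the post calls for.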
To learn more about risk assessments, employee awareness training or modern security architecture and tools, be sure to reach out to our Security Team. We’ll be happy to talk with you more about Pragmatic Security.
About the Author:
Jason Smith is an IT Security and Compliance Consultant at Internetwork Engineering. Jason has several years of experience in IT, IT Security, and Compliance. He has worked in retail, government contracting, telecom, state and local government, and banking to ensure secure and compliant environments. Jason is a graduate of Western Carolina University (BS – Criminal Justice) and East Carolina University (MS – Technology Systems-Information Security).