With overall responsibility for enterprise security, the CISO has a lot on their plate to meet the challenge of creating an effective and intelligent cyber security strategy.
One of the first things they will do when they start with a new organisation is to check whether “the basics” are in place. These are the SANS Top 20 foundational controls that serve two fundamental purposes.
Inherent defence against commodity threats and easier cyber security analytics
These basics ensure the level of hygiene is fit for keeping commodity threats at bay, as well as much of the noise that security operations teams have to deal with when establishing root cause of an incident. Good hygiene will also ensure that clean data is ingested when creating a data lake.
Common issues that make the cyber security picture unclear and incomplete
Outdated and inappropriate asset inventories
It is difficult to carry out an effective cyber security risk assessment without the SANS Top 20 controls being in place. CISOs will often discover murky waters and gaps in their visibility when they try to assess the state of hygiene across their estate.
Asset inventories have often been put together to serve IT operations rather than cyber security risk assessment, and they are sometimes out of date with information missing. Without that one “golden source” as a reference to the devices and applications within the organisation, it is impossible to fully grasp or control risk.
Prevention is better than cure. The SANS 20 basics are there to make it easy to assess cyber security health and, subsequently, to create an appropriate cyber security strategy.
Incomplete knowledge of the scope and effectiveness of installed malware protection
Even if the CISO does know which anti-virus solution has been purchased, they may not be fully aware of the software’s coverage, how well it performs (for example, whether it is scanning and updating in line with expectations), or how consistent its performance is across different assets.
Access management – who has access to what information and is it justified?
A CISO should be able to establish who has what access within the different Active Directory groups. However, finding out who actually needs the access they have, why they have it and how often they use it, or when and why they last accessed it, is a different task entirely. An enormous task.
Keeping up-to-date records that deliver this kind of information at a glance should be an essential part of any organisation’s cyber security strategy. Enterprise security is only as effective as the procedures and structures in place to make it work.
Effectively prioritising updates and patch management
Vulnerability and patch management is an ongoing and continuous process. It’s important to ensure that the right issues are being prioritised to mitigate the risks that matter most, and that time isn’t being wasted on patching certain vulnerabilities when more appropriate action could be taken – such as removing software or decommissioning servers.
Effective cyber security strategy means paying the most attention to the most serious risk.
Security is often dependent on people who are already overworked. A busy IT operations team, who already have a mountain of work to do rolling out software, testing and applying patches or administering access, may see security hygiene as just another addition to their very long task list.
Of course, the thing about hygiene is that it is easy to be complacent and you don’t necessarily see the problem until something goes wrong and an incident takes place. Then you discover that the root cause was a risk that standard good hygiene would have taken care of.
CxOs need insights into tangible risks and consequences
Just being aware that there are significant problems across the CIO’s estate is not enough without being able to explain what the potential impact could be, why the CxO they are reporting to should worry, or even the best way to address the problem.
Without up-to-date asset management, how can security measure risk to critical assets due to vulnerability and control gaps?
Without the details that good hygiene makes easier to get a handle on, it is difficult to paint a proper picture or effectively communicate the material risk to CxOs.
Good hygiene sets the foundation for the application of effective advanced analytics
In an article published in Infosecurity Magazine, Panaseer’s CEO Nik Whitfield explains more about good hygiene and big data analytics.
The bottom line is that however wonderful our turbo-power machine-learning predictive analytics are, we should never take our eyes off the importance and implementation of the basics of good hygiene. It is these fundamentals that help guide our overall cyber security strategy.