A Holistic and Risk-based Approach to Cybersecurity
Approaches to Cybersecurity:
One must be cautious in approaching today’s security; hackers-for-hire groups exist and operate globally around the clock. A dark web exists beneath “the surface Web”, an environment which allows malicious hackers to plan and operate. They’ve malware and other malicious tools at their disposal which are offered as a SaaS (Software-as-a-Service).
A number of recent high-profile data breaches prove that even the most secure organizations which have applied layered security approach and protected their perimeter well were not immune to data breaches. This brings us to the following question: “Is this architecture still efficient to protect valuable data?”
Defense-in-depth is a very good security practice. Unfortunately, this approach alone will not produce a secure network. We must leave this mentality in the past, and adapt a holistic and risk-based approach in order to build a proper cybersecurity strategy. Traditional threats when unsuccessful would simply move on to a less secure system. Today’s hackers are more persistent and shall keep prodding until they find a way to exploit a vulnerability.
Historically, organizations spent most of their time, money and resources protecting the perimeter in order to protect against security breaches. At the same time, they would not be able to tell you where their perimeter ends as it extends far beyond a manageable point. The reasons for this include the cloud services, BOYD, Internet of Things (IoT), outsourcing, API’s, integration with third party applications, remote employees, etc. This new trend shifts the focus from perimeter security to a holistic and risk-based approach. If we add the threat of insiders to this equation, who by the way are responsible for up to almost 50% of all data losses, we realize that it’s no longer as simple as building higher walls along the defensive “castle.”
What is this holistic and risk-based approach to cybersecurity? It is an approach that integrates with critical business functions across the entire organization in order to identify, prioritize and manage the risk. This approach is instrumental towards the creation of a strategy that continuously adapts to new methods and techniques that may be deployed by the threat actors. A holistic and risk-based approach incorporates the following factors:
- Human - The human factor is typically the weakest link in the cybersecurity chain. You can have all the security tools in place, but what happens if an employee opens a phishing email with a malicious payload which bypasses all your security layers and controls? Tools only enable the security capabilities; tools alone do not make an organization secure. Organizations must build a proper security awareness and training program that changes the users’ behavior.
- Documentation - In several high-profile data breaches, organizations had cybersecurity program in place, but failed to follow the established processes. For example, does your organization have a process in place on how to respond to a zero-day vulnerability that gets announced? How about a cryptography standard that does not approve usage of obsolete and insecure protocols such as SSLv2 and SSLv3? Does your organization have an Information Security policy in place? Does your organization enforce these policies?
- Business Processes – Organizations must identify critical business processes that are the most important for the company success. Once these processes are identified, risks can, therefore, be discovered and evaluated.
- Data – Where does your data reside? Is it properly classified? What access controls do you have surrounding your data? Is it necessary to store it? Do you store any PII? Those us are just some of the questions to ask yourself when dealing with your data. I often hear the following statement: “We don’t have data that would be valuable to anyone.” This is not only a false statement; it is a dangerous one. There is someone out there who will find your data very valuable. After all, an organization might be compromised in order for their servers to be used for the bitcoin mining.
- Technology - Even the best and most expensive technological solutions can be very ineffective by improper maintenance. For example, implementing an expensive SIEM and IDS solution without tuning it is a very ineffective way to detect intrusions. I have seen organizations where they would deal with 10,000+ IDS alerts a day due to the improper tuning of their solution. They believed all were false positives. Additionally, organizations should think more about user behavior analytics capabilities versus adding a third layer of firewalls. Hackers love privilege accounts.
- Physical – Organizations should not look at cybersecurity and physical security as two separate things. Physical security must be incorporated in overall cybersecurity plan. A proper security strategy must include both physical and logical protection.
A holistic and risk-based approach to cybersecurity ultimately ensures that your entire organization is capable of detection, prevention, and correction of cybersecurity threats and vulnerabilities. Additionally, it continuously evaluates the capability of current security controls that are in place. This approach ensures that organization truly understands its data (how this data is created, stored, and transmitted across the entire organization). Once you understand your critical assets (anything of value to your organization – hardware, software, data, people, documentation) and your critical business processes, then it is the right time to properly protect these assets based upon the true value, risk, and exposure to particular threats. This philosophy will also help you reduce the risk surface versus adding additional security tools and capabilities to the stack. Your organization might have a legacy system in place that while powered off, the database still has customer data on it. Why not destroy this data and completely decommission this server? This automatically reduces the attack surface. Even a powered off system poses a risk. This affects not only from the physical perspective, but the system could be remotely powered on if it has out-of-band management capabilities enabled.
So, are there security frameworks that will guide you to establish a holistic and risk-based information security program? Yes. The NIST released a Cybersecurity Framework in 2014 that takes a holistic and risk-based approach to cybersecurity. The Cybersecurity Framework is organized into five functions:
- Identify – Identify your assets and understand how to manage cybersecurity risk.
- Protect – Implement appropriate controls and safeguards.
- Detect – Develop capabilities to detect security events and incidents.
- Respond – Develop a plan on how to respond to security events and incidents.
- Recover – Develop a plan to restore any services that were impacted by cybersecurity incident.
Cybersecurity program that follows holistic and risk-based approach ensures the following:
· Cybersecurity governance
· Executive/leadership support
· Defined roles and responsibilities
· Least privilege
· Creation of processes, policies, and standards
· Inventory of all your assets
· Risk identification and remediation
· Proper identification and protection of your ‘crown jewels’
· Alignment between the business processes and security
· Employees that do not fear to say “no” when suspect social engineering
· Quick response to security events and incidents
· Quick containment of an incident and recovery
· Continuous adaptation to the threat landscape
· Security baseline for the entire environment
· Risk appetite/tolerance
The bottom line is that we must have a home-court advantage over the guys that are trying to break into our systems. We cannot allow them to have a better understanding of our own environment. They can afford the luxury to make as many mistakes as they want; one mistake on our end could lead to a data compromise. In this digital era, we must apply a “Breach will eventually happen” principle, and focus on a holistic cybersecurity approach in order to detect and contain a possible breach as soon as possible.
And remember, if a particular asset is business critical, it will require more security controls surrounding it, as opposed to an asset that is not business critical. Risks are lurking from the most unexpected corners – apply a holistic and risk-based approach to discover them. Cybersecurity evolves daily – do not assume that controls that were protecting you yesterday, will protect you today or tomorrow.