Javvad Malik, Security Awareness Advocate at KnowBe4, outlines 7 excellent steps on how we can optimise security today.
optimise: verb (used with object), optimised, optimising.
1. to make as effective, perfect, or useful as possible.
2. to make the best of.
Breaches continue, attacks are on the rise, and people responsible for security wake up in a cold sweat a few times a year worried they are the next victims.
The industry probably won’t be able to agree what “fixing” security actually means, but that doesn’t mean we can’t take steps to optimise security.
Often, in the aftermath of a breach, we find that it was not a lack of tools or information that contributed to the event, but rather that the available resources were not deployed appropriately.
While there is no one-size-fits-all approach, here are seven tips you can use to optimise security today.
1) Start with why
Unless you’re running a security business, chances are security is just a function to support the business. As such, it is crucial to understand what the business is, what actually makes the money, and, therefore, what needs to be protected.
Professionals understand what security is and how it is done, but do they really understand why?
A CIO at a drinks company was once asked what his job was; his response was, “My job is to help the company sell more beer.”
Think about what your security function is doing and whether it’s helping your company sell more beer.
To understand the concept better, it’s useful to watch this TED talk by Simon Sinek.
If we know why – then the how and the what become clearer.
2) Focus on the root cause
Among all the different technologies and methods for countering different threats, it can be easy to overlook the simple step of looking at the root cause: the initial point of entry that bad actors use to get into the organisation.
For example, phishing is a root cause – it can lead to ransomware, other malware, CEO fraud, third party fraud, among others. By focusing on this as a root cause, many potential threats can be addressed.
Complexity is the enemy here, and a silent contributor to many breaches, because it hides the root cause and obscures which controls should be put in place. Simplifying systems is not an easy task – and neither is it one that the security team can do in isolation from the organisation.
But simplifying the security estate is a good starting point. Simply having more tools isn’t the answer, and more data is useless without the ability to make sense of it.
3) Manage alerts
As attacks increase, from both external and internal sources, it is inevitable that things will slip past preventative controls – therefore, threat detection controls need to be put in place. But even in medium-sized enterprises, the number of alerts being generated across multiple systems can quickly become overwhelming.
While it can be tempting to invest a lot into correlating all the logs and wading through the alerts, the alternative is to understand the organisational systems and only turn on alerts for critical activities and systems.
This ties back into understanding root causes and simplifying the overall architecture. Having fewer, but more focused and better-quality alerts can allow organisations to spend more time focusing on the things that really matter.
Honeytokens can help to reduce noise in the environment. When implemented correctly, alerts generated by honeytokens are of high quality and can pinpoint malicious activity.
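As an added illustration of the honeytoken idea (this is example code, not from the article or KnowBe4), the script below plants three constructed decoy values and scans constructed log lines for them; because the values have no legitimate use, every match is a high-confidence alert rather than noise.

```python
"""Honeytoken alerting over constructed log lines (added example, not from the article).

Assumes a plain-text log where each line is '<timestamp> <source> <message>'. The
honeytoken values are constructed placeholders for a fictional environment.
"""
from dataclasses import dataclass

# Constructed honeytokens: values with no legitimate use, so any sighting is a
# high-quality signal. In practice they are seeded into files, databases and configs.
HONEYTOKENS = {
    "canary-user": "svc_backup_legacy",             # dormant account nobody should use
    "canary-api-key": "AKIAHONEYTOKEN0000EXAMPLE",  # fake API key planted in a config file
    "canary-doc": "Q3_payroll_FINAL.xlsx",          # decoy file nobody should open
}

@dataclass
class Alert:
    token_name: str
    source: str
    line: str

def scan_log(lines):
    """Return one Alert per log line that mentions a honeytoken value.

    Matching is exact substring on the planted value; since the values are unique
    and unused by real systems, this yields very few false positives."""
    alerts = []
    for line in lines:
        parts = line.split(" ", 2)
        source = parts[1] if len(parts) > 1 else "unknown"
        for name, value in HONEYTOKENS.items():
            if value in line:
                alerts.append(Alert(name, source, line.strip()))
    return alerts

# Constructed sample log lines: one benign file open, one decoy open, one normal login,
# one attempt against the dormant account, one use of the planted key.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z fileserver01 user=jsmith open path=/share/finance/budget.xlsx",
    "2024-05-01T09:12:41Z fileserver01 user=jsmith open path=/share/finance/Q3_payroll_FINAL.xlsx",
    "2024-05-01T09:13:02Z auth01 login ok user=jsmith src=10.1.4.20",
    "2024-05-01T09:15:17Z auth01 login failed user=svc_backup_legacy src=10.1.9.77",
    "2024-05-01T09:16:00Z apigw01 key=AKIAHONEYTOKEN0000EXAMPLE action=ListBuckets status=403",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[HONEYTOKEN] {a.token_name} seen from {a.source}: {a.line}")
```

Three of the five constructed lines trigger an alert; the two ordinary lines produce nothing, which is the noise reduction the section describes.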
Good system architecture can also help in managing and reducing alerts. For example, designing simple communication flows between components can help identify where traffic is behaving in a non-standard way – such as lateral movement by hackers within your system.
4) Leverage the community
Having limited resources doesn’t necessarily mean resigning yourself to making do. There is a plethora of resources available that can help you maximise the benefit of what you have.
For example, not having a training budget doesn’t mean your staff can’t get trained. YouTube videos and blogs exist that can be accessed for free (or nearly free) on a variety of topics. Alternatively, attending conferences and events can help increase your team’s knowledge.
Many publicly available standards and best practice documents also exist – saving you the time and effort needed to create them yourself.
Finally, a wide array of open source tools are available that can be tailored to meet your organisation’s specific needs.
5) Start marketing
User education and gaining stakeholder support are common challenges that many security departments face. One of the reasons for this is that security departments often try to either sell security, or scare people into compliance.
However, marketing is another way. By marketing security, the intended message can be delivered to the intended audience in a far more impactful way that creates behavioural change over time. Changing behaviours is the key to improving the efficiency of security within an organisation. The better buy-in users and stakeholders have, the less likely they will oppose security initiatives, fall victim to scams, or undertake behaviour that undermines security.
Check out some of the wide range of resources available at KnowBe4.
6) Reduce the impact
When it comes to security, optimising the day-to-day operations is only part of the battle. The real challenge occurs when there is an incident.
Seatbelts, airbags and crumple zones in vehicles don’t stop an accident, but can reduce the impact and increase the chances of passenger survival.
Similarly, security teams can put in place controls and measures to reduce the impact of a breach. For example, architecting systems in a segmented manner can minimise the amount of data a would-be attacker can get hold of.
Sensitive data can also be anonymised where it is not critical, such as in reporting or marketing materials.
Equally, critical components should be designed with tolerance in place, so that they can be rebuilt frequently. For example, a web server left in place for a long period can end up with access to considerable data, so being able to rebuild it cleanly limits what a compromise of it exposes.
Up-front planning can make it easier to recover following a compromise. Laying out a communication plan with employees, partners, shareholders, and customers prior to an event can help minimise mistakes being made in the heat of an incident.
Once all security systems, technologies, and processes have been put in place – it is vital they are tested in order to gain assurance that they are working as designed. Penetration testing or red-team exercises are common practice amongst large enterprises.
In addition to these, smaller tests can be undertaken, often in-house, to check the effectiveness of controls. Copying large amounts of data onto removable media, connecting from non-corporate devices, or incorrectly guessing login details can be easy ways to test if security is operating as intended.
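The three in-house tests named above only give assurance if someone checks that the corresponding detections actually fired. The following added example (not from the article) models that check: constructed events for each test are run through three simple detection rules, and the result is compared with the alerts the test plan expected, so a control that stayed silent shows up as a FAIL. The device inventory, thresholds and event format are assumptions for a fictional environment.

```python
"""Verifying that detection controls fire for small in-house control tests
(added example, not from the article). Events, thresholds and the device
inventory are constructed assumptions for a fictional environment.
"""
from collections import Counter

CORPORATE_DEVICES = {"LT-0042", "LT-0107", "WS-0311"}  # constructed asset inventory
FAILED_LOGIN_THRESHOLD = 5      # failures per user before alerting (assumed policy)
REMOVABLE_COPY_LIMIT_MB = 500   # assumed limit for copies to removable media

def rule_failed_logins(events):
    """Users with at least FAILED_LOGIN_THRESHOLD failed logins in the event set."""
    fails = Counter(e["user"] for e in events if e["type"] == "login" and not e["ok"])
    return {u for u, n in fails.items() if n >= FAILED_LOGIN_THRESHOLD}

def rule_removable_media(events):
    """Users who copied more than the limit onto removable media."""
    return {e["user"] for e in events
            if e["type"] == "copy" and e["dest"] == "removable"
            and e["mb"] >= REMOVABLE_COPY_LIMIT_MB}

def rule_non_corporate_device(events):
    """Users who logged in successfully from a device not in the inventory."""
    return {e["user"] for e in events
            if e["type"] == "login" and e["ok"] and e["device"] not in CORPORATE_DEVICES}

RULES = {"failed_logins": rule_failed_logins,
         "removable_media": rule_removable_media,
         "non_corporate_device": rule_non_corporate_device}

def run_control_tests(events, expected):
    """Run every rule and compare its alerts with what the test plan expects.

    Returns {rule_name: 'PASS' | 'FAIL'}; a control that did not fire is a FAIL
    rather than a silently missing alert."""
    return {name: ("PASS" if rule(events) == expected[name] else "FAIL")
            for name, rule in RULES.items()}

# Constructed events for one test run: six bad guesses then a good login,
# a large copy to USB plus a large copy to a network share, and a personal laptop.
TEST_EVENTS = (
    [{"type": "login", "user": "tester1", "ok": False, "device": "LT-0042"}] * 6
    + [{"type": "login", "user": "tester1", "ok": True, "device": "LT-0042"}]
    + [{"type": "copy", "user": "tester2", "dest": "removable", "mb": 2048}]
    + [{"type": "copy", "user": "tester2", "dest": "share", "mb": 9000}]
    + [{"type": "login", "user": "tester3", "ok": True, "device": "PERSONAL-MBP"}]
)
EXPECTED_ALERTS = {"failed_logins": {"tester1"},
                   "removable_media": {"tester2"},
                   "non_corporate_device": {"tester3"}}

if __name__ == "__main__":
    for rule, result in run_control_tests(TEST_EVENTS, EXPECTED_ALERTS).items():
        print(f"{rule:22s} {result}")
```

Running the same check with only four failed guesses shows the other side of the assurance question: the rule correctly stays quiet below its threshold, and the harness reports that the expected alert did not arrive.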