In my previous blog post titled “‘You Want Me to Do What?’ A Guide to Interpreting Cybersecurity Recommendations”, we discussed various pitfalls related to interpreting and implementing cybersecurity recommendations. One of the key points at the end of that discussion was a need to address all recommendations as they relate to your overall security roadmap. If you asked yourself “what roadmap?”, then this blog post is for you.
In addition to providing you with the high-level guidance you should be using to develop a security roadmap, we also want to highlight the disconnect between assumed reality and actual reality as it relates to the controls and defenses that can be derived from tools, engagements, and resources. It is this latter objective that we’ll start with.
Technology – “Not Intended for Shelf Usage”
One of the most common weaknesses we observe in organizations is the misuse of technology that has already been purchased. In many cases, an executive team may achieve a sense of security simply by knowing that a new and promising security tool has been purchased. There are a few things wrong with this.
First, the purchase of a tool in itself does not mean it has been implemented. Depending on the tool, it may take upwards of two years to fully implement the technology. Part of the delay is typically associated with customizing the tool to an organization’s unique environment. This means creating custom rules, defining the acceptable level of false positives, and even gaining buy-in from necessary departments within the organization. Additionally, some organizations encounter pushback and other cultural challenges during technology implementations that could slow down the process.
As though this weren’t enough, in large organizations, it’s even possible that tools purchased in the past still remain on the shelf without ever being implemented. These tools are placed on the roadmap, but funding for implementation may be delayed. Alternatively, a newer, better technology may be purchased that removes the desire for the previous tool. While the impact in terms of money lost is less for organizations with a large security budget, the gap in actual security that results could be even more crippling.
Resources – “People Doing All the Things”
If you’ve successfully identified the tools you need to secure your environment, the underlying question you should be asking yourself is whether you actually have the staff to support those tools. Vendors always have a way of making their tools look effortless to run and maintain. Often, however, these functions require constant attention from dedicated resources.
Consider for a moment whether your security team is fully utilizing the tools you already have. Even the best-in-class technologies can be easily bypassed if they’re not configured and maintained. A firewall on your network is nothing more than a pass-through point unless the rule set and ACLs are defined. Similarly, IPS devices, DLP solutions, and any other tool in your repertoire require hand-holding. Beyond the initial setup, someone also needs to be looking at the resulting alerts and logs to determine where “badness” lives.
If your team is struggling to keep up with this management and review process, adding another tool to the toolbox is likely going to result in a reduced capability across the program. You can run ten tools in an inefficient manner or you can expertly run five tools at maximum capacity. We would argue that there’s more value in knowing you have the intended security from those five tools than from having a false sense of security inherent in running non-optimized tools.
Recommendations – “Just Add it to the Pile”
Now that you’ve realized the need for additional technology or resources, how do you choose between the various options recommended by your internal teams and vendors alike? Managing the ever-growing list of recommendations can be overwhelming. Knowing what to prioritize over something else is often left to the judgment of a few individuals in charge of the security budget. Even worse, sometimes projects get prioritized in response to the latest threat. While that threat might be top of mind for you and others in the public eye, prioritization should really be based on what is actually your highest priority. Performing cost-benefit analysis can be helpful, but this is not always easy to perform when it comes to security.
Part of this issue goes back to your security plan – or lack thereof. Many organizations define a security plan for the future and identify the associated budget required to fund those activities. So when something new pops up, you can’t just throw it into the schedule and there’s certainly not any free money lying around to get it done. How then do you make any progress on items that become your new top priority?
Remedying the Situation – Your Security Roadmap
CrowdStrike subscribes to a philosophy that places emphasis on a three-tiered approach to security. This philosophy is consistent within many security frameworks, including those taught in the SANS Institute Cyber Defense Curriculum. The basic strategy is simple and requires answers to the following questions:
- What is your most critical data and where is it stored?
- What are the biggest threats and risks to that data?
- Within your environment, what vulnerabilities would allow those risks to be realized?
Once you’ve outlined this basic approach, you can start to build a security plan that focuses on the right things. You’ll never have a fully secure environment as the threats and vulnerabilities are constantly changing, but by utilizing this philosophy, you’re protecting your crown jewels above all else.
This process is not something that you should do once and forget, however. Again, we believe that SANS has it right with the following approach to Operational Security:
1. Identify or redefine your most critical data and assets (Every 6 months)
2. Identify and assess your risks and threats to the most critical data (Every 2-3 months)
3. Review and validate vulnerabilities in your critical assets that these risks expose (Every month)
4. Determine if the risks outweigh the costs of remediation (Every day)
5. Identify and implement associated mitigations for the highest unacceptable risks (Every day)
Steps one and two are things that are unique to your organization. Take a look at your crown jewels – the things that, if they were exposed or compromised, would cause the most pain to your organization. Then determine what threats exist against these assets and data.
From step three on, it’s important to pull in additional data sources. Vulnerabilities are often observed in the wild (e.g., zero-days) or through assessments or scans of your environment (e.g., insecure configurations).
Step four is where mature organizations truly start to shine. It’s not enough to know the risks. It’s not enough to understand the costs. The value in a risk vs. benefit analysis comes from defining your return on security investment. It’s always going to be difficult to put a dollar value on security because it inherently does not create revenue. The potential prevented monetary loss is also difficult to estimate. So make sure you’re considering what your biggest risks are and balancing them against your critical assets and data. Just because there’s a big risk doesn’t mean it needs to jump to the front of your list. Alternatively, a small gap in the security around your PII or credit card database may require immediate attention.
Now that you’ve defined your priorities (and updated your security plan accordingly), you need to determine what the most appropriate steps are to remediate. This again goes back to the idea of risk and value. There are often many ways to remediate a risk, but not all responses carry the same cost or coverage. Consider the countermeasures that are the most realistic for your organization. Leverage the tools you have, the skill set of your resources, and the relationships you have with your vendors.
This fifth step also feeds into your decision-making process. Your spend on tools should be aligned with the steps you need to take to protect your most critical assets, but also keep in mind that you want to be able to support those tools to the fullest extent. One of the toughest things for security teams to do is to turn down money for a new shiny tool, but in some instances, that is the right approach. If the supporting team is not there, you may be left with just that – a shiny box on the rack.
When all of these steps are followed, you will be well on your way to developing a more mature security program. You’ll also have a framework to continuously update your security plan to reprioritize recommendations, projects, and initiatives.
If you don’t have enough people to run tools and perform security tasks, don’t take extra money to buy more tools without first increasing your workforce. Eliminating this disconnect and ensuring that there is a realistic view of your organization’s maturity level is essential to protecting yourself in this adversarial environment. Our CrowdStrike Services team has helped organizations define their maturity level and develop security plans to better protect critical assets, and has assisted in the execution of these plans into the future. Reach out to us at Services@CrowdStrike.com if you’re interested in hearing how we can help.