Establishing and maintaining effective IT security controls continues to be a riddle that many organizations are challenged to solve. Let’s face it, protecting company data is almost impossible given the ubiquity of technology services (anytime, anywhere access), complexity of technology stacks, evolving technology within the stack (e.g., Software Defined Networks), and variety of players in the IT supply chain (public cloud, private cloud, etc.).
Adding to this problem is the crutch that organizations rely on to achieve security. I’m referring to certifications such as ISO 27001 and PCI. Certifications help to ensure the minimum practices are in place to protect data within the organization. However, they don’t give an assurance the organization has the “right” level of security implemented throughout the organization. How many ISO 27001 or PCI (pick your certification) certified organizations have experienced a breach? Many of them.
Certifications are helpful to achieving a certain level of security but it doesn’t mean you are secure – certifications and security are a false equivalent. I’m not advocating the abolishment of certifications, not at all. I am advocating that certifications should be used in the right way – a starting point rather than end point in security.
How do you solve the security riddle? The first step in the process is to understand there is no silver bullet. Protecting company data is extremely challenging and requires a lot of hard work to stay ahead of threats.
The prerequisite for effective security services is the right culture. The desired culture is one that understands business risk tolerance, business processes, user community, and technology environment before applying the right controls to protect data throughout its life cycle. Effective security requires a focus in five key areas:
Inventory & Baseline
Effective security requires an understanding of the data processed and stored within the environment. The key is understanding where sensitive data resides, how it’s used, and the technology environment that transmits, processes, and stores it. Additionally, a baseline of normal behavior should be established. This can be really difficult to accomplish because the environment is continually changing. Suppliers (i.e., Crowdstrike) are delivering solutions that incorporate machine learning to detect abnormal behavior that may be an IOA (Indicator of Attack) or IOC (Indicator of Compromise). Over time, detecting abnormal behavior will become easier.
Governance
Business risk tolerance and scope of sensitive data sets the stage for governance. This information is used to establish the right policies, standards, principles, and guidelines needed to provide the right controls (technology and process) needed to protect data. Additionally, metrics must be defined to measure the effective of security controls and adjust as needed.
Governance also includes effective third party management to ensure partners are handling data in accordance with company policies. This is an important issue in today’s highly outsourced IT environment.
Protection
Protection focuses on the security controls needed to maintain the confidentiality and integrity of data. The security policies, standards, and principles guide the design of security controls needed to protect the technology stack from threats. Maintaining effective security controls is extremely challenging because the technology landscape and business it serves is dynamic.
Monitoring/Detection
Continuous monitoring of system activity throughout the technology stack is needed to detect attacks and compromise of systems. The key to effective monitoring and detection is thoughtful implementation and management of Security Information and Event Management (SIEM) that leverages intelligence feeds and environment data to correlate data and enrich events. Security incident management processes must be optimized and well-documented.
Threat hunting must complement automated tools to provide more comprehensive threat management. Experienced security personnel are needed to investigate activity to determine if it’s malicious or benign.
Response
Establishing processes needed to efficiently respond to security incidents is critical. Organizations must implement security incident response processes that ensure timely containment, communication, and remediation of attacks or breaches. Additionally, forensic processes and procedures are needed to perform detailed investigations and determine attribution.
Granted, there’s a lot of detail that must be tackled in each of the areas highlighted above. The key is understanding the areas that must be addressed to ensure security is executed in a thoughtful, holistic manner. The solution to the riddle will be the establishment of a clear security strategy that promotes the right approach to data protection. Ultimately, the final outcome is a reduction in breach occurrences, and timely detection and remediation should a breach occur.
