Cybersecurity Blog: The Cyber Scene is evolving, are you?


Need to improve your company’s cybersecurity? A myriad of vendors and thought leaders are ready to sell their products or ideas to do just that. What you don’t usually hear is how some of these technologies or practices might not be as effective as you’re led to believe. Working in systems engineering, as well as having run red team and blue team assessments for some of the world’s largest companies, I’ve observed four common practices that contribute to sophisticated corporations being lulled into a false sense of cybersecurity.

1. Approach Cybersecurity as a Compliance Exercise

Regulators’ increased focus on cyber risks and controls has created many requirements for protecting networks and data. To show compliance, organizations must regularly update policies and procedures, and test controls for effectiveness. Once these requirements are met, many organizations feel they are well-protected against cyber threats. In fact, in a global poll of more than 1,000 security executives, 64 percent believe compliance to be a "very" or "extremely" effective strategy in staving off data breaches.

Unfortunately, checking a box to prove a certain tool, setting, or process is in place does not address the ever-growing cyber threat landscape. If cyber threats weren’t evolving at an unprecedented rate, then an audit-type approach towards cybersecurity might suffice, but we know this is not the case.

In addition, it’s no stretch to believe that regulatory standards, which need to be applicable to a number of different industries, can be watered down or too generic. Unfortunately, in most cases, these broad, ‘acceptable’ standards do not ensure adequate protection against frequent, severe, and sophisticated cyber threats. The bottom line is that it’s dangerous for organizations to rely on compliance standards to protect themselves.

On a four-point cybersecurity maturity scale, 1.0 being “basic” and 4.0 being “predictive”, “compliant security” rates 2.0, indicating a reactive posture. Organizations with a 2.0 rating may have nominal cybersecurity capabilities or processes in the domain, but deployment, application, and enforcement are inconsistent or incomplete, and threat intelligence concepts are not a factor in the program.

Cyber adversaries are continuously evolving their operations and techniques. If your technology, people, and processes aren’t aligned to translate data into actionable intelligence, you’ll never outpace your adversaries. Consider using compliance standards as a baseline, and supplementing them with strong people, processes, and technology. This approach will help you strengthen and mature your security team.

2. Rely Too Heavily on Technology

It becomes a problem when an organization relies more on technology than on its people and processes. Vanilla detection tool installs will never be as effective as experienced analysts, and analysts cannot be fully effective without a strong process. The best foundation for defending an enterprise is one that equally leverages skilled people, tuned technology, and a proven analytical process. These are the key components to attaining a more mature cybersecurity posture—a Unified Enterprise Defense structure.

To move away from an over-reliance on alerting mechanisms, consider the following:

  1. It is the responsibility of the people and processes to tailor technology so it filters out false positive alerts. This allows analysts to focus on more advanced cyber threats.
  2. Analysts are more efficient and effective when they learn from past attacks and leverage that intelligence to thwart future attacks.
  3. It pays to invest in your people. Engaging work, annual training, work-life balance, and competitive salaries are key to ensuring the right people are working for you.

3. Focus on Ingress Traffic Inspection

All too often, enterprises focus on ingress traffic in an attempt to detect malicious activities. While it’s necessary to monitor incoming traffic, it’s equally necessary to monitor egress traffic (the Actions on Objectives phase of the Cyber Kill Chain®). Data exfiltration can be extremely difficult to detect as it’s almost always masquerading as legitimate traffic—commonly referred to as a covert channel.

In an effort to mitigate the consequences of malicious outbound traffic, consider implementing the following:

  1. Sufficient endpoint protection measures
  2. Effective Anti-Virus (AV) protection
  3. Personal firewalls
  4. Up-to-date security patching
  5. Application whitelisting where appropriate
  6. A baseline of typical ingress/egress data
  7. Threshold levels for known traffic
  8. Egress traffic inspection to detect covert and timing channels
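Items 6 through 8 describe one detection workflow: build a per-host baseline of outbound volume, set a threshold against it, and look for timing regularity that a covert channel leaves behind. The script below is an added example, not code from the post or from Leidos; the flow records it runs over are constructed (hosts `ws-01`/`ws-02`, documentation-range IPs), the record layout is an assumption, and the multiplier `k`, the MAD floor and the jitter limit are illustrative values a team would tune against its own baseline.

```python
"""Egress baseline, volume threshold and beacon (timing-channel) check.

Added example. The flow records are constructed and the field layout
(day, src_host, dst_ip, dst_port, bytes_out, start_s) is an assumption.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


def build_flows():
    """Constructed flow log: days 1-7 are the baseline window, day 8 is under review."""
    flows = []
    for day in range(1, 8):
        for host in ("ws-01", "ws-02"):
            flows += [
                (day, host, "198.51.100.10", 443, 10_000_000 + day * 100_000, 100),
                (day, host, "198.51.100.11", 443, 12_000_000, 5_000),
                (day, host, "198.51.100.12", 25, 8_000_000, 9_000),
            ]
    for host in ("ws-01", "ws-02"):  # day 8: the usual traffic for both hosts
        flows += [
            (8, host, "198.51.100.10", 443, 10_000_000, 100),
            (8, host, "198.51.100.11", 443, 12_000_000, 5_000),
            (8, host, "198.51.100.12", 25, 8_000_000, 9_000),
        ]
    # ws-01 pushes 600 MB to a never-seen destination (volume anomaly).
    flows.append((8, "ws-01", "203.0.113.50", 443, 600_000_000, 20_000))
    # ws-02 sends tiny check-ins exactly every 60 s (timing anomaly, not volume).
    flows += [(8, "ws-02", "203.0.113.7", 443, 512, 30_000 + 60 * i) for i in range(10)]
    return flows


def daily_bytes(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for day, host, _ip, _port, nbytes, _t in flows:
        totals[(host, day)] += nbytes
    return totals


def egress_baseline(flows, baseline_days):
    """Per-host (median, MAD) of daily outbound bytes over the baseline window.
    Median/MAD instead of mean/stdev so one noisy day cannot inflate the baseline."""
    per_host = defaultdict(list)
    for (host, day), nbytes in daily_bytes(flows).items():
        if day in baseline_days:
            per_host[host].append(nbytes)
    baseline = {}
    for host, values in per_host.items():
        med = median(values)
        baseline[host] = (med, median(abs(v - med) for v in values))
    return baseline


def volume_threshold(med, mad, k=5, floor_ratio=0.05):
    """Alert level = median + k * spread. The floor keeps a perfectly flat
    baseline (MAD near 0) from alerting on trivial day-to-day changes."""
    spread = max(mad, floor_ratio * med)
    return med + k * spread


def flag_volume(flows, baseline, review_day, k=5):
    """Hosts whose review-day egress exceeds their threshold: {host: (observed, threshold)}."""
    totals = daily_bytes(flows)
    hits = {}
    for host, (med, mad) in baseline.items():
        observed = totals.get((host, review_day), 0)
        threshold = volume_threshold(med, mad, k)
        if observed > threshold:
            hits[host] = (observed, threshold)
    return hits


def flag_beacons(flows, review_day, min_count=6, max_cv=0.1):
    """(host, dst_ip, dst_port) tuples whose connection start times are suspiciously
    regular: at least min_count connections and a coefficient of variation of the
    inter-arrival gaps at or below max_cv. Returns {key: (count, mean_gap_s)}."""
    starts = defaultdict(list)
    for day, host, ip, port, _b, t in flows:
        if day == review_day:
            starts[(host, ip, port)].append(t)
    hits = {}
    for key, times in starts.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # simultaneous connections are bursts, not a beacon
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits[key] = (len(times), avg)
    return hits


if __name__ == "__main__":
    flows = build_flows()
    baseline = egress_baseline(flows, set(range(1, 8)))
    print("volume alerts:", flag_volume(flows, baseline, review_day=8))
    print("beacon alerts:", flag_beacons(flows, review_day=8))
```

The two checks are deliberately independent: the beaconing host moves only 5 KB and never trips the volume threshold, which is exactly why egress inspection needs a timing view alongside the byte-count baseline.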

4. Limit Cybersecurity Responsibility

Understanding that everyone across the enterprise, not just your technology teams, has a role to play in your enterprise's cybersecurity posture is crucial to defending it. While daily traffic analysis and monitoring should be performed by a dedicated, centralized team, ensuring secure computing practices should be an enterprise-wide responsibility.

For your entire workforce to help secure the enterprise, consider implementing the following:

  1. Formal guidelines on the types of information that should (and should not) be posted on social media and shared with unknown correspondents.
  2. Email phishing campaigns to test employee and technology readiness.
  3. Annual cyber training for all employees.
  4. Specialized training to ensure finance employees do not send wire payments to unauthorized accounts and HR employees do not disclose personal information to unauthorized personnel.
  5. Scrubbing job postings of sensitive information, such as technologies used, that attackers can use to craft their attacks on your environments. Specific technologies can be brought up during interviews.

Is your organization guilty of one or more of these practices? You’re not alone. The good news is we can help. Our cybersecurity consultants are ready to work with your team to improve your strategy, people, process, and technology, ensuring you’re ready to defend against any cyber threat that comes your way. Click here to request a meeting. 

Trevor Houck is currently a Cyber Intelligence Analyst performing professional services consulting work with Leidos Commercial Cyber Services. In this role, Trevor performs vulnerability and maturity assessments, penetration testing, and incident response for many of Leidos' commercial clients. Trevor is also an instructor of the EXCITE® training course, which is Leidos' premier Cyber Intelligence Analyst and Incident Response training.