Answering burning questions from victims of cyber events
Happy New Year! Our organization made it through the holiday season without a security event. While we were probably one of the few, we’d like to build up our defenses and carry through the confidence with our security program throughout this new year. A portion of our IT budget is devoted to enhancing security. What actions should we take to maximize our budgeted dollars?
-Billy the Budgeteer
DEAR BILLY THE BUDGETEER:
Congratulations on surviving the holidays without a security event! It’s great to hear that security is top of mind for your organization and that you want to keep your security program trending in the right direction.
Not knowing the specifics of your cybersecurity program or environment, I’ll provide some general approaches to enhance your program, which ultimately, you’ll need to measure against a risk management framework to understand what items you have — and perhaps more importantly, may be missing.
The benefits of a security assessment
Security assessments can provide valuable insight into the overall effectiveness of your security program. For new security programs, they can help organizations understand the important program elements that ought to be considered. For established programs, assessments can help in identifying gaps in various aspects of a program.
It’s important to remember that assessments only provide a framework for evaluating a security program. Those performing the assessment should apply their specific knowledge of your environment and their experience working cyber investigations. Simply ticking the box on assessment questions is not enough to protect against today’s increasingly sophisticated cyberthreats.
For example, most cybersecurity frameworks require backups. Many, however, don’t go into depth on how to best configure a backup environment. While answering “yes” to “Does your organization maintain backup?” may meet a requirement, the question doesn’t uncover if the backups are stored on the same network segment or if production credentials can administer those backups. In ransomware attacks, threat actors intentionally look to disrupt backups, either by deleting them or reformatting the storage area. So, by layering in known attacker behaviors and actions into their assessments, assessors can not only educate program sponsors, but also provide support for recommended enhancements.
Further steps to maximize your cybersecurity budget
If you’ve already performed a cybersecurity assessment and have implemented the remediation recommendations, I suggest considering the following cybersecurity enhancements to maximize your budgeted security dollars.
- Implement an endpoint protection platform (EPP). When employees use the internet to surf websites and access personal email, they can expose organizations to a lot of risk. It’s a good idea to move beyond traditional antivirus solutions and towards next-generation, artificial intelligence-powered endpoint protection (EPP) for employee devices. You can buy EPP technology on a stand-alone basis or can buy it on a managed basis and get a 24/7 security operation center that will immediately respond to alerts.
- Add threat intelligence to support your business operations. Threat intelligence will enable any business to verify that its operations are aligned to its security procedures. Threat intelligence will also ensure your security awareness program is covering those threats that are relevant to the business while proactively detecting any precursor actions that may put your organization in the crosshairs of an attacker.
- Test disaster recovery, business continuity, and incident response procedures through tabletop exercises. The exercises are designed to simulate an event or specific situation and measure key personnel’s procedural knowledge against the organization’s policies and procedures around disaster recovery, business continuity, and incident response. How ready will you be when the inevitable attack occurs? The time to test is not in the middle of an incident, but well before.
- Conduct purple teaming with autonomous pen-testing. Purple teaming is a hybrid approach to a penetration test, where your red team (penetration testers) and blue team (SOC analysts and incident responders) work together to hack into your organization’s network and validate that your security tools are configured correctly to detect, alert, and mitigate the activity. Generally conducted as a live exercise, purple teaming combines hands-on activities while measuring the efforts and effects against your policies and procedures (tabletop exercises). Autonomous pen-testing greatly reduces the manpower needed, which can significantly increase the number of attack paths identified, reduce time commitments by personnel, and strengthen the consistency of pen-tests.
For additional tips, please read Dear Ramey: Tips to Improve the Security of Data Sharing and Six Decrees of Kevin Bakers: Tips to Improve Cybersecurity Today.
Arete IR Director Stephen Ramey is here to answer burning questions from victims of cyber events. If you have a question, please don’t hesitate to reach out at DearRamey@areteir.com. Arete wants to help by sharing our insight and experience.