Where to start?
Many European organizations struggle to start their cyber security journey. Most organizations are aware of the cyber security incidents happening today, and most management boards also have cyber security as a top priority on their agenda. But where and how should they start on the cyber security journey?
I would like to provide an answer to this question. Of course, there are more answers to this simple question, but in general I think that the customer should focus on these four specific areas:
- Cyber security control frameworks
- Zero Trust
- People-Centric Security
- Managed Detection & Response
Cyber security control frameworks
I know that the term “best practice” has been abused a lot during the last couple of years, but when it comes to cyber security, why not learn from others that have already implemented cyber security controls? And controls are not just technology; most often they are a combination of people, process, and technology.
I am not talking about compliance. You don’t have to get certified to a specific standard, but why not take the best from the current standards and apply it to your own cyber security regime?
There are a lot of different cyber security standards and frameworks, and the most well-known are the ISO 27000 series, the NIST Cybersecurity Framework (NIST CSF), and the Center for Internet Security Controls (CIS20). The ISO 27000 series is a well-known standard but not freely available, so you must pay to get access to the list of controls. The latter two are freely available on the internet, so you can just go and download them.
I like the NIST CSF because it provides a comprehensive description of 5 phases: Identify, Protect, Detect, Respond and Recover. It gives a clear understanding of the whole cycle of controls.
But it is hard to get started with, and you can struggle to identify which controls to start with.
Here CIS20 comes to the rescue. The CIS20 provides 20 cyber security controls in a prioritized order. The first 6 controls are the basic controls (basic cyber hygiene), providing 80% of all the coverage you need – or 80-85% risk reduction. That is not to say the remaining 14 controls are not required, but you will come a long way just by implementing the first 6 controls.
So, my recommendation is to start out with a cyber security assessment. What kind of controls and protection do you have today, and where do you want to go in the future? (gap analysis). You can do this in a very advanced way or keep it simple (KISS) without spending too many resources. I think the important part is to identify which controls you are lacking according to best practice in 2021. You might be surprised.
Zero Trust
The perimeter is dead. The firewall can protect us, but it rarely provides 100% protection. We have users working from home, from cafés and airports, and they are fully mobile. So, the idea of having central security controls in place at the HQ is also dead.
We need to have security much closer to the actual assets and stop trusting network location as the only parameter for granting access to resources. We should start requiring authentication and authorization for every access request, regardless of where the request is coming from. We should ensure that only the right users and the right devices have access. And we should extend our approach so it also supports a modern enterprise with BYOD, cloud apps and hybrid environments.
We believe that this entails three different focus areas:
- Workforce – only the right users and secure devices can access applications
- Workloads – secure all connections within apps, across multi-cloud
- Workplace – secure all user and device connections across your network.
It is far from an easy task, but you can start the journey towards Zero Trust by focusing on these three areas when designing your new IT environment.
And even after having secured the user, the device, the connection, etc., we continue to do full inspection at the packet level to detect malicious payloads in legitimate and secured traffic. That is the essence of Zero Trust – never trust anything.
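To make the "stop trusting network location" point concrete, here is an added example (not code from the original post or from any vendor) that evaluates an access request under the old perimeter model and under a Zero Trust policy side by side. The `AccessRequest` fields, the `RESOURCE_POLICY` catalogue and the sample requests are all constructed for illustration; a real deployment would take these signals from the identity provider and the device management platform.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    """Signals available at the time of an access request (constructed example)."""
    user: str
    groups: frozenset            # group memberships from the identity provider
    mfa_verified: bool           # user completed strong authentication for this session
    device_managed: bool         # device is enrolled in device management
    device_compliant: bool       # e.g. disk encrypted, patched, endpoint protection running
    source_network: str          # "corp", "home", "cafe", ... (informational only)
    resource: str                # application being requested

# Hypothetical catalogue: which groups are authorized for which application.
RESOURCE_POLICY = {
    "payroll-app": {"finance"},
    "admin-console": {"it-admins"},
    "intranet": {"employees", "finance", "it-admins"},
}

def perimeter_decision(req: AccessRequest) -> bool:
    """The legacy model: anything coming from the corporate network is trusted."""
    return req.source_network == "corp"

def zero_trust_decision(req: AccessRequest):
    """Authenticate the user, verify the device and authorize the resource on
    every request. Network location is deliberately not consulted.
    Returns (allowed, list_of_reasons_for_denial)."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("user not strongly authenticated")
    if not (req.device_managed and req.device_compliant):
        reasons.append("device not managed or not compliant")
    allowed_groups = RESOURCE_POLICY.get(req.resource)
    if allowed_groups is None:
        reasons.append("unknown resource")
    elif not (req.groups & allowed_groups):
        reasons.append("user not authorized for resource")
    return (not reasons, reasons)

# Constructed sample requests: a finance user at a café on a compliant device,
# and an unverified user on an unmanaged device plugged into the HQ network.
SAMPLE_REQUESTS = {
    "finance_from_cafe": AccessRequest(
        user="alice", groups=frozenset({"finance"}), mfa_verified=True,
        device_managed=True, device_compliant=True,
        source_network="cafe", resource="payroll-app"),
    "unknown_device_at_hq": AccessRequest(
        user="mallory", groups=frozenset({"employees"}), mfa_verified=False,
        device_managed=False, device_compliant=False,
        source_network="corp", resource="payroll-app"),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, "perimeter:", perimeter_decision(req),
              "zero trust:", zero_trust_decision(req))
```

The perimeter model lets the unverified device at HQ straight into the payroll application and locks out the legitimate finance user at the café; the Zero Trust policy reaches the opposite, correct, decision in both cases, and the reasons list gives the audit trail for each denial.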
People-Centric Security
I know of the SolarWinds hack and the recent Exchange hack (Hafnium), but most often we as defenders focus on the technical infrastructure, whereas attackers focus on the people in the organization. They go after the VIPs in the organization because they most often also have the broadest access to resources. So threat actors most often start with social engineering and not necessarily with vulnerabilities in the infrastructure. It is the vulnerability of our people versus the vulnerability of the infrastructure.
So, the hackers attack the CFO in order to initiate money transfers, attack the IT administrators to gain full control of the Microsoft infrastructure, etc.
The recommended approach to this is to focus more on improving your e-mail security. E-mail is the primary threat vector. The second step is to improve your visibility. Which people in your organization would matter most if compromised via e-mail? These users should receive more security awareness training than the normal user in your organization, and you should monitor their overall progress to ensure that the risk of e-mail spoofing/phishing/BEC is reduced.
Besides protecting e-mail as the number 1 attack surface, we also need to look at where people work, accept that the traditional perimeter is dissolving, harden the perimeter around people, and improve our capabilities to protect employees wherever they work and whatever they connect to (do you see the link to Zero Trust?).
And while you are working on improving this, you should also focus on protecting your data with the help of DLP (data loss prevention).
Managed Detection & Response (MDR)
I have written a few blogs about this topic before (HERE and HERE), but my point is still relevant. You need to stop investing in preventive technology because the return on it is diminishing. If a new firewall were the solution to all the latest hacks/incidents, we wouldn’t have seen them.
Detection & Response is the capability your organization needs to invest in to identify whether you have a hacker in your network. It is no longer a matter of if you are getting hacked but when, and the statistics support us here. The average is still more than 200 days before an intruder is identified in an average organization’s network, and the average cost of remediation is still above 3 million Euro for an average organization.
So why managed detection & response (MDR)? The managed part is important because:
- Your organization will most likely have trouble recruiting the right skilled people and retaining them, due to the huge shortage of talented cyber security people.
- The cost of operating a “SOC” internally will normally be 3-4 times higher, due to the investment in people, technology, and processes, compared to an outsourced service. So in my opinion the detection & response capability should be strategic for the organization before building this capability internally.
- The time to implement a managed detection & response service in your organization is most often far shorter than building your own service. In my opinion, we are comparing weeks/months to years. So if management is demanding detection and response capabilities NOW, MDR is the way to go.
Please also be aware that CIS20 control #6, which is part of the basic controls, is in fact the analysis and monitoring of audit logs, which is highly related to detection and response.
I do hope that the above four areas have inspired you to start or continue your cyber security journey.
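As an added illustration of why audit log analysis (CIS20 control #6) and detection go hand in hand, here is a small detector, written for this article and not part of the original post or of any product, that runs over a few constructed authentication log lines. The log format (`<timestamp> auth ok|failed user=<name> src=<ip>`), the threshold and the window are assumptions; the logic is the generic one: a burst of failed logons for one account is worth an alert, and a successful logon right after such a burst is worth a higher-priority one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format; real sources (Windows Security log, sshd, IdP) differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: alice is guessed 5 times then logged in successfully,
# bob mistypes once, carol's 3 failures are followed by a success 30 min later.
SAMPLE_LOG = """\
2021-05-03T08:12:01 auth failed user=alice src=203.0.113.9
2021-05-03T08:12:09 auth failed user=alice src=203.0.113.9
2021-05-03T08:12:18 auth failed user=alice src=203.0.113.9
2021-05-03T08:12:27 auth failed user=alice src=203.0.113.9
2021-05-03T08:12:40 auth failed user=alice src=203.0.113.9
2021-05-03T08:13:05 auth ok user=alice src=203.0.113.9
2021-05-03T09:00:00 auth failed user=bob src=10.0.0.5
2021-05-03T09:00:20 auth ok user=bob src=10.0.0.5
2021-05-03T10:00:00 auth failed user=carol src=10.0.0.7
2021-05-03T10:00:05 auth failed user=carol src=10.0.0.7
2021-05-03T10:00:10 auth failed user=carol src=10.0.0.7
2021-05-03T10:30:00 auth ok user=carol src=10.0.0.7
"""

def parse_auth_log(lines):
    """Yield one event dict per well-formed line; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def find_suspicious_logons(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return alerts for (a) max_failures failed logons for one user inside the
    window and (b) a successful logon for that user while such a burst is live."""
    recent_failures = defaultdict(list)   # user -> timestamps of recent failures
    alerts = []
    for ev in parse_auth_log(lines):
        user = ev["user"]
        # Keep only failures still inside the sliding window.
        hist = [t for t in recent_failures[user] if ev["ts"] - t <= window]
        if ev["result"] == "failed":
            hist.append(ev["ts"])
            if len(hist) == max_failures:       # fire once when the threshold is hit
                alerts.append({"kind": "failure_burst", "user": user,
                               "src": ev["src"], "failures": len(hist), "at": ev["ts"]})
        else:
            if len(hist) >= max_failures:
                alerts.append({"kind": "success_after_failures", "user": user,
                               "src": ev["src"], "failures": len(hist), "at": ev["ts"]})
            hist = []                           # a success closes the burst
        recent_failures[user] = hist
    return alerts

def run_sample():
    """Run the detector over the constructed sample log."""
    return find_suspicious_logons(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data only alice produces alerts: one when the fifth failure lands, and a second, more urgent one when the logon from the same source succeeds a few seconds later. Bob's single typo and carol's three failures followed by a success outside the window stay quiet, which is the point of the threshold and the sliding window: the analyst should be paged for patterns, not for every failed password.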