As emerging and state-sponsored threats continue to escalate, security professionals report lower confidence in their ability, and more specifically in their organization’s ability, to properly detect and respond to threats. This article from Dark Reading by Ericka Chickowski sums up the issues involved.
As previously mentioned on the Chi Corporation blog, strong senior leadership in a company is what is required in order to stay protected from these threats. It requires spending more on personnel, spending more time on strategy and security design, and implementing controls and auditing that are not popular, even among IT staff.
Any large organization will require around-the-clock monitoring and the ability to intelligently respond to threats as they appear. Tools and packages put together to automate this process, such as SIEM (Security Information and Event Management), are part of the solution. Advanced firewall solutions that give insight into application-level network flows are also important. Having staff able to respond to an attack at, say, 1 AM on New Year’s Day is vital. Attackers, state-sponsored or otherwise, know when we are most vulnerable and least likely to be aware of breaches.
It is also vital to have a strategy to deal with an attack. Perhaps your data is so valuable that cutting off an exfiltration in progress is more important than preserving ongoing operations. A SIEM could respond by simply cutting off access to the Internet. Few organizations have that much freedom. Operations must continue in spite of attacks, whether successful or not. Security has to be adjusted in real time while maintaining full access to continue operations. These decisions, based on the type and extent of the breach, should be made in advance, not in the heat of battle. This includes escalation procedures and pre-authorized authority to make adjustments to firewall and other security settings.
Security design is another important aspect of being prepared. Too often organizations are constantly playing catch-up to the findings of one audit after another. Their overall security posture improves somewhat after a good audit, but in this reactive mode, the overall design is neglected. If your security personnel are always in catch-up mode, you are not providing them with the staff, tools, or authority they need in order to make strategic decisions and changes.
Implementing best-practice controls and auditing is often unpopular among IT staff; however, it is vital for multiple reasons. Take the best practice of least privilege as an example. A new employee in an organization may be granted basic permissions, but should not be granted sweeping permissions. This applies also to a new IT staff member. Consider help desk staff members whose everyday user accounts are global administrators in Active Directory. In between calls they browse the web and contract some malware. Now suddenly an attacker with a compromised Active Directory administrator account, with full access to all PCs and servers, is able to spread laterally anywhere it chooses without any further tools. Even if the original offending PC is cleaned, a back door may be on any number of other systems for later exploitation. Instead, requiring IT staff to maintain separate accounts for desktop administration, server administration, local browser and email use, and remote VPN access provides the best chance of containment should any one of those be compromised. Often, slowing down an infiltration by a determined, intelligent attacker is all that can be done, and it is up to intelligent staff to react to compromises before the infiltration spreads significantly.
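One way to check for the overlap described above, where an everyday account is also a privileged Active Directory account, is to audit the privileged groups directly. The script below is an added PowerShell example, not from the original post; it assumes the ActiveDirectory module is installed, that dedicated admin accounts follow a "-adm" naming convention, and that everyday accounts carry a mail attribute.

```powershell
# Added example (not part of the original post): flag members of privileged AD groups
# that look like everyday-use accounts. Assumptions: ActiveDirectory module present,
# dedicated admin accounts are named "<name>-adm", everyday accounts have a mailbox.
Import-Module ActiveDirectory

# Privileged groups to review (constructed list; adjust to your domain)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Assumed naming convention for dedicated admin accounts
$AdminSuffix = '-adm'

$Findings = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName -Properties mail, LastLogonDate

        $Reasons = @()
        if ($User.SamAccountName -notlike "*$AdminSuffix") {
            $Reasons += "not a dedicated admin account (no '$AdminSuffix' suffix)"
        }
        if ($User.mail) {
            # A mailbox on a privileged account suggests it is used for e-mail and browsing
            $Reasons += "has a mailbox ($($User.mail))"
        }

        if ($Reasons.Count -gt 0) {
            [PSCustomObject]@{
                Group          = $Group
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                LastLogonDate  = $User.LastLogonDate
                Reasons        = ($Reasons -join '; ')
            }
        }
    }
}

# Each row is an account to move to a separate admin identity or remove from the group
$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Run it from a workstation with the RSAT ActiveDirectory module under an account that can read group membership; a clean result is an empty table.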
These are just some basic ideas. Note that I used the term “intelligent staff.” I am not implying that some staff are not intelligent, but rather I am trying to differentiate between someone reading out of a playbook, or a logic tree, and someone who can analyze what they are seeing and make informed decisions. This is a game of chess, not tic-tac-toe.
If your organization needs anything from a tune-up to a complete overhaul in any of these areas, Chi Corporation is here to help. Give us a call or contact us via the form on this website.