Physical security and cybersecurity are intrinsically connected. Unfortunately, most organizations still treat these security functions as separate disciplines and processes. Until recently, separating the two was justified because the technology to integrate physical and cybersecurity was not available. However, this is changing with the emergence of IoT and advances in both sensors and integrated systems. Organizations must make it a priority to create a single body for security policies, procedures and deployments. Today’s security programs require a holistic approach to be proactive and productive.
One of the top questions I receive from both government agencies and enterprises is, “what can we do to become proactive in our security efforts?” Most of today’s security programs are built to react to an attack after it happens, and the damage has already occurred. Below are a few best practices to help enterprises become more proactive when it comes to security.
- Security is everyone’s responsibility. Proactive organizations know security covers all parts of the business. If an enterprise is compromised, the effects reach far beyond the IT infrastructure: they extend to branding, reputation and trust. For enterprises, the monetary repercussions from a breach are a tenth of the cost of rebuilding its brand and reputation. As I stated in previous articles, World War 3 is underway and the prize is information. As my friend and colleague, Bob Pearson, astutely notes, “Assume that you are always behind on what’s next, to increase your ability to learn.”
- Organizations must invest not just in technology and process, but in understanding each constituent’s roles and responsibilities (e.g., marketing with brand, reputation and disinformation; IT and DevOps with uptime and business continuity; finance with budgeting, compliance and controls). Moreover, Pearson states, “proactive organizations must invest in teaching their employees to understand how to think like a bad actor and collectively work to anticipate where and what they will do.” Because information is the prize, the lines between physical security, cybersecurity and disinformation are non-existent. With the explosion of social media, disinformation campaigns from foreign entities have created a new threat to national security.
- Develop, deploy and consistently update your cybersecurity playbook. Playbooks are how IT and security teams give the organization a clear understanding of what to do and how to respond to a cyber attack. An effective security playbook has three main components: incident response, security incident triage and a communication action plan. We recommend outsourcing this function to providers like Accenture, Capstone-IPS, CyberHat, Deloitte, EY, Next Security Group and Sixgen on the consulting and implementation side. Technology vendors such as Cisco, Palo Alto Networks, HPE, Dell Secureworks and others offer services to help deploy a practical playbook based on their solutions. However, when developing a playbook, it is essential to ensure these solutions (especially SIEM, firewalls and IPS/EPS solutions) are tuned to reduce incident noise and eliminate false positives. Outsourcing playbook development ensures organizations have objective, up-to-date and relevant insights to help reduce their attack surfaces.
- As the number of network-connected devices grows exponentially, IT organizations must be able to discover unmanaged assets within the network, across public and hybrid cloud environments, servers, workstations, laptops and even virtual environments like containers. Collecting asset intelligence and determining which software, services and configurations are installed on each IP-enabled endpoint gives security and IT professionals a more holistic view of their networks, which in turn helps them defend against attacks. Automated asset discovery and endpoint inventorying improve an organization’s cybersecurity posture, integrity and dataflow.
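The reconciliation step described above, as an added example that is not part of the original article: observed endpoints (as a network scan or DHCP export might report them) are compared against what the endpoint-management tool believes it manages, and anything unmanaged or exposing a risky service is surfaced. The observed records, the managed-host set and the risky-service table are all constructed for illustration.

```python
"""Reconcile observed endpoints against a managed inventory (constructed sample data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: what network discovery observed. Format: "<ip> <hostname|?> <svc,svc,...>".
OBSERVED = """\
10.0.1.10 web-01 tcp/22,tcp/443
10.0.1.11 web-02 tcp/22,tcp/443
10.0.1.57 ? tcp/23,tcp/80
10.0.2.5 db-01 tcp/22,tcp/5432
10.0.2.99 printer-lobby tcp/9100,tcp/80
172.17.0.3 ? tcp/8080
"""

# Constructed sample: hostnames the endpoint-management tool has an agent on.
MANAGED = {"web-01", "web-02", "db-01"}

# Constructed table of services worth flagging when they show up on an endpoint.
RISKY_SERVICES = {
    "tcp/23": "telnet (cleartext login)",
    "tcp/9100": "raw print port (unauthenticated)",
}


@dataclass
class Endpoint:
    ip: str
    hostname: Optional[str]          # None when discovery could not resolve a name
    services: List[str] = field(default_factory=list)


def parse_observed(text: str) -> List[Endpoint]:
    """Turn the discovery export into Endpoint records; '?' means no hostname."""
    endpoints = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, host, svcs = line.split()
        endpoints.append(Endpoint(ip, None if host == "?" else host, svcs.split(",")))
    return endpoints


def find_unmanaged(endpoints: List[Endpoint], managed: set) -> List[Endpoint]:
    """An endpoint is unmanaged if its hostname is unknown or absent from the managed set."""
    return [e for e in endpoints if e.hostname not in managed]


def flag_risky_services(endpoints: List[Endpoint]) -> Dict[str, List[str]]:
    """Map IP -> list of risky-service descriptions found on that endpoint."""
    findings: Dict[str, List[str]] = {}
    for e in endpoints:
        hits = [RISKY_SERVICES[s] for s in e.services if s in RISKY_SERVICES]
        if hits:
            findings[e.ip] = hits
    return findings


def inventory_report(text: str = OBSERVED, managed: set = MANAGED) -> Dict[str, object]:
    """Single entry point: counts plus the concrete unmanaged hosts and risky exposures."""
    endpoints = parse_observed(text)
    unmanaged = find_unmanaged(endpoints, managed)
    return {
        "observed": len(endpoints),
        "unmanaged_ips": [e.ip for e in unmanaged],
        "risky": flag_risky_services(endpoints),
    }


if __name__ == "__main__":
    for key, value in inventory_report().items():
        print(f"{key}: {value}")
```

The value of the report is the delta: the three hosts with no agent are exactly the ones the security team cannot patch or monitor through the UEM console, and two of them also expose services that a managed build would not.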
Most security teams underestimate the importance of performance monitoring, while IT operations tend to focus on performance monitoring and availability as the bellwether. Further, traditional unified endpoint management (UEM) and unified endpoint security (UES) tools scan devices for compliance or security vulnerabilities periodically and on an as-needed basis, typically monthly (sometimes weekly). Further complicating things, most IT departments employ a tortuous process to divvy the results amongst stakeholders and system owners.
Although performance monitoring is a viable way to determine when a system is failing or needs maintenance, it can also identify anomalies such as attackers dumping database tables or changes to the master boot record (MBR), a significant signature of ransomware attacks. By creating agreed-upon performance metrics at the endpoint, both IT operations and security teams can eliminate friction and improve their devices’ overall performance and integrity. Additionally, effective endpoint management platforms must be able to monitor hourly, daily, weekly or more frequently, from a single interface that enables both IT operations and security teams to take action when and where a response is needed. Intelligence and monitoring are the foundations of effective incident response programs. Companies like Citrix, Microsoft, Tanium, VMware and 42Gears all provide viable endpoint management and security software.
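The two anomalies named above, as an added example that is not part of the original article or any vendor’s product: a bulk table dump shows up as a spike in a routine performance counter (rows read per hour), and an MBR change shows up as a fingerprint mismatch against a known-good copy. The hourly counter series, the baseline window, the z-score and ratio thresholds, and both 512-byte sector images are constructed for illustration.

```python
"""Flag a database-dump spike and an MBR change from ordinary endpoint metrics (constructed data)."""
import hashlib
import statistics
from typing import List, Tuple

# Constructed sample: rows read per hour on one database host. The first 12 hours are
# normal load; hour 14 is a bulk read far above anything in the baseline window.
DB_ROWS_READ = [
    12_400, 13_100, 11_900, 12_800, 13_300, 12_000,
    12_600, 13_000, 12_200, 12_900, 11_800, 12_700,   # baseline window
    12_500, 13_200, 410_000, 12_100,                  # hour 14: bulk dump
]


def baseline(values: List[int], window: int) -> Tuple[float, float]:
    """Mean and population std-dev of the agreed baseline window."""
    sample = values[:window]
    return statistics.mean(sample), statistics.pstdev(sample)


def find_spikes(values: List[int], window: int = 12, z: float = 4.0,
                min_ratio: float = 3.0) -> List[Tuple[int, int]]:
    """Return (hour, value) pairs after the window that exceed the baseline.

    The threshold is the larger of mean + z*sd and mean*min_ratio, so a very
    flat baseline (tiny sd) cannot turn normal jitter into alerts.
    """
    mean, sd = baseline(values, window)
    threshold = max(mean + z * sd, mean * min_ratio)
    return [(i, v) for i, v in enumerate(values[window:], start=window) if v > threshold]


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 over the whole 512-byte sector (boot code, partition table, 0x55AA signature)."""
    if len(sector) != 512:
        raise ValueError("MBR sector must be exactly 512 bytes")
    return hashlib.sha256(sector).hexdigest()


def mbr_changed(known_good_fingerprint: str, current_sector: bytes) -> bool:
    """True when the sector read now no longer matches the recorded good fingerprint."""
    return mbr_fingerprint(current_sector) != known_good_fingerprint


# Constructed sector images: a placeholder boot stub, zero padding and the 0x55AA signature,
# plus a copy with one byte of boot code altered (the kind of change a bootkit introduces).
KNOWN_GOOD_MBR = bytes([0xEB, 0x63, 0x90]) + b"\x00" * 507 + b"\x55\xAA"
_tampered = bytearray(KNOWN_GOOD_MBR)
_tampered[0x10] ^= 0xFF
TAMPERED_MBR = bytes(_tampered)
KNOWN_GOOD_FINGERPRINT = mbr_fingerprint(KNOWN_GOOD_MBR)


if __name__ == "__main__":
    print("rows-read spikes:", find_spikes(DB_ROWS_READ))
    print("MBR changed (good copy):", mbr_changed(KNOWN_GOOD_FINGERPRINT, KNOWN_GOOD_MBR))
    print("MBR changed (tampered):", mbr_changed(KNOWN_GOOD_FINGERPRINT, TAMPERED_MBR))
```

Both checks run on data IT operations already collects for uptime reasons; the only security-specific additions are the agreed baseline window and the stored good fingerprint, which is why the article argues for shared metrics rather than a parallel tool set.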
Proactive cybersecurity is something every organization should strive for. Unfortunately, most CIOs budget and plan for a post-breach world. As information and data are the primary targets for most hackers/crackers, enterprises need to change their mindset. In addition to compromising data, a successful cyber attack can result in legal and financial consequences, and potentially irreparable damage to the organization’s brand/image.